Recently opened files from Windows Explorer
C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent
Network Shortcuts
C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Items recently run from the "Run" bar
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
ComDlg32 recently opened/saved files
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
ComDlg32 recently opened/saved folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Recent Docs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
EXE to main window title cache
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
User Assist
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Temp folder
C:\Users\<user name>\AppData\Local\Temp
Recycle Bin
C:\$Recycle.Bin
Last logged on user
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnSAMUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
Event logs
C:\Windows\System32\config or C:\Windows\System32\winevt\Logs
Last key edited by RegEdit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
List of installed USB devices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
List of installed USB storage devices
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
SetupAPI Device Log
C:\Windows\inf\setupapi.dev.log
Windows Prefetch
C:\Windows\Prefetch
http://redwolfcomputerforensics.com/downloads/prefetch_parser.zip
Internet Explorer Temp Folder (IE Cache)
C:\Users\<user name>\AppData\Local\Microsoft\Windows\Temporary Internet Files
IE Cookies
C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Cookies
Internet Explorer History
C:\Users\<user name>\AppData\Local\Microsoft\Windows\History
IE Typed URLs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedUrls
Internet Explorer Forms AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage1
Internet Explorer Password AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Printer spool folder
C:\Windows\System32\spool\PRINTERS
Firefox Cached Pages
C:\Users\<user name>\AppData\Local\Mozilla\Firefox\Profiles\<some profile number>.default\Cache
Firefox Form History File
C:\Users\<user name>\AppData\Roaming\Mozilla\Firefox\Profiles\<some profile number>.default\formhistory.sqlite
Firefox Passwords File
C:\Users\<user name>\AppData\Roaming\Mozilla\Firefox\Profiles\<some profile number>.default\signons.sqlite
Firefox Cookies
C:\Users\<user name>\AppData\Roaming\Mozilla\Firefox\Profiles\<some profile number>.default\cookies.sqlite
Recently Opened Office Docs
C:\Users\<user name>\AppData\Roaming\Microsoft\Office\Recent
Files recently accessed by Windows Media Player
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\RecentFileList
Offline Outlook Mailbox
C:\Users\<user name>\AppData\Local\Microsoft\Outlook\outlook.ost
Temp folder for Outlook attachments
C:\Users\<user name>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\<random value>\
Why you care: Here is where Outlook 2007 sometimes puts attachments you directly open from an email. If you are trying to find the exact location of this folder, look in the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security
Flash Cookies
C:\Users\<user name>\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\<random value>\