-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Changes for readthedocs documentation
- Loading branch information
1 parent
8b6a2ca
commit c908466
Showing
13 changed files
with
15 additions
and
452 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,94 +1 @@ | ||
| ## Google Chrome/Chromium disk cache | ||
|
|
||
| Google Chrome/Chromium uses disk cache to store resources fetched from the web | ||
| so that they can be accessed quickly at a latter time if needed. | ||
|
|
||
| ### Cache version 2 | ||
|
|
||
| On Linux Google Chrome/Chromium 8 | ||
| ``` | ||
| /home/$USER/.cache/chromium/Cache/ | ||
| /home/$USER/.cache/google-chrome/Cache/ | ||
| ``` | ||
|
|
||
| On Linux Google Chrome/Chromium 9 to 51 | ||
| ``` | ||
| /home/$USER/.cache/chromium/$PROFILE/Cache/ | ||
| /home/$USER/.cache/google-chrome/$PROFILE/Cache/ | ||
| ``` | ||
|
|
||
| On MacOS | ||
| ``` | ||
| /Users/$USER/Library/Caches/Google/Chrome/$PROFILE/Cache/ | ||
| ``` | ||
|
|
||
| Where the $PROFILE contains the name of the profile. The default profile is | ||
| named "Default". | ||
|
|
||
| On Windows XP | ||
| ``` | ||
| C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\%PROFILE%\Cache\ | ||
| ``` | ||
|
|
||
| On Windows Vista, 7 | ||
| ``` | ||
| C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\Cache\ | ||
| ``` | ||
|
|
||
| Where the %PROFILE% contains the name of the profile. The default profile is | ||
| named "Default". | ||
|
|
||
| ### Media Cache | ||
|
|
||
| ``` | ||
| /home/$USER/.cache/chromium/$PROFILE/Media Cache/ | ||
| /home/$USER/.cache/google-chrome/$PROFILE/Media Cache/ | ||
| ``` | ||
|
|
||
| ### Application Cache | ||
|
|
||
| ``` | ||
| /home/$USER/.config/chromium/$PROFILE/Application Cache/Cache/ | ||
| /home/$USER/.config/google-chrome/$PROFILE/Application Cache/Cache/ | ||
| ``` | ||
|
|
||
| ### GPUCache | ||
|
|
||
| On Linux Google Chrome/Chromium 68 | ||
| ``` | ||
| /home/$USER/.config/google-chrome/$PROFILE/GPUCache/ | ||
| /home/$USER/.config/google-chrome/$PROFILE/Storage/ext/$EXTENSION/def/GPUCache/ | ||
| /home/$USER/.config/google-chrome/ShaderCache/GPUCache/ | ||
| ``` | ||
|
|
||
| Where the $EXTENSION contains the identifier of the extension such as | ||
| "nmmhkkegccagdldgiimedpiccmgmieda". | ||
|
|
||
| ### References | ||
|
|
||
| * [Forensicswiki: Google Chrome](https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome) | ||
| * [Example Google Chrome Cache files](https://github.com/dfirlabs/chrome-specimens/tree/master/specimens), by chrome-specimens project | ||
|
|
||
| ### Test versions | ||
|
|
||
| Software | Version | Platform | ||
| -- | -- | -- | ||
| Google Chrome | 8.0.552.237 | Linux 32-bit | ||
| Google Chrome | 9.0.597.107 | Linux 32-bit | ||
| Google Chrome | 10.0.648.205 | Linux 32-bit | ||
| Google Chrome | 11.0.696.60 | Linux 32-bit | ||
| Google Chrome | 12.0.742.124 | Linux 32-bit | ||
| Google Chrome | 13.0.782.220 | Linux 32-bit | ||
| Google Chrome | 14.0.835.186 | Linux 32-bit | ||
| Google Chrome | 15.0.874.121 | Linux 32-bit | ||
| Google Chrome | 16.0.912.77 | Linux 32-bit | ||
| Google Chrome | 17.0.963.83 | Linux 32-bit | ||
| Google Chrome | 18.0.1025.168 | Linux 32-bit | ||
| Google Chrome | 19.0.1084.52 | Linux 32-bit | ||
| Google Chrome | 20.0.1132.57 | Linux 32-bit | ||
| Google Chrome | 31.0.1650.48 | Linux 32-bit | ||
| Google Chrome | 40.0.2214.115 | Linux 64-bit | ||
| Google Chrome | 50.0.2661.75 | Linux 64-bit | ||
| Google Chrome | 51.0.2704.84 | Linux 64-bit | ||
| Google Chrome | 68.0.3440.84 | Linux 64-bit | ||
|
|
||
| Moved to: https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/ChromeCache.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,69 +1 @@ | ||
| ## Mozilla Firefox disk cache | ||
|
|
||
| Mozilla Firefox uses disk cache to store resources fetched from the web so that | ||
| they can be accessed quickly at a latter time if needed. | ||
|
|
||
| There are 2 known disk cache formats: | ||
|
|
||
| * Mozilla Firefox disk cache format version 1 | ||
| * Mozilla Firefox disk cache format version 2 | ||
|
|
||
| ### Firefox 1 to 31 | ||
|
|
||
| Mozilla Firefox 1 to 31 use the Mozilla Firefox disk cache format version 1. | ||
|
|
||
| On Linux Mozilla Firefox 1 to 20 | ||
| ``` | ||
| /home/$USER/.mozilla/firefox/$PROFILE.default/Cache/ | ||
| ``` | ||
|
|
||
| On Linux Mozilla Firefox 21 to 31 | ||
| ``` | ||
| /home/$USER/.cache/mozilla/firefox/$PROFILE.default/Cache/ | ||
| ``` | ||
|
|
||
| On MacOS | ||
| ``` | ||
| /Users/$USER/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/ | ||
| ``` | ||
|
|
||
| On Windows XP | ||
| ``` | ||
| C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\ | ||
| ``` | ||
|
|
||
| On Windows Vista, 7 | ||
| ``` | ||
| C:\Users\%USERNAME%\AppData\Local\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\ | ||
| ``` | ||
|
|
||
| ### Firefox 32 and later | ||
|
|
||
| Mozilla Firefox 32 and later use the Mozilla Firefox disk cache format version | ||
| 2. | ||
|
|
||
| On Linux | ||
| ``` | ||
| /home/$USER/.mozilla/firefox/$PROFILE.default/cache2/ | ||
| ``` | ||
|
|
||
| On MacOS | ||
| ``` | ||
| /Users/$USER/Library/Caches/Firefox/Profiles/$PROFILE.default/cache2/ | ||
| ``` | ||
|
|
||
| On Windows XP | ||
| ``` | ||
| C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\cache2\ | ||
| ``` | ||
|
|
||
| On Windows Vista, 7 | ||
| ``` | ||
| C:\Users\%USERNAME%\AppData\Local\Mozilla\Firefox\Profiles\%PROFILE%.default\cache2\ | ||
| ``` | ||
|
|
||
| ### References | ||
|
|
||
| * [Forensicswiki: Mozilla Firefox](https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox) | ||
| * [Example Mozilla Firefox Cache files](https://github.com/dfirlabs/firefox-specimens/tree/master/specimens), by firefox-specimens project | ||
|
|
||
| Moved to: https://artifacts-kb.readthedocs.io/en/latest/sources/webbrowser/FirefoxCache.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,18 +1 @@ | ||
| ## AMCache | ||
|
|
||
| The AMCache is an stores metadata about program installation and execution for | ||
| Windows Application Compatibility. | ||
|
|
||
| The AMCache can be found on Windows 7 and Server 2008 R2 and later in the file: | ||
|
|
||
| ``` | ||
| C:\Windows\AppCompat\Programs\Amcache.hve | ||
| ``` | ||
|
|
||
| This file uses the Windows NT Registry File (REGF) format. | ||
|
|
||
| ### References | ||
|
|
||
| * [ForensicsWiki: AMCache](https://forensicswiki.xyz/wiki/index.php?title=AMCache) | ||
| * [ForensicsWiki: Windows Application Compatibility](https://forensicswiki.xyz/wiki/index.php?title=Windows_Application_Compatibility) | ||
| * [Windows NT Registry File (REGF) format specification](https://github.com/libyal/libregf/blob/master/documentation/Windows%20NT%20Registry%20File%20(REGF)%20format.asciidoc) | ||
| Moved to: https://artifacts-kb.readthedocs.io/en/latest/sources/windows/AMCache.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,28 +1 @@ | ||
| ## Active Desktop | ||
|
|
||
| Active Desktop was a feature of Microsoft Internet Explorer 4.0's that added | ||
| support for HTML content on the desktop, along with other features. | ||
|
|
||
| Malware is known to use Active Desktop settings and components for persitence. | ||
|
|
||
| ### Settings | ||
|
|
||
| The Active Desktop settings can be found in the Windows Registry key: | ||
|
|
||
| ``` | ||
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General | ||
| ``` | ||
|
|
||
| ### Components | ||
|
|
||
| The Active Desktop components can be found in the sub keys of the Windows | ||
| Registry key: | ||
|
|
||
| ``` | ||
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components | ||
| ``` | ||
|
|
||
| ### References | ||
|
|
||
| * [Wikipedia: Active Desktop](https://en.wikipedia.org/wiki/Active_Desktop) | ||
| * [Sophos: Troj/DwnLdr-GWV](https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-GWV/detailed-analysis.aspx) | ||
| Moved to: https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActiveDesktop.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1 @@ | ||
| ## Activities Cache Database | ||
|
|
||
| Windows activity history keeps track of activity on a device, such as apps and | ||
| services usage, files opened, and websites browsed. This activity history is | ||
| stored locally on the device in a SQLite database file: | ||
|
|
||
| ``` | ||
| C:\Users\%USERNAME%\AppData\Local\ConnectedDevicesPlatform\L.%USERNAME%\ActivitiesCache.db | ||
| ``` | ||
|
|
||
| ### Versions | ||
|
|
||
| The activity cache databases were first observed on Windows 10 1803. | ||
|
|
||
| ### References | ||
|
|
||
| * [Windows 10 activity history and your privacy](https://support.microsoft.com/en-us/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | ||
| * [CCL Group: Windows 10 Timeline Forensic Artefacts](https://cclgroupltd.com/2018/05/03/windows-10-timeline-forensic-artefacts/) | ||
| * [Salt Forensics: Windows 10 Timeline – Initial Review of Forensic Artefacts](https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/amp/) | ||
| * [An examination of Win10 ActivitiesCache.db database](https://kacos2000.github.io/WindowsTimeline/WindowsTimeline.pdf) | ||
| Moved to: https://artifacts-kb.readthedocs.io/en/latest/sources/windows/ActivitiesCacheDatabase.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,43 +1 @@ | ||
| ## Environment variables | ||
|
|
||
| Name | Scope | Description | ||
| --- | --- | --- | ||
| `%AllUsersProfile%` | System | Path of the of the "All Users" or "Common" profile directory | ||
| `%APPX_PROCESS%` | User | .NET applications will attempt to load WinAppXRT.dll from %PATH% | ||
| `%COMMONPROGRAMFILES%` | System | Path of the common program files folder | ||
| `%COMMONPROGRAMFILES(X86)%` | System | Path of the 32-bit common program files folder on a 64-bit Windows installation | ||
| `%ComSpec%` | System | Path of the command processor, typically "cmd.exe" | ||
| `%DriverData%` | System | Path of the directory used for temporary state files of user-mode drivers | ||
| `%PATH%` | System and User | Ordered list of paths of directories that will be searched on execution request without a specific path | ||
| `%ProfilesDirectory%` | System | Path of a directory that contains the users' profile directories, typically "%SystemDrive%\Users" | ||
| `%ProgramData%` | System | Path of the "Program Data" directory | ||
| `%ProgramFiles%` | System | Path of the "Program Files" directory | ||
| `%ProgramFiles(x86)%` | System | Path of the 32-bit "Program Files" directory on a 64-bit Windows installation | ||
| `%SystemDrive%` | System | Letter of the drive in which the system directory is located, typically "C:" | ||
| `%SystemRoot%` | System | Path of the system directory, typically "C:\Windows" | ||
| `%TEMP%` | User | | ||
| `%WinDir%` | System | Path of the Windows directory, typically "C:\Windows" | ||
|
|
||
| ### References | ||
|
|
||
| * [AllUsersProfile](http://environmentvariables.org/AllUsersProfile) | ||
| * [CommonProgramFiles](http://environmentvariables.org/CommonProgramFiles) | ||
| * [ComSpec](http://environmentvariables.org/ComSpec) | ||
| * [Path](http://environmentvariables.org/Path) | ||
| * [ProgramFiles](http://environmentvariables.org/ProgramFiles) | ||
| * [SystemDrive](http://environmentvariables.org/SystemDrive) | ||
| * [SystemRoot](http://environmentvariables.org/SystemRoot) | ||
| * [Temp](http://environmentvariables.org/Temp) | ||
| * [WinDir](http://environmentvariables.org/WinDir) | ||
| * [Recognized Environment Variables](https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables) | ||
| * [Driver Package Isolation - DriverData and ProgramData](https://docs.microsoft.com/en-us/windows-hardware/drivers/develop/driver-isolation#driverdata-and-programdata) | ||
| * [About User Profiles](https://msdn.microsoft.com/en-us/library/windows/desktop/bb776892(v=vs.85).aspx) | ||
|
|
||
| #### APPX_PROCESS environment variable | ||
|
|
||
| * [Beyond good ol’ Run key, Part 17](http://www.hexacorn.com/blog/2014/08/31/beyond-good-ol-run-key-part-17/) | ||
| * [.NET Framework 4.6 allows side loading of Windows API Set DLL](https://www.securify.nl/advisory/SFY20160201/_net-framework-4_6-allows-side-loading-of-windows-api-set-dll.html) | ||
|
|
||
| #### Windows Registry environment variable expansion | ||
|
|
||
| * [Expanding Environment Variables](https://msdn.microsoft.com/en-us/library/cc231436.aspx) | ||
| Moved to: https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EnvironmentVariables.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,61 +1 @@ | ||
| ## Windows Event Log | ||
|
|
||
| The Windows Event Log is used by Microsoft Windows to store application and | ||
| system logs. Typical Event Logs are: Application, System, and Security | ||
|
|
||
| Entries in Event Log files contain very little human-readable data. EventViewer, | ||
| which is the Windows native Event Log viewing application, makes Event Log | ||
| entries human-readable by combining pre-defined message string templates, which | ||
| are stored in DLLs and EXEs, with variable data stored in the Event Log entry. | ||
|
|
||
| The combination of event identifier, its qualifiers and provider is needed to | ||
| determine the message string template for a specific Event Log entry. | ||
| Information about Windows Event Log providers can be found in the Windows | ||
| Registry. | ||
|
|
||
| A common misconception is that event identifiers are globally unique, however | ||
| they are only unique in the context of a specific version of a specific | ||
| Log provider. | ||
|
|
||
| ### Windows NT4 | ||
|
|
||
| On Windows NT4 the Event Logs files can be found in: | ||
|
|
||
| ``` | ||
| C:\WINNT\System32\config | ||
| ``` | ||
|
|
||
| Windows NT4 uses the Windows Event Log (EVT) format. | ||
|
|
||
| ### Windows 2000, XP and 2003 | ||
|
|
||
| On Windows 2000, XP and 2003 the Event Logs files can be found in: | ||
|
|
||
| ``` | ||
| C:\Windows\System32\config | ||
| ``` | ||
|
|
||
| Windows 2000, XP and 2003 uses the Windows Event Log (EVT) format. | ||
|
|
||
| ### Windows Vista and later | ||
|
|
||
| On Windows Vista and later the Event Logs files can be found in: | ||
|
|
||
| ``` | ||
| C:\Windows\System32\winevt\Logs\ | ||
| ``` | ||
|
|
||
| Windows Vista and later uses the Windows XML Event Log (EVTX) format. | ||
|
|
||
| ### References | ||
|
|
||
| * [Wikipedia: Event Viewer](https://en.wikipedia.org/wiki/Event_Viewer) | ||
| * [Wikipedia: Log file](https://en.wikipedia.org/wiki/Log_file) | ||
| * [ForensicsWiki: Windows Event Log (EVT)](https://forensicswiki.xyz/wiki/index.php?title=Windows_Event_Log_(EVT)) | ||
| * [ForensicsWiki: Windows XML Event Log (EVTX)](https://forensicswiki.xyz/wiki/index.php?title=Windows_XML_Event_Log_(EVTX)) | ||
| * [Windows Event Viewer Log (EVT) format](https://github.com/libyal/libevt/blob/master/documentation/Windows%20Event%20Log%20(EVT)%20format.asciidoc) | ||
| * [Windows XML Event Log (EVTX) format](https://github.com/libyal/libevtx/blob/master/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc) | ||
| * [EventLog keys](https://github.com/libyal/winreg-kb/blob/master/documentation/EventLog%20keys.asciidoc) | ||
| * [Sysinternals Sysmon unleashed](https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed) | ||
| * [Export corrupts Windows Event Log files](https://blog.fox-it.com/2019/06/04/export-corrupts-windows-event-log-files/) | ||
|
|
||
| Moved to: https://artifacts-kb.readthedocs.io/en/latest/sources/windows/EventLog.html |
Oops, something went wrong.