In \Users\<username>\AppData\Local\Microsoft\Windows\Notifications you can find the database appdb.dat (before Windows Anniversary) or wpndatabase.db (after Windows Anniversary). Inside this SQLite database, the Notification table holds all the notifications (in XML format) that may contain interesting data.

The database \Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db can be opened with a SQLite tool or with the tool WxTCmd, which generates 2 files that can be opened with the tool Timeline Explorer.

The Recycle Bin is the folder $Recycle.bin in the root of the drive (C:\$Recycle.bin). When a file is deleted, 2 files are created in this folder:

$I{id}: file information (date of when it was deleted)
$R{id}: content of the file

These files can be parsed with the tool rifiuti-vista.exe (for Vista – Win10).

The Volume Shadow Copies live in \System Volume Information at the root of the file system, and their names are composed of UIDs. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore contains the files and keys not to back up. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS also contains configuration information about the Volume Shadow Copies.
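As an added example (not code from the original page), the following Python builds a constructed in-memory stand-in for the wpndatabase.db Notification table described above and pulls the readable text out of each XML payload. The table and column names (Notification, NotificationHandler, HandlerId/RecordId, Payload, ArrivalTime, PrimaryId) are assumed from the layout of the real database, and the application id and timestamps are constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def payload_text(payload):
    """Return the visible <text> lines of a toast/tile XML payload ([] if unparsable)."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return []
    return [t.text.strip() for t in root.iter("text") if t.text and t.text.strip()]

def extract_notifications(conn):
    """List notifications with the app that raised them (assumed wpndatabase.db schema)."""
    # Assumed: HandlerId -> NotificationHandler.RecordId; PrimaryId is the app id; ArrivalTime is a FILETIME.
    rows = conn.execute(
        "SELECT h.PrimaryId, n.Type, n.ArrivalTime, n.Payload "
        "FROM Notification n LEFT JOIN NotificationHandler h ON n.HandlerId = h.RecordId "
        "ORDER BY n.ArrivalTime, n.Id")
    results = []
    for app, ntype, arrival, payload in rows:
        if isinstance(payload, bytes):          # Payload is a BLOB holding UTF-8 XML
            payload = payload.decode("utf-8", errors="replace")
        results.append({"app": app, "type": ntype,
                        "arrival": filetime_to_datetime(arrival) if arrival else None,
                        "text": payload_text(payload or "")})
    return results

def build_sample_db():
    """Constructed in-memory stand-in for wpndatabase.db (subset of the assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER,
                                   Type TEXT, Payload BLOB, ArrivalTime INTEGER);
    """)
    conn.execute("INSERT INTO NotificationHandler VALUES (7, 'Example.MailApp_abc123!App')")
    toast = ('<toast><visual><binding template="ToastGeneric">'
             '<text>New message from Alice</text><text>Invoice attached</text>'
             '</binding></visual></toast>').encode()
    # 132223104000000000 is 2020-01-01 00:00:00 UTC as a FILETIME (constructed timestamps)
    conn.execute("INSERT INTO Notification VALUES (1, 7, 'toast', ?, 132223104000000000)", (toast,))
    conn.execute("INSERT INTO Notification VALUES (2, 7, 'badge', ?, 132223104600000000)",
                 (b'<badge value="3"/>',))
    return conn
```

Against a real copy of the database, replace build_sample_db() with sqlite3.connect(path) on a copy of wpndatabase.db taken from the user profile.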
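Added example, not part of the original page: a parser for the $I{id} metadata records described above, covering both the Vista to 8.1 layout (fixed 520-byte path buffer) and the Windows 10 layout (length-prefixed path). Besides the deletion date the page mentions, the record also carries the original size and path, which the parser returns; the sample record is constructed inside the block.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
def filetime_to_datetime(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_dollar_i(data):
    """Parse one $I{id} record and return its metadata as a dict.

    Header (both layouts): 8-byte version, 8-byte original size, 8-byte FILETIME.
    Version 1 (Vista - 8.1): fixed 520-byte UTF-16LE path buffer.
    Version 2 (Windows 10+): 4-byte path length in UTF-16 code units, then the path.
    """
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("version 2 record truncated before path length")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    # The path is NUL-terminated inside the buffer; drop the terminator and any padding.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}

def build_dollar_i(version, size, ft, path):
    """Build a constructed $I record (test fixture only; not produced by Windows)."""
    header = struct.pack("<QQQ", version, size, ft)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(encoded) // 2) + encoded

# Constructed sample: a Windows 10 record for a deleted document (2020-01-01 00:00:00 UTC).
SAMPLE_WIN10 = build_dollar_i(2, 4096, 132223104000000000, r"C:\Users\alice\Documents\secret.docx")

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_WIN10)
    print(f"{rec['deleted'].isoformat()}  {rec['size']:>8}  {rec['path']}")
```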
Office files: C:\Users\<username>\AppData\Roaming\Microsoft\{Excel|Word|Powerpoint}\

Recently opened items: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\ and C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent\

Jumplists are stored in C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\. The jumplists are named following the format {id}.automaticDestinations-ms, where the initial ID is the ID of the application.

Custom jumplists are stored in C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ and they are created by the application, usually because something important has happened with the file (maybe it was marked as favorite).

Check C:\Windows\inf\setupapi.dev.log to get the timestamps about when the USB connection was produced (search for Section start).

In the References
and In-Reply-To headers you can find the ID of the messages.

Emails are stored in \Users\<username>\AppData\Local\Comms\Unistore\data\3\. The emails are saved with .dat extension.

The database \Users\<username>\AppData\Local\Comms\UnistoreDB\store.vol can also be examined: rename .vol to .edb and you can use the tool ESEDatabaseView to open it. Inside the Message table you can see the emails.

Interesting MAPI headers:

Mapi-Client-Submit-Time: time of the system when the email was sent
Mapi-Conversation-Index: number of child messages of the thread and timestamp of each message of the thread
Mapi-Entry-ID: message identifier
Mapi-Message-Flags and Pr_last_Verb-Executed: information about the MAPI client (message read? not read? responded? redirected? out of the office?)

Microsoft Outlook data is stored in %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook (WinXP) or %USERPROFILE%\AppData\Local\Microsoft\Outlook. The registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook indicates the file that is being used.

Outlook also uses %APPDATA%\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook (IE10) or %APPDATA%\Local\Microsoft\InetCache\Content.Outlook (IE11+).

Thunderbird profiles are stored in \Users\%USERNAME%\AppData\Roaming\Thunderbird\Profiles.
A thumbs.db file stores the thumbnails of the images of the folder even if they are deleted. In WinXP and Win8-8.1 this file is created automatically. In Win7/Win10, it's created automatically if the folder is accessed via a UNC path (\\IP\folder...).

Thumbnails are also stored in %userprofile%\AppData\Local\Microsoft\Windows\Explorer as a number of files with the label thumbcache_xxx.db (numbered by size), as well as an index used to find thumbnails in each sized database.

Backups of the registry files are kept in %Windir%\System32\Config\RegBack\. Also from these versions, the registry file %UserProfile%\{User}\AppData\Local\Microsoft\Windows\USERCLASS.DAT is created, saving information about program executions.

In SAM\Domains\Account\Users
you can obtain the username, the RID, last logon, last failed logon, login counter, password policy and when the account was created. In order to get the hashes you also need the file/hive SYSTEM.

In NTUSER.DAT, in the path Software\Microsoft\CurrentVersion\Search\RecentApps, you can find subkeys with information about the applications executed, the last time each was executed, and the number of times it was launched.

Open the SYSTEM file with a registry editor; inside the path SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} you can find the information about the applications executed by each user (note the {SID} in the path) and at what time they were executed (the time is inside the Data value of the registry).

Prefetch files are the .pf files inside the path C:\Windows\Prefetch. There is a limit of 128 files in XP/Vista/Win7 and 1024 files in Win8/Win10. They are named {program_name}-{hash}.pf (the hash is based on the path and arguments of the executable). In W10 these files are compressed. Note that the sole presence of the file indicates that the program was executed at some point.

C:\Windows\Prefetch\Layout.ini contains the names of the folders of the files that are prefetched. This file contains information about the number of the executions, dates of the execution and files open by the program.

Superfetch data is stored in C:\Windows\Prefetch\Ag*.db.

The SRUM database is C:\Windows\System32\sru\SRUDB.dat.
The AppCompatCache is stored in the registry under SYSTEM\CurrentControlSet\Control\Session Manager\Appcompatibility\AppcompatCache or SYSTEM\CurrentControlSet\Control\Session Manager\AppcompatCache\AppCompatCache, depending on the Windows version.

The Amcache is the file C:\Windows\AppCompat\Programs\Amcache.hve; when parsed, the most interesting output is the Amcache_Unassociated file entries.

The file C:\Windows\AppCompat\Programs\RecentFileCache.bcf contains information about the recent execution of some binaries.

Scheduled tasks can be found in C:\Windows\Tasks or C:\Windows\System32\Tasks and read as XML.

Services are defined in SYSTEM\ControlSet001\Services. You can see what is going to be executed and when.

Installed applications are recorded in \ProgramData\Microsoft\Windows\AppRepository\. This repository has a log with each application installed in the system inside the database StateRepository-Machine.srd. In the registry, installed applications are listed in Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications\ and uninstalled applications in Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deleted\.

Windows events are stored in C:\Windows\System32\config before Windows Vista and in C:\Windows\System32\winevt\Logs after Windows Vista. The location of the event files is also recorded in HKLM\SYSTEM\CurrentControlSet\services\EventLog\{Application|System|Security}. They can be viewed with the Windows Event Viewer (eventvwr.msc) or with other tools like Event Log Explorer or Evtx Explorer/EvtxECmd.

The security events are in C:\Windows\System32\winevt\Security.evtx.

PSexec -u or RunAs is used, or the user accesses a network service with different credentials.