// evidence type

windows endpoint artifacts (lnk / shellbags)

lnk export · shellbags · jumplists · amcache · shimcache · recentdocs. user activity reconstruction when you have analyst collections, not a full image.

tools
13
priority
M
processing
local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. lnk file parser: drop a Windows .lnk shortcut · target path · timestamps · machine ID · volume serial · network share info · runs locally
  2. windows lnk deep analyzer: drop Windows .lnk shortcut files · parse full shell link structure · target path · command line · machine GUID · volume serial · timestamps · network share · tracker block · export CSV · runs locally
  3. lnk timeline correlator: drop multiple Windows .lnk shortcuts · unified FILETIME timeline · machine GUID · volume serial · dedupe targets · CSV export · runs locally
  4. shellbags analyzer: drop a Windows registry hive · extract shellbag entries · folder browsing history · paths · timestamps · export CSV · runs locally
  5. windows jump list parser: drop .automaticDestinations-ms or .customDestinations-ms · parse OLE structure · extract recently accessed files per app · timestamps · AppIDs · export CSV · runs locally
  6. jump list cross-application timeline correlator: drop multiple jlecmd csv exports · unified timeline · cross-app document access · network and removable flags · export csv · runs locally
  7. amcache parser: drop Amcache.hve · parse executed binaries · SHA1 hashes · file paths · first run timestamps · program inventory · export CSV · runs locally
  8. shimcache parser: drop SYSTEM hive · parse AppCompatCache · execution traces · deleted binary detection · timestamps · heuristic · export CSV · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. recentdocs mru deep analyzer: drop ntuser.dat reg export · parse recentdocs mru · office file mru · sensitive file type flags · export csv · runs locally
  2. user workstation affinity mapper: drop months of 4624 logon evtx csv · build statistical profile of which user uses which machine · compute affinity scores · flag when a user logs into an unusual machine · detect account takeover by changed workstation usage · runs locally
  3. browser download history correlator: drop chrome history sqlite and optional mft csv · parse download records · correlate against filesystem evidence · identify downloaded files that were deleted · surface download chain from referrer to file to execution · runs locally
  4. print spooler artifact forensic analyzer: drop shd spool files evtx csv registry exports · print job history · printnightmare indicators · export csv · runs locally
  5. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally