This week I have been working a case where I was required to identify users on a Windows Server 2003 system who had knowledge of, or had run, a particular unauthorised executable. As such, I found myself wracking my brain for all the user attributable artifacts which evidence program execution (on an OS I hadn't analysed for a short while).

Furthermore, David Cowen in his recent Sunday Funday Challenge over at HECFBlog had posed a similar question regarding evidence of execution. With that as my motivation, I set about to document different artifacts which can be used to evidence program execution (both user attributable and otherwise) as available in various different versions of Windows.

I should highlight up front that some really fantastic blog posts from Harlan Carvey, Andrea Fortuna, Corey Harrell and Mary Singh gave me a significant leg up. This isn't my first time reading any of those posts and I'm sure it won't be my last. A myriad of other posts assisted in confirming details of specific artifacts and I have referenced those below.

The main focus of this post, and particularly the associated table of artifacts, is to serve as a reference and reminder of what evidence sources may be available on a particular system during analysis. The table below details some of the artifacts which evidence program execution and whether they are available for different versions of the Windows Operating System.

Cells in green are where the artifact is available by default; note that some artifacts may not be available despite a green cell (e.g. instances where prefetch is disabled due to an SSD).

Cells in yellow indicate that the artifact is associated with a feature that is disabled by default but that may be enabled by an administrator (e.g. Prefetch on a Windows Server OS) or added through the application of a patch or update (e.g.
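As an added example (not code from the original post), a PowerShell triage check for the Prefetch caveats above: whether the prefetcher is enabled in the registry, whether the SysMain (SuperFetch) service that writes .pf files on Windows 8 and later is running, what media type the disks report, and what is actually sitting in the Prefetch folder. It assumes PowerShell 3.0 or later with local read access; Get-PhysicalDisk comes from the Storage module (Windows 8 / Server 2012 and later) and simply returns nothing on older hosts.

```powershell
function Get-PrefetchStatus {
    # EnablePrefetcher: 0 = disabled, 1 = application launch, 2 = boot, 3 = both.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    $value = Get-ItemProperty -Path $key -Name EnablePrefetcher -ErrorAction SilentlyContinue
    $mode  = if ($null -ne $value) { [int]$value.EnablePrefetcher } else { $null }

    # On Windows 8 and later the prefetcher runs inside the SysMain (SuperFetch) service,
    # so a stopped or disabled service means no new .pf files even if the registry says "on".
    # Older versions have no SysMain service; the field then reads NotPresent.
    $svc = Get-Service -Name SysMain -ErrorAction SilentlyContinue

    # Media type matters: application prefetch is turned off by default on SSDs.
    $media = Get-PhysicalDisk -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty MediaType -Unique

    # Count what is really on disk; the .pf write times bound the window the artifact covers.
    $dir    = Join-Path $env:SystemRoot 'Prefetch'
    $pf     = @(Get-ChildItem -Path $dir -Filter '*.pf' -File -ErrorAction SilentlyContinue)
    $sorted = @($pf | Sort-Object LastWriteTime)

    [pscustomobject]@{
        EnablePrefetcher = $mode
        AppPrefetchOn    = ($null -ne $mode) -and (($mode -band 1) -eq 1)
        SysMainStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotPresent' }
        MediaType        = ($media -join ',')
        PrefetchFiles    = $pf.Count
        OldestPf         = if ($sorted.Count) { $sorted[0].LastWriteTime }  else { $null }
        NewestPf         = if ($sorted.Count) { $sorted[-1].LastWriteTime } else { $null }
    }
}

# Run locally on the system under review (or inside a PSSession) and keep the output with the case notes.
Get-PrefetchStatus | Format-List
```

A green cell in the table tells you the artifact is expected; this output tells you whether it was actually being written on the host you are looking at, and over what date range.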