The Presenter
Introduction to Forensic Expertise
Toqa Ezzatly
Cybersecurity Engineer
Professional Profile
Digital Forensics enthusiast and aspiring Red Teamer with a strong foundation in Windows OS internals, cybersecurity, and network forensics. This reference guide provides practical insights into Windows artifacts and investigative methodologies, reflecting real-world bug hunting and security analysis experience.
toqaezzatly@gmail.com
https://toqaezzatly.github.io/toqaezzatly/
Program Execution
Evidence of applications triggered on the system

UserAssist
NTUSER.DAT\Software\...\UserAssist
Tracks GUI-based application launches per user. Value names are ROT13-encoded; each value holds the run count and the last execution time.

Shimcache (AppCompatCache)
SYSTEM\...\AppCompatCache
Records executables seen by the application compatibility subsystem. On Windows 10 an entry proves the file existed at that path, not that it was run; corroborate with Prefetch, Amcache or UserAssist.

Prefetch (.pf)
C:\Windows\Prefetch
Optimization files with run counts and last execution times (up to eight on Windows 8 and later). Often disabled on Windows Server; check the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters.

Amcache.hve
C:\Windows\AppCompat\Programs\Amcache.hve
Full path, SHA1 hash (computed over the first 31 MB of the file) and first-seen metadata for executables. Presence in Amcache alone does not prove execution.

Windows Timeline
ActivitiesCache.db
Recent application and file usage shown by the Timeline view (WIN+TAB); stored per user under %LOCALAPPDATA%\ConnectedDevicesPlatform\.

RecentApps
NTUSER.DAT\...\RecentApps
Tracks recent GUI executions and the files each application opened; present on some Windows 10 builds and removed in later releases.

BAM / DAM
SYSTEM\...\Services\bam\UserSettings
Background Activity Moderator: last execution time of each executable, keyed by user SID (Windows 10 1709 and later; stored under bam\State\UserSettings from 1809).
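The two registry artifacts above that carry a per-program timestamp, UserAssist and BAM, can be decoded with a few lines of Python once their binary layouts are known. The example below is added here and is not code from the guide's author. It parses the 72-byte Windows 7+ UserAssist value layout (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60) and the 24-byte BAM value (FILETIME in the first 8 bytes), then checks that the two agree on program and time. The value bytes, SID and GUID-prefixed path are constructed with struct.pack for the demonstration; in practice the bytes come from a registry hive parser.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Added example (not part of the original guide). The sample value bytes below are
# constructed with struct.pack to mirror the documented Win7+ layouts; nothing here
# was taken from a real system.

EPOCH_DIFF = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01


def filetime_to_dt(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime.fromtimestamp((ft - EPOCH_DIFF) / 10_000_000, tz=timezone.utc)


def dt_to_filetime(dt: datetime) -> int:
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DIFF


def decode_userassist_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; digits, braces and punctuation are unchanged."""
    return codecs.decode(name, "rot13")


def parse_userassist_value(name: str, data: bytes) -> dict:
    """Parse a 72-byte Windows 7+ UserAssist value.

    Offsets: 4 run count, 8 focus count, 12 focus time (ms), 60 last-run FILETIME.
    """
    if len(data) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": decode_userassist_name(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_dt(last_run_ft) if last_run_ft else None,
    }


def parse_bam_value(sid: str, exe_path: str, data: bytes) -> dict:
    """BAM values are 24 bytes; the first 8 are the last-execution FILETIME for that user SID."""
    (last_run_ft,) = struct.unpack_from("<Q", data, 0)
    return {"sid": sid, "program": exe_path, "last_run": filetime_to_dt(last_run_ft)}


def build_sample_userassist(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Construct a 72-byte UserAssist value for demonstration only."""
    return (
        struct.pack("<IIII", 0, run_count, focus_count, focus_ms)   # session id + counters
        + b"\x00" * 44                                              # bytes 16-59: ten float fields, unused here
        + struct.pack("<Q", dt_to_filetime(last_run))               # bytes 60-67: last run
        + b"\x00" * 4                                               # bytes 68-71: unknown/zero
    )


SAMPLE_TIME = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
# ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe" (the System32 known-folder GUID)
SAMPLE_UA_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_UA_VALUE = build_sample_userassist(7, 3, 45_000, SAMPLE_TIME)
SAMPLE_BAM_VALUE = struct.pack("<Q", dt_to_filetime(SAMPLE_TIME)) + b"\x00" * 16
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID


def corroborate(ua: dict, bam: dict, tolerance: timedelta = timedelta(minutes=5)) -> bool:
    """Two independent artifacts agreeing on program name and time strengthen an execution finding."""
    exe_name = bam["program"].lower().rsplit("\\", 1)[-1]
    same_exe = ua["program"].lower().endswith(exe_name)
    return same_exe and ua["last_run"] is not None and abs(ua["last_run"] - bam["last_run"]) <= tolerance


if __name__ == "__main__":
    ua = parse_userassist_value(SAMPLE_UA_NAME, SAMPLE_UA_VALUE)
    bam = parse_bam_value(SAMPLE_SID, r"\Device\HarddiskVolume3\Windows\System32\cmd.exe", SAMPLE_BAM_VALUE)
    print(ua)
    print(bam)
    print("corroborated:", corroborate(ua, bam))
```

The FILETIME helpers are the same ones needed for most Windows registry timestamps; the ROT13 step applies only to UserAssist. Note that BAM records one timestamp per executable path per SID, so a repeated launch overwrites the earlier time, while UserAssist keeps a cumulative run count.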
File & Folder Access
Evidence of user knowledge and specific data access

Shell Bags
USRCLASS.DAT\...\Shell\Bags (with BagMRU; older entries also under NTUSER.DAT\Software\Microsoft\Windows\Shell)
Folder browsing history covering local, network and removable (USB) paths; folders remain recorded after they are deleted.

LNK Files
%USERPROFILE%\...\Recent
Shortcuts created when a file is opened. Each holds the target's path, size, MAC timestamps and volume serial, so the record survives deletion of the target.

RecentDocs
NTUSER.DAT\...\RecentDocs
Recently opened files and folders, grouped by extension, with MRU ordering.

Office FileMRU
NTUSER.DAT\...\Office
MS Office document access history (File MRU and Place MRU per application and version).

Thumbcache
%USERPROFILE%\...\Explorer
thumbcache_*.db files holding thumbnails of viewed images and documents.

Thumbs.db
Hidden file inside image folders
Legacy per-folder thumbnail store.

Jump Lists
%USERPROFILE%\...\AutomaticDestinations (and CustomDestinations)
Taskbar recent and frequent items (AutomaticDestinations) and pinned items (CustomDestinations), each containing embedded LNK streams.
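Because LNK files (and the LNK streams inside Jump Lists) preserve the target's metadata, a parser for the fixed-size ShellLinkHeader is enough to recover the target's timestamps and size even after the file itself is gone. The example below is added here and is not code from the guide's author. It follows the 76-byte header layout from MS-SHLLINK (LinkFlags at offset 20, FileAttributes at 24, creation/access/write FILETIMEs at 28/36/44, FileSize at 52); the sample header is constructed with struct.pack, and the LinkTargetIDList and LinkInfo structures that follow the header (which carry the local path and volume serial) are deliberately out of scope.

```python
import struct
from datetime import datetime, timezone

# Added example (not from the original guide): parses only the 76-byte ShellLinkHeader
# as documented in MS-SHLLINK. The sample header below is constructed with struct.pack.

EPOCH_DIFF = 116444736000000000
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName", 0x08: "HasRelativePath",
    0x10: "HasWorkingDir", 0x20: "HasArguments", 0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_dt(ft: int):
    """FILETIME to aware datetime; a zero FILETIME means the field was not set."""
    return datetime.fromtimestamp((ft - EPOCH_DIFF) / 10_000_000, tz=timezone.utc) if ft else None


def dt_to_filetime(dt: datetime) -> int:
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DIFF


def parse_lnk_header(data: bytes) -> dict:
    """Parse the ShellLinkHeader and return the target metadata it preserves."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, attrs, ctime, atime, wtime, fsize = struct.unpack_from("<IIQQQI", data, 20)
    return {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "attributes": [name for bit, name in FILE_ATTRIBUTES.items() if attrs & bit],
        "target_created": filetime_to_dt(ctime),
        "target_accessed": filetime_to_dt(atime),
        "target_modified": filetime_to_dt(wtime),
        "target_size": fsize,
    }


def parse_lnk_file(path: str) -> dict:
    with open(path, "rb") as f:
        return parse_lnk_header(f.read(76))


def build_sample_lnk_header(flags, attrs, ctime, atime, wtime, fsize) -> bytes:
    """Construct a header for demonstration; real .lnk files continue past byte 76."""
    return (
        struct.pack("<I", 0x4C) + LNK_CLSID
        + struct.pack("<IIQQQI", flags, attrs,
                      dt_to_filetime(ctime), dt_to_filetime(atime), dt_to_filetime(wtime), fsize)
        + struct.pack("<IIHHII", 0, 1, 0, 0, 0, 0)   # IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey, Reserved1-3
    )


SAMPLE_LNK = build_sample_lnk_header(
    flags=0x01 | 0x02 | 0x08 | 0x10 | 0x80,     # IDList, LinkInfo, RelativePath, WorkingDir, Unicode
    attrs=0x20,                                 # FILE_ATTRIBUTE_ARCHIVE: an ordinary file, not a folder
    ctime=datetime(2023, 12, 1, 9, 0, tzinfo=timezone.utc),
    atime=datetime(2024, 1, 15, 10, 29, tzinfo=timezone.utc),
    wtime=datetime(2023, 12, 20, 16, 45, tzinfo=timezone.utc),
    fsize=2_097_152,
)

if __name__ == "__main__":
    import sys
    record = parse_lnk_file(sys.argv[1]) if len(sys.argv) > 1 else parse_lnk_header(SAMPLE_LNK)
    for key, value in record.items():
        print(f"{key}: {value}")
```

Run it with the path to a .lnk from the Recent folder to see the target's timestamps; the access time in the header is the target's last access when the shortcut was written, which is usually the moment the user opened the file.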
Browsing Activity
Online history, downloads, and web-based exfiltration

Browser History
Chrome: History (SQLite) | Firefox: places.sqlite | IE / legacy Edge: WebCacheV*.dat
URLs visited, visit counts, and timestamps (Chrome stores times as microseconds since 1601-01-01).

Browser Downloads
Chrome: downloads table inside History | Firefox: downloads.sqlite (legacy; current releases record downloads in places.sqlite)
Downloaded files, their saved paths and source URLs.

Browser Cookies
Chrome: Cookies (SQLite) | Firefox: cookies.sqlite
Session and authentication state, showing which sites the user was logged into.

Browser Cache
Chrome: Cache | IE: Temporary Internet Files (INetCache on IE10 and later)
Cached resources and page remnants.

Session Restore
Chrome: Sessions folder | Firefox: sessionstore-backups | IE: Recovery folder
Open tabs and session state kept for browser recovery.

Zone.Identifier (ADS)
NTFS Alternate Data Stream <file>:Zone.Identifier
Records the origin of a downloaded file: ZoneId (3 = Internet) and, on recent Windows versions, ReferrerUrl and HostUrl.
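Browser history and the Zone.Identifier stream answer the same question from two sides: the browser says what was downloaded from where, and the ADS on the file says where it came from. The example below is added here and is not code from the guide's author. It builds an in-memory SQLite database with a constructed, minimal subset of Chrome's History schema (the urls, downloads and downloads_url_chains tables with only the columns used), converts Chrome's WebKit timestamps, parses a constructed Zone.Identifier stream, and ties the download to the file by matching its final chain URL against HostUrl.

```python
import configparser
import sqlite3
from datetime import datetime, timezone

# Added example (not from the original guide). The History tables and the Zone.Identifier
# text are constructed here with a minimal subset of the real columns.

WEBKIT_EPOCH_OFFSET = 11644473600          # seconds between 1601-01-01 and 1970-01-01
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}


def webkit_to_dt(us: int) -> datetime:
    """Chrome stores times as microseconds since 1601-01-01 UTC."""
    return datetime.fromtimestamp(us / 1_000_000 - WEBKIT_EPOCH_OFFSET, tz=timezone.utc)


def dt_to_webkit(dt: datetime) -> int:
    return (int(dt.timestamp()) + WEBKIT_EPOCH_OFFSET) * 1_000_000


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a copied Chrome History file (copy it first: Chrome holds a lock)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                               received_bytes INTEGER, total_bytes INTEGER, state INTEGER,
                               tab_url TEXT, referrer TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
    """)
    t = dt_to_webkit(datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 5, 2, t - 3_600_000_000, 0),
        (2, "https://files.example.net/tools/updater.exe", "", 1, 0, t, 0),
    ])
    con.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?)",
                (1, r"C:\Users\analyst\Downloads\updater.exe", t, 2_097_152, 2_097_152, 1,  # state 1 = complete
                 "https://example.com/downloads", "https://example.com/", "application/x-msdownload"))
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://short.example/abc"),                          # first URL requested
        (1, 1, "https://files.example.net/tools/updater.exe"),        # final URL after redirect
    ])
    return con


def visited_urls(con: sqlite3.Connection) -> list:
    rows = con.execute("SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time")
    return [{"url": u, "title": ti, "visits": v, "last_visit": webkit_to_dt(lv)} for u, ti, v, lv in rows]


def downloads(con: sqlite3.Connection) -> list:
    """Join each download to the last URL in its redirect chain, which is the real source."""
    sql = """SELECT d.id, d.target_path, d.start_time, d.total_bytes, d.state, d.referrer, c.url
             FROM downloads d JOIN downloads_url_chains c ON c.id = d.id
             WHERE c.chain_index = (SELECT MAX(chain_index) FROM downloads_url_chains WHERE id = d.id)"""
    return [{"path": p, "start": webkit_to_dt(st), "bytes": b, "state": s, "referrer": r, "source_url": u}
            for _, p, st, b, s, r, u in con.execute(sql)]


SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/downloads
HostUrl=https://files.example.net/tools/updater.exe
"""


def parse_zone_identifier(text: str) -> dict:
    """On a live Windows host the text comes from open(r'C:\\path\\file.exe:Zone.Identifier').read()."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sect = cp["ZoneTransfer"]
    zone = int(sect.get("ZoneId", "-1"))
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "unknown"),
            "referrer_url": sect.get("ReferrerUrl"), "host_url": sect.get("HostUrl")}


def correlate(con: sqlite3.Connection, zone_info: dict) -> list:
    """Downloads whose final source URL matches the HostUrl recorded on the file."""
    return [d for d in downloads(con) if d["source_url"] == zone_info["host_url"]]


if __name__ == "__main__":
    con = build_sample_history()
    zone = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    for hit in correlate(con, zone):
        print(hit["path"], "<-", hit["source_url"], "at", hit["start"].isoformat(), "zone:", zone["zone"])
```

Against a real profile, point sqlite3.connect at a copy of the History file; the queries are the same. The redirect chain matters because the URL the user clicked (chain_index 0) and the host that actually served the binary (highest chain_index) are often different.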
External Devices
USB connections and exfiltration attempts

USBSTOR Registry
SYSTEM\CurrentControlSet\Enum\USBSTOR
Vendor, Product and Revision are in the device key name; the instance subkey is the device serial number. If the second character of that instance ID is '&', Windows generated it and it does not uniquely identify the device.

SetupAPI Logs
C:\Windows\inf\setupapi.dev.log
First connection timestamp for each device (the "Section start" line that follows its Device Install entry), recorded in local time.
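Putting the two USB artifacts together means splitting the USBSTOR key names into vendor, product, revision and serial, flagging Windows-generated instance IDs, and pulling the first-install time for each serial out of setupapi.dev.log. The example below is added here and is not code from the guide's author. The registry key names and the log excerpt are constructed to match the real formats; the setupapi timestamps are treated as local time with no zone, as the log itself records them.

```python
import re
from datetime import datetime

# Added example (not from the original guide). Key names and log lines are constructed
# to mirror the real USBSTOR and setupapi.dev.log formats; they are not from a real host.

SAMPLE_USBSTOR_KEYS = {
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001234567890123&0"],
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&2a1b3c4d&0"],   # '&' as 2nd char: no real serial
}

SAMPLE_SETUPAPI_LOG = r""">>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2024/01/15 10:31:01.987
<<<  Section end 2024/01/15 10:31:02.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2024/01/15 10:31:02.123
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2024/01/15 10:31:03.456
<<<  [Exit status: SUCCESS]
"""

USBSTOR_RE = re.compile(r"Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&\\]*)")
SETUPAPI_RE = re.compile(
    r">>>\s+\[Device Install \(Hardware initiated\) - (?P<devpath>USBSTOR\\[^\]]+)\]\s*\n"
    r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
)


def parse_usbstor_key(key: str) -> dict:
    m = USBSTOR_RE.search(key)
    if not m:
        raise ValueError(f"unrecognised USBSTOR key: {key}")
    return {"vendor": m.group("vendor"), "product": m.group("product"), "revision": m.group("rev")}


def parse_usbstor_instance(instance: str) -> dict:
    """Strip the '&<n>' suffix Windows appends; detect IDs Windows generated itself."""
    generated = len(instance) > 1 and instance[1] == "&"
    serial = None if generated else instance.rsplit("&", 1)[0]
    return {"instance_id": instance, "serial": serial, "windows_generated_id": generated}


def first_connections(log_text: str) -> dict:
    """Map each USBSTOR instance ID to the earliest 'Section start' time following its install entry."""
    firsts = {}
    for m in SETUPAPI_RE.finditer(log_text):
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")   # local time, no zone in the log
        _, _, instance = m.group("devpath").rpartition("\\")
        if instance not in firsts or ts < firsts[instance]:
            firsts[instance] = ts
    return firsts


def usb_device_report(usbstor: dict, log_text: str) -> list:
    firsts = first_connections(log_text)
    report = []
    for key, instances in usbstor.items():
        for inst in instances:
            rec = {**parse_usbstor_key(key), **parse_usbstor_instance(inst)}
            rec["first_connected_local"] = firsts.get(inst)
            report.append(rec)
    return report


if __name__ == "__main__":
    for rec in usb_device_report(SAMPLE_USBSTOR_KEYS, SAMPLE_SETUPAPI_LOG):
        print(rec)
```

Entries for the USB\VID_xxxx&PID_xxxx parent device appear in the log as well; the report keys on the USBSTOR instance so that the serial from the registry and the timestamp from the log line up. A device with a generated ID can still be tracked by its VID/PID and by the volume GUID it was mounted under, but not by serial.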
Accounts & Authentication
Logons, remote access, persistence

Logon Events
Security.evtx
Event ID 4624 (successful logon) and 4625 (failed logon). The Logon Type field distinguishes interactive (2), network (3) and remote interactive (10) logons.

RDP Usage
Security.evtx Event IDs 4624 with Logon Type 10, 4778 (session reconnected) and 4779 (session disconnected)
Remote interactive sessions, with the client name and source IP address.

Service Events
System.evtx Event ID 7045 (new service installed) and Security.evtx Event ID 4697 (service installed, when audited)
Persistence and malware installs via services.
Deletion & Cleanup
Evidence removal & anti-forensics traces

Recycle Bin
$Recycle.Bin\<SID>\
$I files hold the original path, size and deletion time of each deleted file; the matching $R file holds the content.

USN Journal
$Extend\$UsnJrnl ($J data stream)
File create, delete, rename and overwrite records with timestamps; typically covers only the most recent days or weeks.

Prefetch Deletion
C:\Windows\Prefetch
.pf files remain after the executable is removed, preserving its name, run count and last run times.

Event Log Clearing
Security.evtx Event ID 1102 (audit log cleared); System.evtx Event ID 104 (log cleared)
Manual log deletion and tampering; a cleared log still records who cleared it and when.
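The Recycle Bin entry above is the one in this section that can be fully recovered from a small binary record, so it is the natural one to show as code. The example below is added here and is not code from the guide's author. It parses both $I layouts (version 1 on Vista through 8.1: a 544-byte record with a fixed 520-byte UTF-16LE path; version 2 on Windows 10 and later: a length-prefixed path), maps each $I to its $R companion, and reports when the $R content file is missing, which is what a partially emptied or selectively wiped bin looks like. The $I records, SID and file names are constructed for the demonstration.

```python
import re
import struct
from datetime import datetime, timezone

# Added example (not from the original guide). $I records below are constructed with
# struct.pack to match the version 1 and version 2 layouts; the SID is made up.

EPOCH_DIFF = 116444736000000000
SAMPLE_TIME = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
DOLLAR_I_RE = re.compile(r"^\$I([0-9A-Za-z]{6})(\..*)?$")


def filetime_to_dt(ft: int) -> datetime:
    return datetime.fromtimestamp((ft - EPOCH_DIFF) / 10_000_000, tz=timezone.utc)


def dt_to_filetime(dt: datetime) -> int:
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DIFF


def parse_dollar_i(data: bytes) -> dict:
    """Offsets 0/8/16: version, original size, deletion FILETIME; then the original path."""
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                                   # Vista to 8.1: fixed 260-char UTF-16LE path
        raw = data[24:24 + 520]
    elif version == 2:                                 # Windows 10+: length in UTF-16 units incl. null
        (name_len,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + name_len * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "size": size,
        "deleted": filetime_to_dt(deleted_ft),
        "original_path": raw.decode("utf-16-le").rstrip("\x00"),
    }


def build_sample_dollar_i(path: str, size: int, deleted: datetime, version: int = 2) -> bytes:
    """Construct a $I record for demonstration only."""
    name = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, dt_to_filetime(deleted))
    if version == 1:
        return header + name.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + name


def matching_r_name(i_name: str) -> str:
    """$Ixxxxxx.ext holds metadata; $Rxxxxxx.ext holds the content of the same deleted file."""
    m = DOLLAR_I_RE.match(i_name)
    if not m:
        raise ValueError(f"not a $I file name: {i_name}")
    return "$R" + m.group(1) + (m.group(2) or "")


def recycle_bin_report(listing: dict) -> list:
    """listing maps '<SID>/<file name>' to file bytes, standing in for a walk of $Recycle.Bin."""
    report = []
    for key, data in listing.items():
        sid, fname = key.split("/", 1)
        if not fname.startswith("$I"):
            continue
        rec = parse_dollar_i(data)
        r_name = matching_r_name(fname)
        rec.update(sid=sid, i_file=fname, r_file=r_name, r_present=f"{sid}/{r_name}" in listing)
        report.append(rec)
    return sorted(report, key=lambda r: r["deleted"])


SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_LISTING = {
    f"{SAMPLE_SID}/$IQ7K2X1.docx": build_sample_dollar_i(r"C:\Users\analyst\Documents\plan.docx", 48_210, SAMPLE_TIME),
    f"{SAMPLE_SID}/$RQ7K2X1.docx": b"<document content>",
    # version 1 record whose $R companion is gone: metadata survives, content does not
    f"{SAMPLE_SID}/$I3B9ZZA.xlsx": build_sample_dollar_i(
        r"D:\secret.xlsx", 1_024, datetime(2024, 1, 14, 8, 0, tzinfo=timezone.utc), version=1),
}

if __name__ == "__main__":
    for rec in recycle_bin_report(SAMPLE_LISTING):
        status = "content present" if rec["r_present"] else "content missing"
        print(rec["deleted"].isoformat(), rec["original_path"], rec["size"], status)
```

A $I without its $R means the content was removed separately from the metadata; a bin emptied normally removes both, so that pattern is worth noting alongside the USN Journal entries for the same names.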
Network & Location
Physical presence & network association

NetworkList
SOFTWARE\...\NetworkList
Profiles (network name/SSID, first and last connection time) and Signatures (default gateway MAC address) for wired, wireless and VPN connections.

WLAN AutoConfig
Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx
Wireless connection timeline (Event ID 8001 connected, 8003 disconnected) with SSID and BSSID.

SRUM
C:\Windows\System32\sru\SRUDB.dat
System Resource Usage Monitor: roughly 30 days of per-application resource and network usage, including bytes sent and received per interface.
DFIR Methodology
Structured investigation approach

Triage
Define scope, capture volatile data first (memory, network connections, running processes), then prioritize remaining evidence by volatility and relevance.

Timeline Analysis
Normalize timestamps from every source to UTC and correlate multi-source artifacts into a single timeline.

Artifact Correlation
Cross-validate each conclusion with at least two independent artifacts (for example Prefetch plus UserAssist for execution, LNK plus ShellBags for access).

Reporting
Clear, defensible forensic conclusions, each tied to the specific artifacts that support it.