Windows Disk
SRUM Database
The Windows System Resource Usage Monitor (SRUM) is a tool designed to track system resource usage comprehensively. It records details such as application resource consumption, energy usage, network connectivity, data usage, and Windows push notifications.
The SRUM database maintains a log of program executions, power consumption patterns, network activities, and various other system interactions, offering a valuable resource for retrieving information even if the original source data has been deleted.
🔒 Location: C:\Windows\System32\SRU\SRUDB.dat
Category
SRUM Application Resource Usage (Most value)
SRUM Network Usage (Most value)
SRUM Network Connections
SRUM Energy Usage
SRUM Push Notification Data
SRUM Energy Usage (Long Term)
Jumplists
The Jump Lists feature offers users convenient access to recently opened files and commonly used tasks for specific applications. This artifact captures information on recent user activity, including accessed files, applications, browser URLs, documents, PDFs, ZIP files, system settings, and more.
Automatic destinations
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Custom destinations
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Recycle Bin
The recycle bin serves as a temporary storage location for items deleted by the user.
🔒 Location: C:\$Recycle.Bin\{SID}\$I######
$I files store metadata, including the original file path, size, and deletion timestamp. Each $I file is paired with a $R file of the same suffix, which holds the actual content of the deleted file, as long as the item has not been permanently removed.
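As an added example (not from the page or from LetsDefend), the following Python parser reads the $I record layout described above for both the fixed-length v1 format (Vista to 8.1) and the length-prefixed v2 format (Windows 10 and later); the sample records are constructed inline rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - _FILETIME_EPOCH  # integer arithmetic avoids float rounding
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_dollar_i(data):
    """Parse one $I metadata record; supports v1 (Vista-8.1) and v2 (Win10+)."""
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # v1: fixed 260-character (520-byte) null-padded UTF-16LE path
        path = data[24:544].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # v2: 4-byte character count (includes terminating null), then path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_path": path, "size": size,
            "deleted_utc": filetime_to_datetime(ft)}


def build_dollar_i(version, path, size, deleted_utc):
    """Construct a $I record; used here only to build sample input."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")


# Constructed sample records (not real evidence)
_DELETED = datetime(2024, 3, 5, 14, 22, 10, tzinfo=timezone.utc)
SAMPLE_V2 = build_dollar_i(2, r"C:\Users\alice\Downloads\invoice.docx", 48213, _DELETED)
SAMPLE_V1 = build_dollar_i(1, r"C:\Users\bob\Desktop\notes.txt", 1024, _DELETED)

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(parse_dollar_i(rec))
```

On a live image, pass the bytes of each $I file under the user's SID folder to parse_dollar_i and match the suffix to the corresponding $R file.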
Search Index
The Windows Search service functions as an internal dictionary, operating in the background to collect and index the system's content. The service "provides content indexing, property caching, and search results for files, e-mail, and other content".
When a user searches for a document, image, or any other file type, the query is directed to the Windows Search Index database, rather than performing a real-time search on the system.
🔒 Location: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
When the index is parsed, our primary focus is on the File_Report and Internet_History_Report data.
RDP Cache
When a user connects to another system via RDP, small bitmap tiles of the remote screen are cached in the user's profile so the client can reuse them during the session instead of retransmitting them.
🔒 Location:
C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache
In RDP lateral movement investigations, RDP bitmap cache files are key evidence.
Thumbnail Cache
ThumbCache is a feature that stores thumbnail images of files for Windows Explorer's thumbnail view. These images, representing the contents of files, are stored in a centralized Thumbnail Cache file.
🔒 Location: C:\Users\[Username]\AppData\Local\Microsoft\Windows\Explorer
These files are named thumbcache_xxx.db and iconcache_xxx.db, where "xxx" is the thumbnail size in pixels (for example thumbcache_32.db, thumbcache_256.db, thumbcache_1024.db).
MFT ($MFT)
The Master File Table (MFT) records nearly all disk activity on NTFS systems, storing metadata like file paths, extensions, timestamps, and information on deleted files. It also captures the source of downloaded files via the Zone.Identifier stream, aiding in the detection of malicious URLs and the creation of Indicators of Compromise (IOCs).
USN Journal ($J)
The USN Journal provides detailed tracking of file system changes such as creation, deletion, renaming, moving, and archiving while logging each action with precise timestamps.
LNK Files
LNK files are Windows shortcut files that are created automatically when a user opens a file or installs software. They record when and from where a file was accessed or executed.
They can also be leveraged by attackers for initial access, persistence, and defense evasion.
🔒 Location: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
Prefetch Files
Prefetch is a Windows feature that improves application launch times by storing data about previously executed programs. It records how many times a program was run, the timestamps of its last eight executions, and the files or objects it interacted with.
🔒 Location: C:\Windows\Prefetch
Windows Notification DB
Windows notifications provide real-time alerts for emails, app updates, security warnings, reminders, and more. They can reveal the notification content, the time it was received, its expiration time, and other metadata, offering valuable insight into user activity and system events.
🔒 Location: C:\Users\%USER%\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
This knowledge has been compiled from resources provided by LetsDefend.