GithubLinkedin

Windows Disk

SRUM Database

The Windows System Resource Usage Monitor (SRUM) is a tool designed to track system resource usage comprehensively. It records details such as application resource consumption, energy usage, network connectivity, data usage, and Windows push notifications.

The SRUM database maintains a log of program executions, power consumption patterns, network activities, and various other system interactions, offering a valuable resource for retrieving information even if the original source data has been deleted.

🔒 Location: C:\Windows\System32\SRU\SRUDB.dat

Category

  • SRUM Application Resource Usage (Most value)

  • SRUM Network Usage (Most value)

  • SRUM Network Connections

  • SRUM Energy Usage

  • SRUM Push Notification Data

  • SRUM Energy Usage (Long Term)

Tool

SRUMEcmd

Timeline Explorer

Jumplists

The Jump Lists feature offers users convenient access to recently opened files and commonly used tasks for specific applications. This artifact captures information on recent user activity, including accessed files, applications, browser URLs, documents, PDFs, ZIP files, system settings, and more.

  • Automatic destinations

    • C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

  • Custom destinations

    • C:\%UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Recycle Bin

The recycle bin serves as a temporary storage location for items deleted by the user.

🔒 Location: C:$Recycle.Bin{SID}$I######

$I files store metadata, including the file path, size, and deletion timestamp. Each $I file is paired with a $R file, which holds the actual content of the deleted file, as long as the item has not been permanently removed.

Tool

RBcmd

Timeline Explorer

Search Index

The Windows Search service functions as an internal dictionary, operating in the background to collect and index the system's content. The service "provides content indexing, property caching, and search results for files, e-mail, and other content".

When a user searches for a document, image, or any other file type, the query is directed to the Windows Search Index database, rather than performing a real-time search on the system.

🔒 Location : C:\%USERPROFILE%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Tool

SIDR

Timeline Explorer

Our primary focus is on the File_Report and Internet_History_Report data.

RDP Cache

When a user connects to another system via RDP, small bitmap images are stored in their RDP profile files. This allows the system to quickly fetch or retrieve these images for reuse during the session.

🔒 Location:

C:\Users\<username>\AppData\Local\Microsoft\Terminal Server Client\Cache

In RDP lateral movement investigations, RDP bitmap cache files are key evidence.

Tool

bmc-tools

RdpCacheStitcher

Thumbnail Cache

ThumbCache is a feature that stores thumbnail images of files for Windows Explorer's thumbnail view. These images, representing the contents of files, are stored in a centralized Thumbnail Cache file.

Microsoft Windows stores thumbnails for various file types, including JPEG, BMP, GIF, PNG, TIFF, AVI, PDF, PPTX, DOCX, HTML, MP4, and more.

🔒 Location: C:\Users\[Username]\AppData\Local\Microsoft\Windows\Explorer

These files are named Thumcache_xxx.db and iconcache_xxxx.db, where "xxx" represents the bits, pixel, or resolution value.

Tool

ThumbCache Viewer

MFT ($MFT)

The Master File Table (MFT) records nearly all disk activity on NTFS systems, storing metadata like file paths, extensions, timestamps, and information on deleted files. It also captures the source of downloaded files via the Zone.Identifier stream, aiding in the detection of malicious URLs and the creation of Indicators of Compromise (IOCs).

Files smaller than 1KB may be stored directly in the MFT as resident files, making content recovery possible even without the original file.

Tool

MFTExplorer

MFTECmd

USN Journal ($J)

The USN Journal provides detailed tracking of file system changes such as creation, deletion, renaming, moving, and archiving while logging each action with precise timestamps.

Tool

MFTECmd

Timeline Explorer

LNK Files

LNK files are Windows shortcut files automatically created when a user opens a file or installs software. They record when and from where a file was accessed or executed.

They can be leveraged by attackers for initial access, persistence, and defense evasion

🔒 Location: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent

Tool

LECmd

Timeline Explorer

Prefetch Files

Prefetch is a Windows feature that improves application launch times by storing data about previously executed programs. It records how many times a program was run, the timestamps of its last eight executions, and the files or objects it interacted with.

🔒 Location: C:\Windows\Prefetch

Tool

PECmd

Timeline Explorer

Windows Notification DB

Windows notifications provide real-time alerts for emails, app updates, security warnings, reminders, and more. They can reveal the notification content, the time it was received, its expiration time, and other metadata, offering valuable insight into user activity and system events.

🔒 Location: C:\Users\%USER%\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db

Tool

DB Browser for SQLite

This knowledge has been compiled from resources provided by LetsDefend.

PreviousUSB ForensicNextNote

Last updated

Was this helpful?