Digital Forensics Cheatsheet

1. Disk Forensics (KAPE Triage Image)

| Artifact | Location | Investigation Tool |
|---|---|---|
| System Registry Hive | C:\Windows\System32\config\SYSTEM | Registry Explorer |
| Software Registry Hive | C:\Windows\System32\config\SOFTWARE | Registry Explorer |
| SAM Registry Hive | C:\Windows\System32\config\SAM | Registry Explorer |
| User Registry Hive | C:\Users\<user>\NTUSER.dat | Registry Explorer |
| User Classes Registry Hive | C:\Users\<user>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat | Registry Explorer |
| Amcache Hive | C:\Windows\appcompat\Programs\Amcache.hve | Registry Explorer |
| Security Event Log | C:\Windows\winevt\Logs\Security.evtx | Event Log Explorer / Event Viewer |
| System Event Log | C:\Windows\winevt\Logs\SYSTEM.evtx | Event Log Explorer / Event Viewer |
| Application Event Log | C:\Windows\winevt\Logs\Application.evtx | Event Log Explorer / Event Viewer |
| Task Scheduler Event Log | Microsoft-Windows-TaskScheduler%4Operational.evtx | Event Log Explorer / Event Viewer |

2. System Information

| Information | Registry Location | Tool |
|---|---|---|
| Windows Version | SOFTWARE\Microsoft\Windows NT\CurrentVersion | Registry Explorer |
| Computer Name | SYSTEM\ControlSet001\Control\ComputerName\ComputerName | Registry Explorer |
| Time Zone | SYSTEM\ControlSet001\Control\TimeZoneInformation | Registry Explorer |

3. Network Information

| Information | Registry Location | Tool |
|---|---|---|
| Network Cards | SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards | Registry Explorer |
| TCP/IP Configuration | SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces | Registry Explorer |

4. User Information

| Information | Source | Tool |
|---|---|---|
| User Accounts | SAM Hive | Registry Explorer |
| Logon and Account Events | Security.evtx (Event IDs: 4624, 4625, 4634, 4647, 4672, 4720, 4726) | Event Log Explorer |

5. File Activities

| Artifact | Description | Tool |
|---|---|---|
| $MFT, $LogFile, $UsnJrnl:$J | NTFS File System Metadata | NTFS Log Tracker / Timeline Explorer |
| $I30 | Directory Index | INDXRipper |
| Security.evtx | File Access Events (Event IDs: 4656, 4660, 4663, 4658) | Event Log Explorer |
| NTUSER.dat | User Registry (Recent Files, RunMRU, TypedPaths) | Registry Explorer |
| Shellbags | Folder Access History | ShellBags Explorer |
| LNK Files | Shortcut Files | LECmd |
| JumpLists | Recent File/Application Access | JumpLists Explorer |

6. Connected Devices (USBs)

| Information | Registry Location | Tool |
|---|---|---|
| USB Devices | SYSTEM\ControlSet001\Enum\USB, SYSTEM\ControlSet001\Enum\USBSTOR | Registry Explorer |
| Portable Devices | SYSTEM\ControlSet001\Enum\SWD\WPDBUSENUM | Registry Explorer |
| Device Classes | SYSTEM\ControlSet001\Control\DeviceClasses | Registry Explorer |
| Mounted Devices | SYSTEM\MountedDevices | Registry Explorer |
| Portable Devices | SOFTWARE\Microsoft\Windows Portable Devices\Devices | Registry Explorer |
| Volume Info Cache | SOFTWARE\Microsoft\Windows Search\VolumeInfoCache | Registry Explorer |
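The USBSTOR and MountedDevices keys above are usually read together: the USBSTOR key name carries vendor, product, revision and (when the device reports one) its serial number, and MountedDevices values embed that same device path, which ties the device to a drive letter or volume GUID. The script below is an added example, not part of the original cheatsheet: it parses constructed .reg exports of both keys (sample values are made up, not from a real system) and links each USBSTOR instance to the MountedDevices entries that reference it.

```python
import re

def _reg_hex(text):
    """Encode text as a .reg 'hex:' (REG_BINARY, UTF-16LE) literal; only used to build the sample."""
    return "hex:" + ",".join(f"{b:02x}" for b in text.encode("utf-16-le"))

# Constructed sample exports in reg.exe / Registry Explorer format (not from a real system).
USBSTOR_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230911112345&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&_&0]
"""
_USB = "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C530001230911112345&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
MOUNTED_REG = (
    "Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices]\n"
    '"\\DosDevices\\C:"=hex:a0,b1,c2,d3,00,7e,00,00,00,00,00,00\n'  # fixed disk: MBR signature + offset
    '"\\DosDevices\\E:"=' + _reg_hex(_USB) + "\n"
    '"\\??\\Volume{7c1b2a44-1111-4c3d-8a1e-222222222222}"=' + _reg_hex(_USB) + "\n"
)

USBSTOR_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\USBSTOR\\"
                         r"(?P<dev>[^\\\]]+)\\(?P<inst>[^\\\]]+)\]$", re.M)
HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>[0-9a-fA-F,\\\s]+)', re.M)

def parse_usbstor(reg):
    """One record per USBSTOR instance key: vendor/product/revision from the device ID, serial from the instance ID."""
    devices = []
    for m in USBSTOR_KEY.finditer(reg):
        dev, inst = m.group("dev"), m.group("inst")
        fields = dict(p.split("_", 1) for p in dev.split("&") if "_" in p)  # Ven_/Prod_/Rev_ parts
        devices.append({"device_id": dev, "instance": inst, "vendor": fields.get("Ven"),
                        "product": fields.get("Prod"), "revision": fields.get("Rev"),
                        # '&' as the second character means Windows generated the ID: the device has no unique serial.
                        "serial": None if inst[1:2] == "&" else inst.split("&")[0]})
    return devices

def parse_mounted_devices(reg):
    """Decode each REG_BINARY value as UTF-16LE; fixed-disk entries are signature+offset and decode to junk."""
    out = {}
    for m in HEX_VALUE.finditer(reg):
        raw = re.sub(r"[\s\\,]", "", m.group("data"))  # drop commas, line-continuation backslashes, whitespace
        out[m.group("name")] = bytes.fromhex(raw).decode("utf-16-le", errors="replace")
    return out

def correlate(devices, mounted):
    """Map each USBSTOR instance to the MountedDevices names (drive letters, volume GUIDs) that point at it."""
    return {d["instance"]: sorted(n for n, v in mounted.items() if f"USBSTOR#{d['device_id']}#{d['instance']}#" in v)
            for d in devices}
```

A device whose instance ID has no serial (second device in the sample) can still be matched on the full instance string, but that string is only stable on the machine that generated it.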

7. Execution Activities

| Artifact | Description | Tool |
|---|---|---|
| Event Logs (Security.evtx, System.evtx) | Service Installation and Status (Event IDs: 4697, 7034, 7035, 7036) | Event Log Explorer |
| Run Keys | Autorun Locations in Registry | Registry Explorer |
| AppCompatCache | Application Execution History | ShimCache Parser |
| Amcache.hve | Application Execution History | Amcache Parser |

8. Memory Forensics

| Task | Plugin | Command Line |
|---|---|---|
| Identifying OS Version | imageinfo | python vol.py -f <memdump> imageinfo |
| Analyzing KDBG Signatures | kdbgscan | python vol.py -f <memdump> kdbgscan |
| Process List | pslist | python vol.py -f <memdump> --profile=<profile> -g <kdbg addr> pslist |
| Parent/Child Process Relation | pstree | python vol.py -f <memdump> --profile=<profile> -g <kdbg addr> pstree |
| Hidden Processes | psxview | python vol.py -f <memdump> --profile=<profile> -g <kdbg addr> psxview |
| Examining Process Details | psinfo | python vol.py -f <memdump> --profile=<profile> -g <kdbg addr> psinfo -o <process physical offset> |
| Process Privileges | getsids | python vol.py -f <memdump> --profile=<profile> -g <kdbg addr> getsids -o <process physical offset> |
| Network Connections | netscan | python vol.py -f <memdump> --profile=<profile> -g <kdbg addr> netscan |
| Registry Keys/Values | printkey | python vol.py -f <memdump> --profile=<profile> -g <kdbg addr> printkey -K <key_path> |