<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>4N6Post Artifacts on 4n6Post</title><link>https://4n6post.com/artifacts/</link><description>Recent content in 4N6Post Artifacts on 4n6Post</description><atom:link href="https://4n6post.com/artifacts/index.xml" rel="self" type="application/rss+xml"/><item><title>Registry - SAM</title><link>https://4n6post.com/artifacts/registrydb-sam/</link><pubDate>2025-10-14</pubDate><description>&lt;h2 id="sam-database---windows-security-account-manager"&gt;SAM Database - Windows Security Account Manager&lt;/h2&gt;
&lt;p&gt;The Security Account Manager (SAM) database is, in short, a critical component of the Windows security architecture. It stores user account information, password hashes for local accounts, group associations, and security policies for local accounts on Windows systems. When considering user accounts, the SAM database provides evidence about user accounts, authentication attempts, and insight into user activity and potential security compromises. Understanding how to properly extract, analyze, and interpret SAM data is essential for any serious Windows forensic investigation.&lt;/p&gt;</description></item><item><title>MACB Timestamp Reference</title><link>https://4n6post.com/artifacts/macb-time-updates/</link><pubDate>2024-12-16</pubDate><description>&lt;style&gt;
&lt;/style&gt;
&lt;h1 id="macb-forensic-timestamp-reference"&gt;MACB Forensic Timestamp Reference&lt;/h1&gt;
&lt;p&gt;I put together a nice little post here detailing the behavior of MACB timestamps (Modified, Accessed, Changed, Birth) across various filesystems and common file operations. This is a great reference for digital forensics practitioners conducting timeline analysis.
I focused on Windows NTFS, FAT32/exFAT, Linux ext4/XFS, and macOS APFS since these are the most common filesystems encountered in investigations for 2025.&lt;/p&gt;</description></item><item><title>MRU (Most Recently Used)</title><link>https://4n6post.com/artifacts/mru/</link><pubDate>2024-10-02</pubDate><description>&lt;p&gt;The &lt;strong&gt;MRU (Most Recently Used)&lt;/strong&gt; registry is a database in Microsoft Windows that stores information about recently opened files, URLs, and other items. This information can be used for a variety of purposes, both benign and malicious. &lt;strong&gt;This is NOT the same as runMRU.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h2 id="normal-use-case"&gt;Normal Use Case&lt;/h2&gt;
&lt;p&gt;The MRU registry is commonly used by applications to keep track of recently opened files and other items. For example, a word processor might use the MRU registry to keep a list of the last ten documents a user has worked on. This information can be useful for the user, allowing them to quickly access the documents they have been working on.&lt;/p&gt;</description></item><item><title>Amcache.hve</title><link>https://4n6post.com/artifacts/amcache.hve/</link><pubDate>2024-10-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/SHIMCache-Logo.png" alt=""&gt;&lt;/p&gt;
&lt;p&gt;Amcache.hve is a forensic artifact that can be used to uncover valuable information about a computer system, both in normal and malicious use cases. The Amcache.hve file is a hive file that is located in the Windows operating system, and it provides a wealth of information about the software and files that have been executed on the system.&lt;/p&gt;
&lt;p&gt;In normal use cases, the Amcache.hve file can be used to track software installations and updates, as well as to determine which files were recently executed on the system. This information can be useful for system administrators and other IT professionals who need to manage and maintain their computer systems.&lt;/p&gt;</description></item><item><title>ShellBags Registry</title><link>https://4n6post.com/artifacts/shellbags/</link><pubDate>2024-01-02</pubDate><description>&lt;h2 id="understanding-shellbags-in-the-windows-registry-a-deep-dive"&gt;Understanding ShellBags in the Windows Registry: A Deep Dive&lt;/h2&gt;
&lt;p&gt;As my other posts likely portray, the Windows operating system is a treasure trove of forensic evidence. Among its various artifacts, ShellBags stand out for their ability to provide a valuable timeline and insights into a user&amp;rsquo;s general activity. Whether used for legitimate investigations or malicious purposes, understanding ShellBags is crucial for anyone dealing with digital forensics and even cybersecurity defenses like EDR.&lt;/p&gt;</description></item><item><title>KAPE to SOF-ELK</title><link>https://4n6post.com/artifacts/sof-elk_uploading/</link><pubDate>2024-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/artifacts/sof-elk_uploading/images/SOF-ELK.png" alt="SOF-ELK Logo"&gt;&lt;/p&gt;
&lt;h2 id="resources-and-help"&gt;Resources and Help&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SOF-ELK from &lt;a href="https://github.com/philhagen/sof-elk/wiki/Virtual-Machine-README"&gt;GitHub&lt;/a&gt;&lt;/strong&gt; or &lt;strong&gt;&lt;a href="https://for572.com/sof-elk-vm"&gt;VM from FOR572&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Kroll - &lt;a href="https://s3.amazonaws.com/cyb-us-prd-kape/kape.zip"&gt;KAPE Direct Download&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SOF-ELK &lt;a href="https://github.com/philhagen/sof-elk/wiki/KAPE-Support"&gt;KAPE Support&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;YouTube Video Guide by &lt;a href="https://www.youtube.com/watch?v=k-Kc0VhVjZg"&gt;SystemForensics&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="sof-elk-introduction"&gt;SOF-ELK Introduction&lt;/h2&gt;
&lt;p&gt;SOF-ELK, coupled with the powerful capabilities of the KAPE (Kroll Artifact Parser and Extractor) software, forms a dynamic duo in the realm of cybersecurity and digital forensics. KAPE, developed by Eric Zimmerman, serves as a versatile and efficient tool for acquiring and processing forensic artifacts, including Master File Table (MFT) and Event Log files. By seamlessly integrating KAPE into the SOF-ELK framework, security practitioners gain a comprehensive solution for extracting, parsing, and visualizing critical data. This synergy enhances the efficiency of incident response and forensic investigations by allowing analysts to harness the rich insights embedded within MFT and Event Log artifacts. Together, SOF-ELK and KAPE create a robust environment that empowers organizations to navigate the complex landscape of security data, enabling proactive threat detection and bolstering the overall resilience of their digital infrastructure.&lt;/p&gt;</description></item><item><title>Registry- SYSTEM Select</title><link>https://4n6post.com/artifacts/registry-system-select/</link><pubDate>2024-01-01</pubDate><description>&lt;h2 id="windows-registry-system-select-key-analysis"&gt;Windows Registry SYSTEM Select Key Analysis&lt;/h2&gt;
&lt;p&gt;The Windows Registry is a hierarchical database that stores configuration information for the operating system, applications, and hardware devices. One of the key branches in the registry is SYSTEM\Select, which contains information about the system&amp;rsquo;s hardware configuration and boot options.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h2 id="the-systemselect-subkeys-and-objects-are-as-follows"&gt;The &lt;strong&gt;SYSTEM\Select&lt;/strong&gt; subkeys and objects are as follows:&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/artifacts/registry-system-select/images/Select-Reg1.PNG" alt="Select Registry"&gt;&lt;/p&gt;
&lt;p&gt;Not all objects exist if they are not referred to, set or used in older versions.&lt;/p&gt;</description></item><item><title>Registry- Start, Shutdown, and Reboot</title><link>https://4n6post.com/artifacts/registry-start-shutdown-count/</link><pubDate>2023-10-01</pubDate><description>&lt;h2 id="windows-registry-system-start-shutdown-and-reboot-tracking"&gt;Windows Registry: System Start, Shutdown, and Reboot Tracking&lt;/h2&gt;
&lt;p&gt;The Windows registry is a hierarchical database that stores configuration settings for Windows operating systems, including Windows 10, Windows 8, and Windows 7. The registry is organized into five main components, namely HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG. Each of these components contains subkeys that store configuration data, including the date and time for when a computer turns on, shuts down, and restarts.&lt;/p&gt;</description></item><item><title>ShimCache</title><link>https://4n6post.com/artifacts/shimcache/</link><pubDate>2023-10-01</pubDate><description>&lt;h2 id="shimcache---windows-application-compatibility-cache-for-digital-forensics"&gt;ShimCache - Windows Application Compatibility Cache for Digital Forensics&lt;/h2&gt;
&lt;p&gt;Shimcache is a Windows artifact that stores information about programs that &lt;strong&gt;have been executed&lt;/strong&gt; on a Windows machine. The Shimcache can be used for both benign and malicious purposes, making it a useful tool for system administrators, digital forensics analysts, and attackers.&lt;/p&gt;
&lt;p&gt;You should keep in mind that ShimCache and &lt;a href="https://4n6post.com/artifacts/AMCACHE/"&gt;AMCache&lt;/a&gt; are very similar, and depending on the version of Windows you are looking into, the AMCache might be more valuable to focus on. The ShimCache is in the registry, whereas AmCache is a file on disk. So keep this in mind if you continue reading and notice similarities or relevance to it.&lt;/p&gt;</description></item><item><title>Windows Install Date &amp; Time</title><link>https://4n6post.com/artifacts/osinstalldatetime/</link><pubDate>2023-01-15</pubDate><description>&lt;p&gt;The Windows registry is a central repository of configuration data for the Windows operating system and its applications. One important aspect of the registry is the section involving the Windows install time. This information can be used in a variety of ways, both for normal system usage and for malicious purposes.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h2 id="finding-the-installdateinstalltime-registry"&gt;Finding the InstallDate/InstallTime Registry&lt;/h2&gt;
&lt;p&gt;To find the registry section involving the Windows install time and timezone, you can navigate to the following location in the file system:&lt;/p&gt;</description></item><item><title>Ad Disabling Tailored Experience</title><link>https://4n6post.com/artifacts/addisablingtailoredexperience/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h1 id="customizing-windows-ad-disabling-and-tailored-experience"&gt;Customizing Windows: Ad Disabling and Tailored Experience&lt;/h1&gt;
&lt;p&gt;In the realm of Windows customization, users often seek ways to tailor their experience to suit personal
preferences. This blog post explores a specific aspect of this customization - the modification of registry keys
to disable ads in Windows and control tailored experiences.&lt;/p&gt;
&lt;h2 id="disabling-ads-in-windows"&gt;Disabling Ads in Windows&lt;/h2&gt;
&lt;h3 id="what-is-it-about"&gt;What is it About?&lt;/h3&gt;
&lt;p&gt;Windows often displays ads and promotes certain apps to users. However, not everyone appreciates this feature.
To gain more control over your Windows experience, you can disable specific apps&amp;rsquo; promotional activities using
Registry Keys.&lt;/p&gt;</description></item><item><title>Enable Windows BSOD Detail</title><link>https://4n6post.com/artifacts/enablingwindowsbsoddetail/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h2 id="introduction"&gt;Introduction&lt;/h2&gt;
&lt;p&gt;By default, Windows displays a simple emoticon (smiley face) when a Blue Screen of Death (BSOD) occurs. However,
if you prefer to see detailed information about the error, you can modify specific registry entries. This guide
will walk you through the process.&lt;/p&gt;
&lt;h2 id="disabling-ads-in-windows"&gt;Disabling Ads in Windows&lt;/h2&gt;
&lt;h3 id="what-is-it-about"&gt;What is it About?&lt;/h3&gt;
&lt;p&gt;Windows often displays ads and promotes certain apps to users. However, not everyone appreciates this feature.
To gain more control over your Windows experience, you can disable specific apps&amp;rsquo; promotional activities using
Registry Keys.&lt;/p&gt;</description></item><item><title>File and Folder Opening - Link Files (LNK)</title><link>https://4n6post.com/artifacts/shortcut-lnk/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/artifacts/shortcut-lnk/images/LNKFile.png" alt="LNK File Overview"&gt;&lt;/p&gt;
&lt;p&gt;Windows users are likely familiar with .lnk files, also known as LNK Link files. These files are shortcuts that point to another file or folder on the computer, allowing users to quickly access their desired content. While LNK files are a convenient feature in Windows, they can also be exploited by malicious actors. In this post, we&amp;rsquo;ll explore LNK files, their normal use cases, and how they can be exploited by cybercriminals.&lt;/p&gt;</description></item><item><title>JumpList Forensics</title><link>https://4n6post.com/artifacts/jumplist/</link><pubDate>2023-01-01</pubDate><description>&lt;h2 id="jumplist-forensics"&gt;JumpList Forensics&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/images/Windows11Explorer.png" alt="Explorer and Registry Block"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;JumpList&lt;/strong&gt; is a feature of Microsoft Windows operating systems that allows users to quickly access frequently used files, folders, and applications. This feature can be accessed by right-clicking on the taskbar icon or start menu tile of the target application. The JumpList registry holds the information that is displayed in the JumpList. This can be found multiple ways via Explorer File paths as well as within the registry itself.&lt;/p&gt;</description></item><item><title>MFT</title><link>https://4n6post.com/artifacts/mft/</link><pubDate>2023-01-01</pubDate><description>&lt;h2 id="mft-analysis---master-file-table-forensics-guide"&gt;MFT Analysis - Master File Table Forensics Guide&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/artifacts/mft/images/MFTFile.png" alt="MFT File Overview"&gt;&lt;/p&gt;
&lt;p&gt;The &lt;strong&gt;$MFT&lt;/strong&gt;, or Master File Table, plays a crucial role in the NTFS (New Technology File System) utilized by Windows operating systems. Essentially acting as a master index for all files and directories on an NTFS volume, understanding the nuances of the $MFT file is vital for various professionals, including forensic investigators, system administrators, and security experts. In this blog post, we&amp;rsquo;ll thoroughly explore the $MFT file, examining its structure, functions, and its applications in both normal and potentially malicious scenarios. Additionally, we&amp;rsquo;ll touch upon tools such as MFTECmd.exe by Eric Zimmerman and MACTIME in Linux, highlighting how these tools can be utilized in forensic analysis to parse the $MFT.&lt;/p&gt;</description></item><item><title>Prefetch</title><link>https://4n6post.com/artifacts/prefetch/</link><pubDate>2023-01-01</pubDate><description>&lt;h2 id="windows-prefetch-analysis---digital-forensics-execution-tracking"&gt;Windows Prefetch Analysis - Digital Forensics Execution Tracking&lt;/h2&gt;
&lt;p&gt;Windows Prefetch is a feature in the Windows operating system that was first introduced in Windows XP. It is a built-in tool that helps to speed up the loading of applications and other system processes by analyzing which files and libraries are most frequently used and then pre-loading them into memory. In this blog post, we will explore what Windows Prefetch is, how it works, and provide examples of both normal and malicious use cases.&lt;/p&gt;</description></item><item><title>Recycling.Bin / Recycler</title><link>https://4n6post.com/artifacts/recycling.bin-recycler/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/artifacts/recycling.bin-recycler/images/RecyclingBin.png" alt="Recycling Bin Overview"&gt;&lt;/p&gt;
&lt;p&gt;The Recycling Bin is a well-known feature in Windows operating systems that acts as a temporary storage location for deleted files. However, what many users may not know is that the Recycling Bin is also a valuable forensic artifact that can provide valuable information in both normal and malicious use cases. In this blog post, we will explore the Recycling Bin and its role as a forensic artifact, including the connection between the &amp;ldquo;$I&amp;rdquo; and &amp;ldquo;$R&amp;rdquo; values created in the &lt;strong&gt;Master File Table (MFT)&lt;/strong&gt;, the normal and malicious use cases of the Recycling Bin, and how to permanently delete files to skip the Recycling Bin, as well as how to set the Recycling Bin in the registry.&lt;/p&gt;</description></item><item><title>Registry- RunMRU</title><link>https://4n6post.com/artifacts/runmru/</link><pubDate>2023-01-01</pubDate><description>&lt;h2 id="understanding-the-runmru-registry-security-implications-and-forensic-value"&gt;Understanding the RunMRU Registry: Security Implications and Forensic Value&lt;/h2&gt;
&lt;p&gt;The RunMRU (Most Recently Used) registry is a key component of the Microsoft Windows operating system, storing information about the most recently executed applications and documents. This information is used to populate the &amp;ldquo;Recent Items&amp;rdquo; list in the Start menu, as well as for application compatibility purposes.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;p&gt;While the RunMRU registry serves a useful purpose for end users, it also presents a potential security risk if not properly managed. In this blog post, we will discuss the normal use case for the RunMRU registry, as well as several examples of malicious use of the RunMRU registry. We will also provide links to additional resources for further study, including a white paper on the RunMRU registry and a SANS poster with proof of execution.&lt;/p&gt;</description></item><item><title>Registry- UserAssist</title><link>https://4n6post.com/artifacts/userassist/</link><pubDate>2023-01-01</pubDate><description>&lt;h2 id="userassist-registry-analysis---windows-program-execution-tracking"&gt;UserAssist Registry Analysis - Windows Program Execution Tracking&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;UserAssist&lt;/strong&gt; is a feature of the Windows operating system that keeps track of the programs that are launched on a user&amp;rsquo;s profile. This information is stored in the registry, a database that contains configuration settings for the operating system and other software. In this blog post, we&amp;rsquo;ll explore what UserAssist is, its normal use cases, and how it can be abused by malicious actors.&lt;/p&gt;</description></item><item><title>SysInternals Tools Registry Forensics</title><link>https://4n6post.com/artifacts/registry-sysinternals/</link><pubDate>2023-01-01</pubDate><description>&lt;h2 id="sysinternals-tools---registry-forensics-and-analysis"&gt;SysInternals Tools - Registry Forensics and Analysis&lt;/h2&gt;
&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h2 id="what-is-sysinternals"&gt;What is SysInternals?&lt;/h2&gt;
&lt;p&gt;SysInternals is a suite of advanced system utilities for Microsoft Windows that provides deep technical insight into the operating system. These tools are designed to help IT professionals, system administrators, and software developers manage, troubleshoot, and diagnose Windows systems effectively. From process management to network monitoring, SysInternals offers a wide range of utilities that enhance system performance, security, and reliability.&lt;/p&gt;</description></item><item><title>TimeZone Information</title><link>https://4n6post.com/artifacts/timezoneinformation/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/4n6post-Analog-Clock.png" alt="Analog Clock"&gt;&lt;/p&gt;
&lt;p&gt;The Windows registry is a critical component of the Windows operating system. It stores important configuration data and settings that help the operating system function properly. One of the registry keys that play an important role in the functioning of the system is the TimeZoneInformation registry key. In this blog post, we&amp;rsquo;ll delve into the registry TimeZoneInformation, its connection with the Dynamic Link Library (DLL) it uses, and how it is used in both normal and malicious scenarios.&lt;/p&gt;</description></item><item><title>TypedPath Registry</title><link>https://4n6post.com/artifacts/typedpath/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h1 id="registry-section-of-typedpath-understanding-its-importance-in-digital-forensics"&gt;Registry Section of TypedPath: Understanding Its Importance in Digital Forensics&lt;/h1&gt;
&lt;p&gt;The registry is an important aspect of a computer&amp;rsquo;s operating system, as it stores information about the configuration, settings, and installed software. In digital forensics, the registry can provide valuable information to investigators, as it can reveal data about software execution and system changes. The registry section of &lt;strong&gt;TypedPath&lt;/strong&gt; is a digital forensics tool that can be used to extract information from the registry of a computer.&lt;/p&gt;</description></item><item><title>Windows Border Size Modification</title><link>https://4n6post.com/artifacts/windows_border_size/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h2 id="exploring-windows-border-size-modification"&gt;Exploring Windows Border Size Modification&lt;/h2&gt;
&lt;p&gt;Welcome to our exploration of a subtle yet impactful customization in the Windows operating system. Today, we&amp;rsquo;ll delve into the world of Windows Border size modification and how a few Registry Keys can unlock a realm of personalization.&lt;/p&gt;
&lt;h2 id="understanding-windows-border-customization"&gt;Understanding Windows Border Customization&lt;/h2&gt;
&lt;p&gt;Windows border size modification allows users to adjust the thickness of window borders in the Windows interface. This customization affects the visual appearance of application windows and can impact both usability and accessibility.&lt;/p&gt;</description></item><item><title>Windows Generic Installation Keys</title><link>https://4n6post.com/artifacts/windowsgenericinstallationkeys/</link><pubDate>2023-01-01</pubDate><description>&lt;h4 id="source"&gt;SOURCE:&lt;/h4&gt;
&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.windowsafg.com/keys.html"&gt;https://www.windowsafg.com/keys.html&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;This is just a copy of the data from the source windowsafg. I make a copy so that others can find it.&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="generic-installation-keys"&gt;Generic Installation Keys&lt;/h2&gt;
&lt;p&gt;All of the examples provided are installation keys only; they will not activate your installed version of Windows. They are the default keys that are inserted if you choose to skip entering a Product Key during the installation process.&lt;/p&gt;
&lt;p&gt;The product keys listed in this section can be used with any of the answer files and scripted examples. They are blocked at the Microsoft clearinghouse and therefore cannot be used to activate any systems. They provide a number of days for you to complete the activation process. The keys supplied are not architecture dependent.&lt;/p&gt;</description></item><item><title>Windows USB Connection Analysis</title><link>https://4n6post.com/artifacts/windows-usb-connection/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;USB connections&lt;/strong&gt; are a commonly used method for transferring data between computers and other electronic devices. In Windows, the use of USB connections can affect the registry in several ways, including the &lt;strong&gt;USB&lt;/strong&gt;, &lt;strong&gt;USBSTOR&lt;/strong&gt; and &lt;strong&gt;MountPoints&lt;/strong&gt; keys. In this post, we&amp;rsquo;ll explore the connection between USB MountPoints and the setupapi.dev.log, and provide examples of both normal and malicious use cases.&lt;/p&gt;
&lt;h2 id="usb-forensics-overview"&gt;USB Forensics Overview&lt;/h2&gt;
&lt;p&gt;USB device forensics involves analyzing multiple Windows artifacts to track USB device usage, including:&lt;/p&gt;</description></item><item><title>WMI Filter Query Consumer</title><link>https://4n6post.com/artifacts/wmi-filter-query-consumer/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/WMI-Logo.png" alt="WMI Logo"&gt;&lt;/p&gt;
&lt;p&gt;Windows Management Instrumentation (WMI) is a Microsoft technology that provides a unified way of managing Windows operating systems and applications. WMI is a management infrastructure that is built into Windows operating systems, and it provides a standardized interface for accessing system management information. WMI is used by system administrators to gather information about the state of their systems, to automate system management tasks, and to perform remote administration. In this blog post, we will take a closer look at what WMI is, how it works, and some examples of its normal and malicious use cases.&lt;/p&gt;</description></item><item><title>WordWheelQuery</title><link>https://4n6post.com/artifacts/wordwheelquery/</link><pubDate>2023-01-01</pubDate><description>&lt;p&gt;&lt;img src="https://4n6post.com/images/featured/artifacts/RegistryBlock.png" alt="Registry Block"&gt;&lt;/p&gt;
&lt;h2 id="the-registry-section-of-wordwheelquery-an-overview-for-digital-forensic-investigators"&gt;The Registry Section of WordWheelQuery: An Overview for Digital Forensic Investigators&lt;/h2&gt;
&lt;p&gt;The WordWheelQuery registry section is a critical component for digital forensic investigations, as it contains information about the user&amp;rsquo;s search queries made using the Windows operating system. In this blog post, we&amp;rsquo;ll take a closer look at what exactly can be found in the WordWheelQuery registry section and its significance for both normal and malicious use cases.&lt;/p&gt;</description></item></channel></rss>