Update forensic-artifacts-applications.md

Baniur · May 1, 2024 · 09a6f30 · 09a6f30
1 parent 3dd63ac
commit 09a6f30
Showing 1 changed file with 37 additions and 1 deletion.
diff --git a/Forensic-artifacts/forensic-artifacts-applications.md b/Forensic-artifacts/forensic-artifacts-applications.md
@@ -5,16 +5,22 @@
 <li>Google Chrome</li>
 <li>Microsoft Edge (Chromium)</li>
 <li>Mozilla Firefox</li>
-<li><a href="#notepad-plus-plus">Notepad++</a></li>  
+<li><a href="#notepad-plus-plus">Notepad++</a></li>
+<li><a href="#remote-desktop">Remote Desktop</a></li>
 <li><a href="#stickynotes">Sticky Notes</a></li>
 <li><a href="#sublime-text">Sublime Text</a></li>
 <li><a href="#teamviewer">TeamViewer</a></li>
 <li><a href="#microsoft-windows-10-11-notifications">Microsoft Windows 10/11 Notifications</a></li>
+<li><a href="#microsoft-windows-defender">Microsoft (Windows) Defender</a></li>
 </ul>
 
 <h2 id="anydesk">AnyDesk</h2>
 
+<ul>
 <li>%systemdrive%\Users\USER\AppData\Roaming\AnyDesk\ad.trace</li>
+</ul>
+
+How to open: <strong>text editor</strong>
 
 <h2 id="notepad-plus-plus">Notepad++</h2>
 
@@ -23,6 +29,17 @@
 <li>%systemdrive%\Users\USER\AppData\Roaming\Notepad++\backup</li>
 </ul>
 
+How to open: <strong>text editor</strong>
+
+<h2 id="remote-desktop">Remote Desktop</h2>
+
+<ul>
+<li>%systemdrive%\Users\USER\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache*.bmc</li>
+<li>%systemdrive%\Users\USER\AppData\Local\Microsoft\Terminal Server Client\Cache\cache????.bin</li>
+</ul>
+
+How to open: <strong>bmc-tools</strong> and <strong>RdpCacheStitcher</strong>
+
 <h2 id="stickynotes">Sticky Notes</h2>
 
 <ul>
@@ -35,6 +52,8 @@
 <li>%systemdrive%\Users\USER\AppData\Roaming\Sublime Text 3\Local\Session.sublime_session</li>
 </ul>
 
+How to open: <strong>text editor</strong>
+
 <h2 id="teamviewer">TeamViewer</h2>
 
 <ul>
@@ -45,8 +64,25 @@
 <li>%systemdrive%\Program Files (x86)\TeamViewer\TeamViewerXX_Logfile.log (XX - version)</li>
 </ul>
 
+How to open: <strong>text editor</strong>
+
 <h2 id="microsoft-windows-10-11-notifications">Microsoft Windows 10/11 Notifications</h2>
 
 <ul>
 <li>%systemdrive%\Users\USER\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db</li>
 </ul>
+
+How to open: <strong>DB Browser for SQLite</strong>, <strong>SQLiteStudio</strong>
+
+<h2 id="microsoft-windows-defender">Microsoft (Windows) Defender</h2>
+
+If the attacker was able to clear *Microsoft Windows Defender* <strong>event logs</strong> then files listed below could still help you:
+
+<ul>
+<li>%systemdrive%\ProgramData\Microsoft\Windows Defender\Support\MPDetection-*.log</li>
+<li>%systemdrive%\ProgramData\Microsoft\Windows Defender\Support\MPDeviceControl-*.log</li>
+<li>%systemdrive%\ProgramData\Microsoft\Windows Defender\Support\MLog-*.log</li>
+<li>%systemdrive%\ProgramData\Microsoft\Windows Defender\Support\MpScanSkip-*.log</li>
+</ul>
+
+How to open: <strong>text editor</strong>