diff --git a/README.md b/README.md index da070ac..6ad35c0 100644 --- a/README.md +++ b/README.md 
@@ -2,39 +2,55 @@ > Advanced Windows Registry forensics reference and search engine -RegSeek is a comprehensive reference tool for Windows Registry forensics artifacts. It provides detailed information about registry locations that are valuable for digital forensics investigations, incident response, and malware analysis. - -# Features - -- Extensive collection of Windows Registry forensics artifacts -- Multi-criteria search with filters for category, criticality, investigation type, and more -- Filter by Windows version, registry hive, criticality level, and analysis tools -- Each artifact includes forensic value, data structure, examples, and analysis tools -- Artifacts tagged by investigation scenarios (malware analysis, data exfiltration, etc.) - -# Categories - -- **Execution**: Program execution tracking and artifacts -- **Network**: Network connections, shares, and communication -- **Persistence**: Autostart locations and persistence mechanisms -- **User Activity**: User behavior and document access patterns -- **System**: System configuration and installed software -- **USB/Storage**: USB device history and storage artifacts -- **Security**: Security settings and access controls -- **Browser**: Web browser artifacts and configurations -- **Malware**: Malware-specific registry artifacts -- **Communication**: Messaging and communication applications - -# Advanced Search - -- **Category**: Filter by artifact category -- **Criticality**: High/Medium/Low priority filtering -- **Investigation Type**: Filter by investigation scenario -- **Windows Version**: Version-specific artifacts -- **Registry Hive**: HKLM, HKCU, HKCR, etc. -- **Analysis Tools**: Artifacts with or without tools - -# Quick Start +## What is RegSeek? + +RegSeek is a comprehensive reference tool for Windows Registry forensics artifacts. 
It provides detailed information about registry locations that are valuable for digital forensics investigations, incident response, and malware analysis including: + +- **Forensic limitations** and what artifacts **cannot prove** +- **Correlation requirements** for definitive conclusions +- **Analysis tools** and investigation techniques +- **Real-world examples** and data structures +- **Windows version compatibility** + +## Artifact Categories + +| Category | Count | Key Use Cases | +|----------|-------|---------------| +| **Program Execution** | 15+ | Application usage, malware execution tracking | +| **Browser Activity** | 8+ | Web browsing history, security zone configurations | +| **User Behavior** | 20+ | Application usage patterns, cloud storage sync | +| **File Operations** | 12+ | Recent documents, file associations, jump lists | +| **External Storage** | 5+ | USB device history, removable media tracking | +| **Persistence Methods** | 10+ | Autostart locations, service configurations | +| **System Modifications** | 15+ | Windows settings, security configurations | +| **Network Infrastructure** | 12+ | Network connections, DNS configurations | +| **Remote Access** | 8+ | RDP settings, VPN configurations | +| **Security Monitoring** | 10+ | Windows Defender, audit configurations | +| **Communication Apps** | 7+ | Teams, Discord, email client settings | +| **Virtualization** | 6+ | VMware, VirtualBox, container settings | +| **Authentication** | 4+ | Credential providers, account information | + +## Key Features + +### **Advanced Search & Filtering** +- Full-text search across artifact titles, descriptions, and registry paths +- Filter by category, criticality level, Windows version, and registry hive +- Investigation type filtering (incident response, malware analysis, etc.) 
+ +### **Forensic Intelligence** +- **Limitations warnings**: What each artifact CANNOT prove +- **Correlation requirements**: Additional artifacts needed for conclusions +- **Criticality levels**: High/Medium/Low priority classifications +- **Tool recommendations**: Specific analysis tools for each artifact + +### **Investigation-Focused** +- Organized by forensic investigation types +- Real-world examples and data structures +- Windows version compatibility information +- Direct links to analysis tools and references + + +## Quick Start ### Using the Web Interface @@ -74,10 +90,17 @@ Visit the deployed site: [https://regseek.github.io/](https://regseek.github.io/ start site/index.html # Windows ``` -# Contributing +## Contributing + +We welcome contributions from the digital forensics community! See our [Contributing Guidelines](CONTRIBUTING.md) for details on: + +- Adding new registry artifacts +- Improving existing documentation +- Suggesting new features or categories +- Reporting bugs or inaccuracies -We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details. +## License -# License +This project is licensed under GPL-3.0 license - see [LICENSE](LICENSE) file for details. -GPL-3.0 license - see [LICENSE](LICENSE) file for details. +*RegSeek is a comprehensive Windows Registry forensics reference tool designed to assist digital forensics professionals, incident response teams, and cybersecurity analysts in their investigations.* diff --git a/artifacts/_template.yml b/artifacts/_template.yml index 4e314c5..5094d20 100644 --- a/artifacts/_template.yml +++ b/artifacts/_template.yml 
@@ -2,7 +2,10 @@ # File naming: use_lowercase_with_underscore.yml title: "Artifact Display Name" -category: "execution|network|usb|user-activity|persistence|system|security|cloud|browser|malware|mobile|virtualization|communication" +category: "program-execution|browser-activity|file-operations|user-behavior|external-storage|persistence-methods|system-modifications|network-infrastructure|remote-access|security-monitoring|communication-apps|virtualization|authentication + +# Top 8 categories appear in quick filters: program-execution, browser-activity, file-operations, user-behavior, persistence-methods, system-modifications, network-infrastructure, security-monitoring +# All 13 categories available in advanced search description: "Brief description of what this artifact reveals (focus on forensic value)" @@ -38,6 +41,21 @@ details: - name: "Another Tool" description: "Alternative analysis method" +# CRITICAL: Anti-checklist methodology sections +limitations: + - "Specific things this artifact cannot determine" + - "Common false positives or misinterpretations" + - "What this artifact does NOT prove" + +correlation: + required_for_definitive_conclusions: + - "List other artifacts needed to prove what people assume this one proves" + - "Required evidence for court presentation" + + strengthens_evidence: + - "Artifacts that support but don't prove the same conclusions" + - "Supporting evidence that adds context" + metadata: windows_versions: - "Windows 10" 
@@ -53,13 +71,25 @@ metadata: criticality: "high|medium|low" - # Investigation types where this is particularly useful + # Investigation types where this is particularly useful (choose multiple from 14 types) investigation_types: - - "malware-analysis" - - "data-exfiltration" - - "insider-threat" - - "incident-response" - - "timeline-analysis" + # Investigation Phases (how you're investigating): + - "incident-response" # Emergency response situations + - "malware-analysis" # Analyzing malicious software + - "timeline-analysis" # Reconstructing sequence of events + - "behavioral-analysis" # Understanding user/system behavior + - "insider-threat" # Internal threat investigations + + # Attack Techniques (what the attacker did): + - "initial-access" # How attackers got in + - "program-execution" # What programs were run + - "persistence-analysis" # How threats maintain presence + - "privilege-escalation" # Elevation of privileges + - "credential-theft" # Credential harvesting/dumping + - "lateral-movement" # Movement across network + - "remote-access" # Remote access tools/methods + - "data-exfiltration" # Data theft and staging + - "anti-forensics" # Evidence destruction/hiding tags: - "specific-keyword" diff --git a/artifacts/security/credential_providers.yml b/artifacts/authentication/credential_providers.yml similarity index 68% rename from artifacts/security/credential_providers.yml rename to artifacts/authentication/credential_providers.yml index 7aecc3c..747fac0 100644 --- a/artifacts/security/credential_providers.yml +++ b/artifacts/authentication/credential_providers.yml @@ -1,5 +1,5 @@ title: "Credential Providers and Authentication Extensions" -category: "security" +category: "authentication" description: "Windows credential provider registration, custom authentication modules, and logon extension configuration" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Credential Providers extend Windows authentication infrastructure with custom logon methods, - smart card integration, biometric authentication, multi-factor authentication, and enterprise - single sign-on solutions. Registry manages provider registration, authentication filters, - Pre-Logon Access Provider (PLAP) configuration, and credential enumeration settings for - comprehensive authentication ecosystem management and security enhancement. + Credential Providers extend Windows authentication infrastructure with custom logon methods, + smart card integration, biometric authentication, multi-factor authentication, and enterprise + single sign-on solutions. Registry manages provider registration and authentication filters. forensic_value: | - Critical for detecting unauthorized authentication modifications, malicious credential - harvesting tools, and sophisticated attack techniques targeting authentication infrastructure. - Shows evidence of credential provider abuse for password interception, authentication bypass - attempts, and unauthorized access to authentication systems. Essential for analyzing advanced - persistent threats that target authentication mechanisms and credential theft operations. + Critical for detecting unauthorized authentication modifications, malicious credential harvesting + tools, and sophisticated attack techniques targeting authentication infrastructure. Shows evidence + of credential provider abuse for password interception and authentication bypass attempts. structure: | - Credential Providers registry contains CLSID-based entries referencing COM objects that - implement authentication interfaces. Each provider includes DLL paths, capability flags, - trust levels, and configuration parameters. Provider Filters control authentication flow, - while PLAP Providers manage pre-logon network connectivity for domain authentication scenarios. 
+ Credential Providers registry contains CLSID-based entries referencing COM objects that implement + authentication interfaces. Each provider includes DLL paths, capability flags, trust levels, and + configuration parameters. Provider Filters control authentication flow. examples: - "Credential Providers\\\\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}: Password Credential Provider" @@ -53,6 +48,28 @@ details: - name: "Authentication Provider Scanner" description: "Specialized tools for credential provider security assessment" +limitations: + - "Credential provider registration does NOT prove malicious credential harvesting occurred" + - "Provider installation may be legitimate enterprise authentication enhancement" + - "Custom providers don't indicate successful password interception" + - "Authentication filter modifications may be for legitimate security improvements" + - "Provider capability flags don't prove actual authentication usage" + - "DLL registration doesn't indicate active credential collection" + +correlation: + required_for_definitive_credential_theft_proof: + - "Event logs showing successful authentications using custom providers" + - "Network traffic logs showing credential transmission from compromised system" + - "File system artifacts showing harvested credentials stored on disk" + - "Process execution logs showing malicious provider DLL loading" + - "Memory dumps containing harvested credentials from provider processes" + + strengthens_evidence: + - "Registry changes showing provider installation during suspicious timeframes" + - "File modifications in provider DLL locations with malware signatures" + - "Authentication attempts correlating with custom provider usage" + - "Network connections from processes using custom authentication providers" + metadata: windows_versions: - "Windows Vista" @@ -68,7 +85,6 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - criticality: "high" investigation_types: 
@@ -77,6 +93,7 @@ metadata: - "malware-analysis" - "incident-response" - "behavioral-analysis" + - "credential-theft" tags: - "authentication" @@ -122,5 +139,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/security/sam_security.yml b/artifacts/authentication/sam_database.yml similarity index 66% rename from artifacts/security/sam_security.yml rename to artifacts/authentication/sam_database.yml index ac35f92..8f4d05f 100644 --- a/artifacts/security/sam_security.yml +++ b/artifacts/authentication/sam_database.yml @@ -1,5 +1,5 @@ title: "SAM Database User Account Information" -category: "security" +category: "authentication" description: "Local user account data including password hashes, logon statistics, and account security metadata" paths: 
@@ -9,24 +9,19 @@ paths: details: what: | - Security Account Manager (SAM) database stores comprehensive local user account information - including usernames, NTLM password hashes, account policies, logon counts, last logon times, - password change dates, account lockout information, group memberships, and security metadata. - Manages local authentication credentials, account restrictions, and user privilege assignments - for complete local user account security and authentication management. + Security Account Manager (SAM) database stores comprehensive local user account information + including usernames, NTLM password hashes, account policies, logon counts, last logon times, + password change dates, and account lockout information for local authentication management. forensic_value: | - Critical for identifying unauthorized accounts, password attack evidence, account creation - timelines, and authentication patterns during security incidents. Password hashes enable - offline password cracking for credential recovery, privilege escalation analysis, and - unauthorized access investigations. Essential for insider threat investigations, privilege - escalation analysis, and determining account compromise through authentication anomalies. + Critical for identifying unauthorized accounts, password attack evidence, account creation + timelines, and authentication patterns during security incidents. Password hashes enable + offline password cracking for credential recovery and privilege escalation analysis. structure: | - User accounts organized by Relative Identifier (RID) starting from 500 for built-in accounts. - Binary data structures contain NTLM password hashes, account creation timestamps, last logon - times, logon counts, bad password attempts, account flags, and security descriptors. - Names subkey provides RID-to-username mappings for account identification and correlation. 
+ User accounts organized by Relative Identifier (RID) starting from 500 for built-in accounts. + Binary data structures contain NTLM password hashes, account creation timestamps, last logon + times, logon counts, bad password attempts, and account flags. examples: - "RID 500: Built-in Administrator account (Default system administrator)" @@ -53,6 +48,29 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "SAM data does NOT prove successful password cracking occurred" + - "Account creation timestamps don't prove unauthorized account usage" + - "Password hashes may be strong and resistant to cracking attempts" + - "Logon statistics don't indicate the nature or authorization of access" + - "Account metadata doesn't prove actual compromise or malicious activity" + - "Bad password counts may reflect legitimate forgotten password attempts" + + +correlation: + required_for_definitive_compromise_proof: + - "Event logs showing successful logons using compromised accounts" + - "Network traffic logs showing lateral movement using cracked credentials" + - "Process execution logs showing unauthorized commands executed by compromised accounts" + - "File system artifacts showing unauthorized access using compromised credentials" + - "Application logs showing successful authentication using extracted passwords" + + strengthens_evidence: + - "Registry changes showing account modifications during suspicious periods" + - "Event logs showing failed authentication attempts before successful compromise" + - "File modifications in user profile directories during account compromise windows" + - "Network connections from compromised account sessions" + metadata: windows_versions: - "Windows NT" @@ -73,7 +91,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: 
@@ -81,6 +98,7 @@ metadata: - "incident-response" - "timeline-analysis" - "privilege-escalation" + - "credential-theft" tags: - "security" @@ -120,5 +138,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/user_profiles.yml b/artifacts/authentication/user_account_profiles.yml similarity index 56% rename from artifacts/system/user_profiles.yml rename to artifacts/authentication/user_account_profiles.yml index 89b5f28..0da406a 100644 --- a/artifacts/system/user_profiles.yml +++ b/artifacts/authentication/user_account_profiles.yml @@ -1,6 +1,6 @@ title: "User Accounts and Profile Information" -category: "system" -description: "Complete user account registry data including SIDs, profile paths, account creation timestamps, and user metadata" +category: "authentication" +description: "User account registry data including SIDs, profile paths, account creation timestamps, and user metadata" paths: - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows stores comprehensive user account information including Security Identifiers (SIDs), - profile directory paths, account creation timestamps, last logon times, account properties, - profile states, and user metadata for all local and domain users who have logged onto the system. - Maintains both active and historical account data for complete user access tracking. + Windows stores user account information including Security Identifiers (SIDs), profile + directory paths, account creation timestamps, last logon times, and account properties. + Maintains both active and historical account data for local and domain users. forensic_value: | - Essential for multi-user system analysis, identifying all accounts that accessed the system, - establishing user access timelines, detecting unauthorized account creation, and correlating - user activities with specific accounts. Critical for insider threat investigations, privilege - escalation analysis, and determining user presence during incident timeframes. Provides - foundational data for linking forensic artifacts to specific user accounts. + Essential for multi-user system analysis and identifying all accounts that accessed + the system. Critical for insider threat investigations, privilege escalation analysis, + and linking forensic artifacts to specific user accounts. structure: | - ProfileList contains user SIDs as subkeys with ProfileImagePath (profile location), State - (profile status), RefCount (usage count), and Flags (profile properties). SAM database - stores account data including creation times, last logon times, login counts, password - change dates, and account flags. Names subkey provides SID-to-username mappings for - account identification and correlation. + ProfileList contains user SIDs as subkeys with ProfileImagePath, State, RefCount, and + Flags. SAM database stores account creation times, last logon times, login counts, and + account flags. 
Names subkey provides SID-to-username mappings. examples: - "S-1-5-21-1234567890-1234567890-1234567890-1001\\ProfileImagePath: C:\\Users\\Administrator" 
@@ -38,27 +33,45 @@ details: - "Account Created: 2024-01-15 08:00:00 UTC" - "Last Logon: 2024-01-20 14:30:25 UTC" - "Login Count: 157 (total successful logons)" - - "Names\\Administrator: S-1-5-21-xxx-500 (Built-in Administrator SID)" + - "Names\\Administrator: S-1-5-21-xxx-500" tools: - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" - - name: "User Account Control Panel" - description: "Built-in Windows user account management interface" - - name: "SAM Parser" - description: "Specialized tools for analyzing Security Account Manager database" - - name: "ProfileList Parser" - description: "Tools for analyzing user profile registry data" - name: "PsGetSid" url: "https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid" description: "Utility for translating between account names and SIDs" + - name: "SAM Parser" + description: "Specialized tools for analyzing Security Account Manager database" - name: "whoami /all" description: "Built-in command for current user account information" +limitations: + - "Account creation timestamp does NOT prove when account was first used" + - "Last logon time may not reflect actual user activity" + - "Profile path existence doesn't prove user logged in successfully" + - "Login count shows authentication attempts, not successful sessions" + - "Domain accounts may have limited local registry presence" + - "Account metadata doesn't prove user performed specific actions" + - "Profile loading doesn't indicate actual user interaction" + +correlation: + required_for_definitive_user_activity_proof: + - "Security event logs showing actual user logon/logoff events" + - "User-specific registry hive (NTUSER.DAT) with user activity artifacts" + - "Process execution logs showing programs run under specific user context" + - "File system artifacts showing user-created or modified files" + + strengthens_evidence: + - "UserAssist entries showing 
user-initiated program execution" + - "Recent documents and MRU lists under user profiles" + - "Application usage artifacts specific to user accounts" + - "Network authentication logs confirming user access patterns" + metadata: windows_versions: - - "Windows NT" + - "Windows NT 3.1" - "Windows 2000" - "Windows XP" - "Windows Vista" @@ -76,7 +89,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: @@ -84,7 +96,7 @@ metadata: - "privilege-escalation" - "timeline-analysis" - "lateral-movement" - - "persistence-analysis" + - "behavioral-analysis" tags: - "user-accounts" @@ -97,7 +109,7 @@ metadata: - "profile-paths" references: - - title: "Microsoft Documentation: User Profiles" + - title: "User Profiles" url: "https://docs.microsoft.com/en-us/windows/win32/shell/user-profiles" type: "official" - title: "Windows User Account Forensics" @@ -113,17 +125,16 @@ metadata: volatility: "Profile states update with user sessions, account data generally stable" related_artifacts: - - "sam_security" - - "version_info" - - "computer_name" - "security_policy" + - "logon_events" + - "userassist" + - "recent_docs" author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" + name: "RegSeek Migration" + github: "regseek" contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + date_added: "2025-06-13" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/security/windows_hello.yml b/artifacts/authentication/windows_hello.yml similarity index 64% rename from artifacts/security/windows_hello.yml rename to artifacts/authentication/windows_hello.yml index 9699a50..a9796a4 100644 --- a/artifacts/security/windows_hello.yml +++ b/artifacts/authentication/windows_hello.yml 
@@ -1,5 +1,5 @@ title: "Windows Hello Biometric Authentication" -category: "security" +category: "authentication" description: "Windows Hello configuration, biometric enrollment, PIN settings, and passwordless authentication policies" paths: 
@@ -12,27 +12,21 @@ paths: - "HKLM\\SOFTWARE\\Policies\\Microsoft\\PassportForWork" - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WbioSrvc" - details: what: | - Windows Hello biometric authentication system encompasses fingerprint reader configuration, - facial recognition settings, iris scanning support, PIN complexity requirements, and - enterprise policy enforcement. Controls biometric enrollment processes, authentication - methods, device trust requirements, and passwordless authentication capabilities - for enhanced security and user convenience in modern Windows environments. + Windows Hello biometric authentication system encompasses fingerprint reader configuration, + facial recognition settings, iris scanning support, PIN complexity requirements, and enterprise + policy enforcement. Controls biometric enrollment processes and passwordless authentication capabilities. forensic_value: | - Critical for understanding authentication mechanisms that may affect system access, - reveals biometric enrollment indicating user presence and device usage patterns, - shows enterprise authentication policies, and indicates sophisticated security - configurations. May reveal attempts to bypass biometric authentication or - unauthorized enrollment attempts that could indicate unauthorized physical access. + Critical for understanding authentication mechanisms that may affect system access, reveals + biometric enrollment indicating user presence and device usage patterns, and shows enterprise + authentication policies. May reveal attempts to bypass biometric authentication. structure: | - WinBio configuration includes biometric service settings, enrolled user information, - sensor configuration, and policy enforcement. PassportForWork contains PIN policies, - biometric requirements, and enterprise authentication settings. DeviceLock manages - screen lock behavior, authentication timeouts, and security requirements. 
+ WinBio configuration includes biometric service settings, enrolled user information, sensor + configuration, and policy enforcement. PassportForWork contains PIN policies, biometric + requirements, and enterprise authentication settings. DeviceLock manages screen lock behavior. examples: - "WinBio\\DatabaseConnections: Biometric database configuration" @@ -57,6 +51,28 @@ details: - name: "Biometric Device Manager" description: "Hardware management for biometric sensors and readers" +limitations: + - "Biometric enrollment does NOT prove successful authentication occurred" + - "Hello configuration doesn't indicate actual biometric usage for system access" + - "PIN policy settings don't prove weak PIN credentials are in use" + - "Biometric hardware configuration doesn't indicate authentication bypass attempts" + - "Enrollment records may be from initial setup without indicating ongoing usage" + - "Authentication configuration may be enterprise-mandated rather than user-selected" + +correlation: + required_for_definitive_usage_proof: + - "Event logs showing successful biometric authentication events" + - "Authentication logs confirming Windows Hello logon sessions" + - "Process execution logs showing applications launched after biometric authentication" + - "Registry changes showing biometric service activation during authentication periods" + - "File system access logs showing user activity following biometric authentication" + + strengthens_evidence: + - "Event logs showing multiple biometric authentication attempts" + - "Registry changes in user profile during biometric enrollment periods" + - "File modifications in biometric database during enrollment or authentication" + - "Network activity following successful biometric authentication sessions" + metadata: windows_versions: - "Windows 10" 
@@ -66,13 +82,13 @@ metadata: - "Windows Server 2022" introduced: "Windows 10" - criticality: "medium" investigation_types: - "incident-response" - "behavioral-analysis" - "insider-threat" + - "timeline-analysis" tags: - "security" @@ -113,5 +129,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/browser/activex_controls.yml b/artifacts/browser-activity/activex_controls.yml similarity index 52% rename from artifacts/browser/activex_controls.yml rename to artifacts/browser-activity/activex_controls.yml index 947729c..8f85a6d 100644 --- a/artifacts/browser/activex_controls.yml +++ b/artifacts/browser-activity/activex_controls.yml @@ -1,6 +1,6 @@ title: "ActiveX Controls and Compatibility Settings" -category: "browser" -description: "Internet Explorer ActiveX control registration, kill bits, compatibility flags, and security settings" +category: "browser-activity" +description: "Internet Explorer ActiveX control registration, kill bits, and security settings" paths: - "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility" 
@@ -10,45 +10,54 @@ paths: details: what: | - ActiveX controls are Component Object Model (COM) objects that provide interactive functionality - in Internet Explorer and other applications. Registry manages control registration, security - settings, kill bits for blocking dangerous controls, compatibility flags, and distribution - unit management. Controls ActiveX behavior, installation permissions, security zones, and - browser integration for enhanced web functionality with comprehensive security management. + ActiveX controls are Component Object Model (COM) objects that provide interactive functionality in Internet Explorer. + Registry manages control registration, security settings, kill bits for blocking dangerous + controls, and compatibility flags. forensic_value: | - Critical for investigating browser-based attacks, malicious ActiveX control installation, - and web-based malware delivery. Shows evidence of dangerous ActiveX controls that were - installed or blocked, reveals attempts to exploit ActiveX vulnerabilities, and indicates - security policy modifications that weaken browser defenses. Essential for analyzing - drive-by downloads, browser exploits, and ActiveX-based persistence mechanisms. + Critical for investigating browser-based attacks and malicious ActiveX installations. + Shows evidence of dangerous controls, exploitation attempts, and security policy + modifications that weaken browser defenses. structure: | - ActiveX Compatibility contains CLSID entries with Compatibility Flags controlling behavior, - kill bits preventing execution of dangerous controls, and version-specific settings. - Distribution Units track downloaded controls with authentication information. Kill bits - stored as REG_DWORD values prevent specific controls from running for security protection. + ActiveX Compatibility contains CLSID entries with Compatibility Flags and kill bits. + Distribution Units track downloaded controls. 
Kill bits are REG_DWORD values that + prevent specific controls from running. examples: - - "ActiveX Compatibility\\{CLSID}\\Compatibility Flags: 0x00000400 (Kill bit set - control blocked)" - - "ActiveX Compatibility\\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\\Compatibility Flags: 0x00000000 (Windows Media Player control allowed)" - - "Distribution Units\\{D27CDB6E-AE6D-11cf-96B8-444553540000}: Adobe Flash Player control" - - "CLSID\\{CLSID}\\InprocServer32: C:\\malware\\malicious_control.dll (Suspicious ActiveX control)" + - "ActiveX Compatibility\\{CLSID}\\Compatibility Flags: 0x00000400 (Kill bit - blocked)" + - "ActiveX Compatibility\\{6BF52A52-394A-11d3-B153-00C04F79FAA6}: Windows Media Player" + - "Distribution Units\\{D27CDB6E-AE6D-11cf-96B8-444553540000}: Adobe Flash Player" + - "CLSID\\{CLSID}\\InprocServer32: C:\\malware\\malicious_control.dll" - "Kill Bit: Compatibility Flags: 0x00000400 (ActiveX control disabled for security)" - - "CodeBase: http://malicious-site.com/exploit.cab (Dangerous download location)" + - "CodeBase: http://malicious-site.com/exploit.cab" tools: - name: "Internet Options (inetcpl.cpl)" - description: "Built-in Internet Explorer security and ActiveX control configuration" + description: "Built-in IE security and ActiveX configuration" - name: "OLE/COM Object Viewer (oleview.exe)" description: "Microsoft tool for viewing registered COM/ActiveX objects" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "ActiveX Control Scanner" - description: "Third-party tools for identifying and analyzing ActiveX controls" - - name: "Internet Explorer Administration Kit" - description: "Microsoft toolkit for enterprise IE and ActiveX management" + description: "Advanced registry analysis tool" + +limitations: + - "Registry shows registered controls only, not actual execution or exploitation" + - "Kill bits show administrative blocking, not attempted 
attacks" + - "Legitimate software may register ActiveX controls for valid purposes" + - "Controls can be registered but never used by applications" + +correlation: + required_for_definitive_conclusions: + - "Process execution logs showing control loading" + - "Network traffic showing malicious downloads or communication" + - "Browser crash dumps or exploitation evidence" + - "File system artifacts showing malicious control files" + + strengthens_evidence: + - "Timeline analysis of when controls were registered" + - "Browser security zone configurations" + - "Other browser exploitation artifacts" metadata: windows_versions: @@ -65,14 +74,13 @@ metadata: - "Windows 11" introduced: "Internet Explorer 3.0" - criticality: "high" investigation_types: - "malware-analysis" - "incident-response" - - "behavioral-analysis" - - "lateral-movement" + - "initial-access" + - "privilege-escalation" tags: - "activex" @@ -80,9 +88,7 @@ metadata: - "malware-delivery" - "kill-bits" - "browser-exploits" - - "web-security" - "drive-by-downloads" - - "com-objects" references: - title: "Microsoft Documentation: ActiveX Controls" @@ -94,21 +100,16 @@ metadata: - title: "MITRE ATT&CK: Exploitation for Client Execution" url: "https://attack.mitre.org/techniques/T1203/" type: "research" - - title: "ActiveX Security Analysis" - url: "https://www.sans.org/white-papers/33439/" - type: "research" retention: default_location: "Registry hive files (SOFTWARE, CLASSES)" - persistence: "ActiveX settings persist until manually changed or security updates" - volatility: "Control registrations and kill bits affect ongoing browser security posture" + persistence: "ActiveX settings persist until manually changed or updated" + volatility: "Control registrations affect ongoing browser security" related_artifacts: - - "browser_security" + - "browser_helper_objects" - "com_objects" - "internet_settings" - - "security_zones" - - "malware_persistence" author: name: "Tonmoy Jitu" 
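Review bot: The @@ -65,14 +74,13 @@ hunk deletes `- criticality: "high"` with no replacement, so the ActiveX artifact loses its criticality field while the new files in this change (browser_helper_objects.yml, chrome_browser.yml) still carry `criticality: "high"`; re-add it or state that the field is now optional. In the same hunk, `"privilege-escalation"` is added to `investigation_types`, but nothing in the rewritten `forensic_value` (browser-based attacks, drive-by delivery, weakened browser defenses) involves privilege escalation; `"initial-access"` covers it, so drop the extra type or justify it. Minor: the `examples` list keeps `"Kill Bit: Compatibility Flags: 0x00000400 (ActiveX control disabled for security)"`, which restates the first example `"ActiveX Compatibility\\{CLSID}\\Compatibility Flags: 0x00000400 (Kill bit - blocked)"`; one of the two can go.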
@@ -118,4 +119,4 @@ author: contribution: date_added: "2025-01-15" last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + version: "3.0" diff --git a/artifacts/browser/downloads.yml b/artifacts/browser-activity/browser_downloads_settings.yml similarity index 56% rename from artifacts/browser/downloads.yml rename to artifacts/browser-activity/browser_downloads_settings.yml index 9469d0c..1687bad 100644 --- a/artifacts/browser/downloads.yml +++ b/artifacts/browser-activity/browser_downloads_settings.yml @@ -1,6 +1,6 @@ title: "Browser Download History and Settings" -category: "browser" -description: "Browser download preferences, default locations, security settings, and download management configuration" +category: "browser-activity" +description: "Browser download preferences, default locations, and security settings" paths: - "HKCU\\Software\\Microsoft\\Internet Explorer\\Main" 
@@ -11,22 +11,18 @@ paths: details: what: | Browser download configuration controls default download locations, security restrictions, - file type handling, automatic download behavior, and download management policies. - Manages download folder settings, security zone restrictions, file execution policies, - and malware protection settings for safe file downloading across web browsers. + file type handling, and automatic download behavior. Manages download folder settings, + security zone restrictions, and malware protection settings. forensic_value: | - Critical for investigating malware delivery mechanisms, unauthorized software downloads, - and data exfiltration through download channels. Shows evidence of download folder - modifications that could facilitate malware execution, reveals download security - bypasses, and indicates attempts to modify browser security to enable dangerous - downloads essential for malware distribution and system compromise. + Critical for investigating malware delivery and unauthorized downloads. Shows evidence + of download folder modifications that could facilitate malware execution, security + bypasses, and attempts to weaken browser defenses for malware distribution. structure: | - Download configuration includes Download Directory (default save location), Security - settings for download zones, file type associations, automatic execution policies, - and download notification preferences. Security restrictions control download behavior - in different zones with policy enforcement for enterprise environments. + Download configuration includes Download Directory (default save location), security + settings for different zones, file type associations, and download notification preferences. + Security restrictions control download behavior with policy enforcement. examples: - "Download Directory: C:\\Users\\user\\Downloads (Standard download location)" 
@@ -39,14 +35,28 @@ details: tools: - name: "Internet Options (inetcpl.cpl)" - description: "Built-in Internet Explorer download and security configuration" + description: "Built-in IE download and security configuration" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Browser Security Scanner" - description: "Third-party tools for browser security assessment" - - name: "Download History Analyzer" - description: "Tools for analyzing browser download patterns and locations" + description: "Advanced registry analysis tool" + +limitations: + - "Registry shows download configuration only, not actual downloaded files" + - "Download directory setting doesn't prove files were downloaded there" + - "Security settings may be overridden by Group Policy" + - "Configuration changes don't indicate when downloads occurred" + +correlation: + required_for_definitive_conclusions: + - "Downloaded files in specified directories" + - "Browser history showing download URLs" + - "File system timestamps matching download activity" + - "Network logs showing file downloads" + + strengthens_evidence: + - "Timeline analysis of configuration changes" + - "User activity showing download folder access" + - "Malware analysis of downloaded files" metadata: windows_versions: 
@@ -59,40 +69,35 @@ metadata: - "Windows 11" introduced: "Internet Explorer 4.0" - criticality: "high" investigation_types: - "malware-analysis" - - "data-exfiltration" - "incident-response" + - "initial-access" + - "data-exfiltration" + - "behavioral-analysis" tags: - "browser" - "downloads" - "malware-delivery" - "security-settings" - - "file-downloads" - - "download-security" references: - title: "Microsoft Documentation: Internet Explorer Security" url: "https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/" type: "official" - - title: "Browser Download Security Analysis" - url: "https://www.sans.org/white-papers/33896/" - type: "research" retention: default_location: "Registry hive files (NTUSER.DAT, SOFTWARE)" persistence: "Download settings persist until manually changed" - volatility: "Configuration affects ongoing download security and malware protection" + volatility: "Configuration affects ongoing download security" related_artifacts: - "security_zones" - "typed_urls" - "file_associations" - - "security_policy" author: name: "Tonmoy Jitu" @@ -102,4 +107,4 @@ author: contribution: date_added: "2025-06-07" last_updated: "2025-06-07" - version: "1.0" + version: "3.0" diff --git a/artifacts/browser-activity/browser_helper_objects.yml b/artifacts/browser-activity/browser_helper_objects.yml new file mode 100644 index 0000000..a534000 --- /dev/null +++ b/artifacts/browser-activity/browser_helper_objects.yml 
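Review bot: The `related_artifacts` entries `"security_zones"` and `"typed_urls"` in the @@ -59,40 +69,35 @@ hunk no longer match the file names this same change introduces (artifacts/browser-activity/internet_security_zones.yml and artifacts/browser-activity/internet_explorer_typed_urls.yml); either update the slugs or document that related_artifacts use a logical name that is independent of the file name. The hunk also drops `- criticality: "high"` without a replacement, same as in the ActiveX file, and bumps `version` from "1.0" straight to "3.0" in the @@ -102,4 +107,4 @@ hunk; a short changelog line in the commit message explaining the numbering would help.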
@@ -0,0 +1,123 @@ +title: "Browser Helper Objects and Internet Explorer Extensions" +category: "browser-activity" +description: "Internet Explorer Browser Helper Objects, toolbar extensions, and browser plugin registrations" + +paths: + - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" + - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" + - "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar" + - "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions" + +details: + what: | + Browser Helper Objects (BHOs) are DLLs that automatically load with Internet Explorer + to extend functionality. Registry manages BHO registration, toolbar installations, + and browser extension permissions. + + forensic_value: | + Critical for detecting malicious browser extensions and adware. BHOs can intercept + web traffic, steal credentials, inject content, and monitor browsing. Shows evidence + of browser hijacking, malicious toolbars, and unauthorized modifications. + + structure: | + BHO registration uses CLSID identifiers referencing COM objects. Each entry contains + class registration and security settings. Toolbar entries define button configurations + and execution commands. 
+ + examples: + - "BHO\\{CLSID}: Adobe PDF Reader (Legitimate PDF viewer integration)" + - "BHO\\{2670000A-7350-4f3c-8081-5663EE0C6C49}: Windows Live Toolbar" + - "BHO\\{12345678-1234-5678-9abc-123456789abc}: Suspicious Adware BHO" + - "Toolbar\\{GUID}: Search Hijacker Toolbar" + - "Extensions\\{MenuExt-GUID}: Download Manager" + - "NoExplorer: 1 (BHO disabled in Windows Explorer)" + - "CLSID Reference: HKLM\\SOFTWARE\\Classes\\CLSID\\{GUID}\\InprocServer32: malware.dll" + + tools: + - name: "Internet Options (inetcpl.cpl)" + description: "Built-in IE add-on management" + - name: "Registry Explorer" + url: "https://ericzimmerman.github.io/#!index.md" + description: "Advanced registry analysis tool" + - name: "Autoruns" + url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" + description: "Microsoft Sysinternals tool with BHO enumeration" + - name: "BrowserAddonsView" + url: "https://www.nirsoft.net/utils/browser_addons_view.html" + description: "NirSoft browser add-ons viewer" + +limitations: + - "Registry shows installed BHOs only, not actual usage or activity" + - "Legitimate software may use BHOs for valid functionality" + - "BHO presence doesn't prove malicious behavior occurred" + - "Advanced malware may not use traditional BHO registration" + +correlation: + required_for_definitive_conclusions: + - "Network traffic logs showing malicious communication" + - "Browser history showing redirected or injected content" + - "Process execution logs showing BHO DLL loading" + - "File system artifacts showing malicious DLL files" + + strengthens_evidence: + - "Timeline analysis of when BHOs were installed" + - "User activity showing unexpected browser behavior" + - "Other malware persistence mechanisms" + +metadata: + windows_versions: + - "Windows 98" + - "Windows 2000" + - "Windows XP" + - "Windows Vista" + - "Windows 7" + - "Windows 8" + - "Windows 8.1" + - "Windows 10" + - "Windows 11" + + introduced: "Internet Explorer 4.0" + deprecated: "Legacy 
with IE, modern browsers use different extension models" + criticality: "high" + + investigation_types: + - "malware-analysis" + - "incident-response" + - "data-exfiltration" + - "persistence-analysis" + - "credential-theft" + + tags: + - "browser-extensions" + - "bho" + - "browser-hijacking" + - "adware" + - "malicious-toolbars" + + references: + - title: "Microsoft Documentation: Browser Helper Objects" + url: "https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/bb250436(v=vs.85)" + type: "official" + - title: "Browser Helper Object Malware Analysis" + url: "https://www.sans.org/white-papers/33439/" + type: "research" + + retention: + default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" + persistence: "BHO registrations persist until manually removed" + volatility: "Automatically load with browser sessions" + + related_artifacts: + - "activex_controls" + - "com_objects" + - "internet_settings" + +author: + name: "Tonmoy Jitu" + github: "tonmoy0010" + x: "tonmoy0010" + +contribution: + date_added: "2025-01-15" + last_updated: "2025-01-15" + version: "3.0" diff --git a/artifacts/browser-activity/chrome_browser.yml b/artifacts/browser-activity/chrome_browser.yml new file mode 100644 index 0000000..688018b --- /dev/null +++ b/artifacts/browser-activity/chrome_browser.yml 
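Review bot: The example `"BHO\\{12345678-1234-5678-9abc-123456789abc}: Suspicious Adware BHO"` uses a made-up but realistic-looking CLSID that a reader could copy into a detection rule as if it were an indicator; use the `{CLSID}` / `{GUID}` placeholder form already used in the same list (`"BHO\\{CLSID}: Adobe PDF Reader"`, `"Toolbar\\{GUID}: ..."`). Also, `volatility: "Automatically load with browser sessions"` describes when the DLL loads, not how volatile the registry evidence is; the other files use this field for how quickly the configuration can change (for example `"Configuration changes affect immediate browser behavior"`), so reword to match.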
@@ -0,0 +1,126 @@ +title: "Chrome and Edge Browser Registry Data" +category: "browser-activity" +description: "Chrome and Edge browser preferences, extensions, policies, and configuration stored in registry" + +paths: + - "HKCU\\Software\\Google\\Chrome" + - "HKCU\\Software\\Microsoft\\Edge" + - "HKLM\\SOFTWARE\\Policies\\Google\\Chrome" + - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge" + - "HKCU\\Software\\Chromium" + +details: + what: | + Chrome and Edge store configuration data in the registry including extension information, + security policies, homepage settings, search preferences, and profile configurations. + Enterprise policies control browser behavior and security restrictions. + + forensic_value: | + Shows evidence of malicious extensions, homepage hijacking, policy bypasses, and + browser-based attacks. Critical for detecting browser malware, data exfiltration + through extensions, and unauthorized configuration changes. + + structure: | + Hierarchical registry structure with JSON-formatted values for complex settings, + REG_DWORD for boolean options, and REG_SZ for text preferences. Separate branches + for user preferences and machine-wide policies. 
+ + examples: + - "HomepageLocation: http://malicious-site.com" + - "Extensions\\Installed: [{\"extension_id\": \"malicious_extension\"}]" + - "DefaultSearchProviderSearchURL: http://evil-search.com/search?q={searchTerms}" + - "Policies\\URLBlocklist: [\"*.security-site.com\"]" + - "PreferenceMACs: [integrity verification values]" + - "Profile Path: C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data" + - "BookmarkBarEnabled: 1 (Bookmark bar visibility)" + + tools: + - name: "Chrome Browser Policy List" + url: "https://chromeenterprise.google/policies/" + description: "Complete Chrome enterprise policy reference" + - name: "ChromeHistoryView" + url: "https://www.nirsoft.net/utils/chrome_history_view.html" + description: "Chrome browsing history viewer" + - name: "Registry Explorer" + url: "https://ericzimmerman.github.io/#!index.md" + description: "Advanced registry analysis tool" + - name: "BrowsingHistoryView" + url: "https://www.nirsoft.net/utils/browsing_history_view.html" + description: "Universal browser history viewer" + +limitations: + - "Registry data shows configuration only, not actual browsing history or file downloads" + - "Extensions listed may be disabled or not actively used" + - "Policy settings don't prove actual enforcement or user compliance" + - "Malicious extensions can hide from registry detection" + +correlation: + required_for_definitive_conclusions: + - "Browser history databases for actual usage evidence" + - "Downloaded files and extension directories" + - "Process execution logs showing browser activity" + - "Network logs showing connections to malicious sites" + + strengthens_evidence: + - "Timeline artifacts showing when changes occurred" + - "User activity showing who made configuration changes" + - "File operations related to extension installations" + +metadata: + windows_versions: + - "Windows 7" + - "Windows 8" + - "Windows 8.1" + - "Windows 10" + - "Windows 11" + - "Windows Server 2012" + - "Windows Server 
2016" + - "Windows Server 2019" + - "Windows Server 2022" + + introduced: "Windows XP" + criticality: "high" + + investigation_types: + - "malware-analysis" + - "incident-response" + - "behavioral-analysis" + - "initial-access" + - "data-exfiltration" + - "persistence-analysis" + + tags: + - "browser" + - "chrome" + - "edge" + - "extensions" + - "policies" + - "hijacking" + + references: + - title: "Google Chrome Enterprise Documentation" + url: "https://support.google.com/chrome/a/answer/7532015" + type: "official" + - title: "Microsoft Edge Enterprise Documentation" + url: "https://docs.microsoft.com/en-us/deployedge/" + type: "official" + + retention: + default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" + persistence: "Configuration persists until manually changed or policy update" + volatility: "Changes affect immediate browser behavior" + + related_artifacts: + - "firefox_registry" + - "file_associations" + - "default_applications" + +author: + name: "Tonmoy Jitu" + github: "tonmoy0010" + x: "tonmoy0010" + +contribution: + date_added: "2025-01-15" + last_updated: "2025-01-15" + version: "3.0" diff --git a/artifacts/browser-activity/firefox_history.yml b/artifacts/browser-activity/firefox_history.yml new file mode 100644 index 0000000..152d87f --- /dev/null +++ b/artifacts/browser-activity/firefox_history.yml 
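Review bot: `introduced: "Windows XP"` contradicts the `windows_versions` list in the same file, which starts at "Windows 7"; pick one. The `examples` list mixes user-preference and policy values without saying which of the five listed `paths` each one lives under: only `"Policies\\URLBlocklist: ..."` carries the Policies prefix, while `HomepageLocation` and `DefaultSearchProviderSearchURL` are shown bare, so prefix every example with its branch the way the other artifact files do. The `"Profile Path: C:\\\\Users\\\\user\\\\..."` example uses four backslashes where every other example in this change uses two, which renders as a doubled backslash once the YAML is parsed. Finally, `related_artifacts` lists `"firefox_registry"`, but the Firefox file added in this same change is artifacts/browser-activity/firefox_history.yml.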
@@ -0,0 +1,117 @@ +title: "Firefox Browser Registry Data" +category: "browser-activity" +description: "Firefox installation information, profile locations, browser preferences, and configuration data" + +paths: + - "HKCU\\Software\\Mozilla\\Firefox" + - "HKLM\\SOFTWARE\\Mozilla\\Firefox" + - "HKCU\\Software\\Classes\\FirefoxHTML" + - "HKLM\\SOFTWARE\\Classes\\FirefoxURL" + +details: + what: | + Firefox browser registration and configuration data including installation information, + version details, profile directory locations, default browser settings, and file + association handlers. Manages Firefox integration with Windows shell and protocol handlers. + + forensic_value: | + Essential for Firefox-based investigations including profile location identification, + installation timeline establishment, and browser preference analysis. Shows Firefox + usage patterns and integration with system shell for protocol handling. + + structure: | + Installation information organized under Mozilla\\Firefox including CurrentVersion, + install directory paths, and profile management settings. File associations stored + in Classes registry showing protocol handlers for HTTP, HTTPS, FTP, and custom protocols. 
+ + examples: + - "CurrentVersion: 121.0 (Firefox version information)" + - "Install Directory: C:\\Program Files\\Mozilla Firefox (Installation path)" + - "Profile Path: %APPDATA%\\Mozilla\\Firefox\\Profiles (Profile directory location)" + - "FirefoxHTML\\shell\\open\\command: \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" + - "FirefoxURL\\DefaultIcon: C:\\Program Files\\Mozilla Firefox\\firefox.exe,1" + - "DefaultClientState: 1 (Default browser status)" + - "ProfileManager\\StartWithLastProfile: 1 (Automatic profile loading)" + + tools: + - name: "Firefox Profile Manager" + description: "Firefox built-in profile management utility" + - name: "MozillaHistoryView" + url: "https://www.nirsoft.net/utils/mozilla_history_view.html" + description: "Firefox browsing history viewer" + - name: "Registry Explorer" + url: "https://ericzimmerman.github.io/#!index.md" + description: "Advanced registry analysis tool" + +limitations: + - "Registry shows installation and configuration only, not browsing history" + - "Profile path doesn't indicate actual usage or activity" + - "Installation presence doesn't prove Firefox was actively used" + - "Version information shows installed version, not update history" + +correlation: + required_for_definitive_conclusions: + - "Firefox profile databases (places.sqlite, cookies.sqlite)" + - "Browser history files in profile directories" + - "Process execution logs showing Firefox activity" + - "File access logs for profile directories" + + strengthens_evidence: + - "Timeline analysis of installation and profile creation" + - "User activity showing Firefox usage patterns" + - "File operations in Firefox directories" + +metadata: + windows_versions: + - "Windows XP" + - "Windows Vista" + - "Windows 7" + - "Windows 8" + - "Windows 8.1" + - "Windows 10" + - "Windows 11" + + introduced: "Firefox 1.0 (2004)" + criticality: "medium" + + investigation_types: + - "behavioral-analysis" + - "insider-threat" + - 
"incident-response" + - "timeline-analysis" + + tags: + - "browser" + - "firefox" + - "web-browsing" + - "profiles" + - "file-associations" + - "protocol-handlers" + + references: + - title: "Mozilla Documentation: Firefox Profiles" + url: "https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data" + type: "official" + - title: "Firefox Browser Forensics Guide" + url: "https://www.forensicfocus.com/articles/firefox-browser-forensics/" + type: "research" + + retention: + default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" + persistence: "Firefox configuration persists until uninstallation" + volatility: "Browser settings reflect current installation state" + + related_artifacts: + - "chrome_history" + - "default_applications" + - "file_associations" + +author: + name: "Tonmoy Jitu" + github: "tonmoy0010" + x: "tonmoy0010" + +contribution: + date_added: "2025-01-15" + last_updated: "2025-01-15" + version: "3.0" diff --git a/artifacts/browser/typed_urls.yml b/artifacts/browser-activity/internet_explorer_typed_urls.yml similarity index 66% rename from artifacts/browser/typed_urls.yml rename to artifacts/browser-activity/internet_explorer_typed_urls.yml index f222d2a..9bf70ed 100644 --- a/artifacts/browser/typed_urls.yml +++ b/artifacts/browser-activity/internet_explorer_typed_urls.yml @@ -1,5 +1,5 @@ title: "Internet Explorer Typed URLs" -category: "browser" +category: "browser-activity" description: "URLs manually typed in Internet Explorer address bar with chronological access tracking" paths: 
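Review bot: The new file is named firefox_history.yml, but its title is "Firefox Browser Registry Data" and its first limitation states "Registry shows installation and configuration only, not browsing history"; rename it (firefox_browser.yml would mirror chrome_browser.yml) so the file name does not promise history artifacts the content says are not there. Its `related_artifacts` entry `"chrome_history"` has the same problem in reverse, since the Chrome file added in this change is chrome_browser.yml.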
@@ -9,22 +9,19 @@ paths: details: what: | Internet Explorer maintains a record of URLs that users manually type in the address bar - for autocomplete functionality and user convenience. Stores chronological order of manual - URL entry with corresponding timestamps for each typed address. Provides evidence of - intentional website navigation rather than accidental clicks or redirect-based visits. + for autocomplete functionality. Stores chronological order of manual URL entry with + corresponding timestamps for each typed address. forensic_value: | - Extremely valuable for investigating intentional website visits, manual navigation to - suspicious or malicious sites, and user browsing intent analysis. Shows deliberate - attempts to access specific websites, command and control domains manually entered, - unauthorized browsing to restricted sites, and evidence of users actively seeking - specific content or services. Critical for establishing intent in cybercrime investigations. + Extremely valuable for investigating intentional website visits and manual navigation + to suspicious sites. Shows deliberate attempts to access specific websites, command + and control domains manually entered, and evidence of users actively seeking specific + content. Critical for establishing intent in cybercrime investigations. structure: | Sequential value names (url1, url2, url3, etc.) containing full URLs as REG_SZ data. TypedURLsTime contains corresponding binary FILETIME timestamps for each URL entry. - Most recent entries receive higher sequential numbers, maintaining chronological order - of manual URL entry events with precise timing information. + Most recent entries receive higher sequential numbers, maintaining chronological order. examples: - "url1: https://www.google.com (Common search engine access)" 
@@ -32,24 +29,41 @@ details: - "url3: http://192.168.1.100:8080 (Direct IP address with non-standard port)" - "url4: ftp://internal-server.company.com (Internal FTP server access)" - "url5: https://darkweb-marketplace.onion (Tor hidden service access)" - - "TypedURLsTime: Binary FILETIME timestamps corresponding to each URL" - "url6: https://sensitive-competitor-site.com (Potential corporate espionage)" + - "TypedURLsTime: Binary FILETIME timestamps corresponding to each URL" tools: - name: "IEHistoryView" url: "https://www.nirsoft.net/utils/iehv.html" - description: "Comprehensive Internet Explorer history viewer and analyzer" + description: "Comprehensive Internet Explorer history viewer" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Advanced registry analysis tool" - name: "BrowsingHistoryView" url: "https://www.nirsoft.net/utils/browsing_history_view.html" description: "Universal browser history viewer for multiple browsers" - name: "RegRipper" url: "https://github.com/keydet89/RegRipper3.0" description: "Registry data extraction and analysis framework" - - name: "Internet Explorer Analysis Tools" - description: "Specialized forensic utilities for IE artifact examination" + +limitations: + - "Shows only manually typed URLs, not links clicked or redirects" + - "URLs may be typed for testing or research, not malicious intent" + - "Limited to Internet Explorer usage only" + - "Registry entries can be manually deleted or cleared" + - "Autocomplete may complete URLs from minimal typing" + +correlation: + required_for_definitive_conclusions: + - "Full browser history showing actual visits to typed URLs" + - "Network traffic logs confirming connections to suspicious sites" + - "Downloaded files or malware from manually accessed sites" + - "User activity logs correlating with typed URL timestamps" + + strengthens_evidence: + - "Timeline analysis of manual URL 
entry patterns" + - "Other browser artifacts showing related activity" + - "File operations or downloads from manually accessed sites" metadata: windows_versions: @@ -64,13 +78,14 @@ metadata: - "Windows 11" introduced: "Internet Explorer 4.0" - criticality: "high" investigation_types: - "timeline-analysis" - "insider-threat" - "incident-response" + - "behavioral-analysis" + - "initial-access" tags: - "browser" @@ -79,7 +94,6 @@ metadata: - "typed-urls" - "suspicious-domains" - "user-intent" - - "web-browsing" references: - title: "Microsoft Documentation: Internet Explorer Registry Settings" @@ -88,20 +102,17 @@ metadata: - title: "Internet Explorer Forensics Guide" url: "https://www.forensicfocus.com/articles/internet-explorer-forensics/" type: "research" - - title: "Browser Artifact Analysis for Digital Forensics" - url: "https://www.sans.org/white-papers/33439/" - type: "research" retention: default_location: "Registry hive files (NTUSER.DAT)" persistence: "Typed URLs persist until manually cleared or registry limit reached" - volatility: "Real-time updates with manual URL entry, immediate evidence of user intent" + volatility: "Real-time updates with manual URL entry" related_artifacts: + - "security_zones" + - "downloads" - "chrome_history" - "firefox_history" - - "browser_security" - - "internet_settings" author: name: "Tonmoy Jitu" @@ -111,4 +122,4 @@ author: contribution: date_added: "2025-01-15" last_updated: "2025-01-15" - version: "2.0" + version: "3.0" diff --git a/artifacts/browser/security_zones.yml b/artifacts/browser-activity/internet_security_zones.yml similarity index 61% rename from artifacts/browser/security_zones.yml rename to artifacts/browser-activity/internet_security_zones.yml index c6e5e63..f1972e7 100644 --- a/artifacts/browser/security_zones.yml +++ b/artifacts/browser-activity/internet_security_zones.yml 
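Review bot: In the @@ -88,20 +102,17 @@ hunk the new `related_artifacts` entries `"security_zones"` and `"downloads"` point at the old file names, while this same change renames those files to internet_security_zones.yml and browser_downloads_settings.yml; update the slugs or define related_artifacts as logical names so the search engine can still resolve them. The @@ -64,13 +78,14 @@ hunk also removes `- criticality: "high"` with nothing in its place, which leaves this artifact unfilterable by criticality.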
@@ -1,5 +1,5 @@ title: "Internet Explorer Security Zones and Settings" -category: "browser" +category: "browser-activity" description: "Internet Explorer security zone configuration, trusted sites, restricted sites, and browser security policies" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Internet Explorer security zones framework controls website trust levels, security policies, - ActiveX control permissions, script execution restrictions, and download behaviors based - on website categorization. Manages Internet, Local Intranet, Trusted Sites, and Restricted - Sites zones with granular security settings, custom site assignments, and enterprise - policy enforcement for comprehensive web browsing security management. + Internet Explorer security zones control website trust levels and security policies. + Manages Internet, Local Intranet, Trusted Sites, and Restricted Sites zones with + ActiveX control permissions, script execution restrictions, and download behaviors. forensic_value: | - Critical for investigating browser-based attacks, malicious website interactions, and - security policy bypass attempts. Shows evidence of trusted site modifications that could - facilitate attacks, restricted site configurations that may have been circumvented, - and security zone changes that weaken browser defenses. Essential for analyzing - browser-based malware delivery, social engineering attacks, and policy violations. + Critical for investigating browser-based attacks and security policy bypasses. + Shows evidence of trusted site modifications that facilitate attacks, security + zone changes that weaken defenses, and policy violations. structure: | Security zones numbered 0-4 (My Computer, Local Intranet, Trusted Sites, Internet, Restricted) - with detailed security settings as REG_DWORD values. ZoneMap contains site-to-zone assignments - with domain classifications. Policy enforcement controls enterprise-wide browser security - through Group Policy with inheritance and override mechanisms for centralized management. + with detailed security settings as REG_DWORD values. ZoneMap contains site-to-zone assignments. + Policy enforcement controls enterprise-wide browser security through Group Policy. 
examples: - "Zones\\1\\1001: 3 (Local Intranet - Prompt for ActiveX download)" @@ -41,16 +36,30 @@ details: tools: - name: "Internet Options (inetcpl.cpl)" - description: "Built-in Internet Explorer security zone configuration interface" - - name: "IEZoneAnalyzer" - description: "Third-party tools for analyzing IE security zone configurations" + description: "Built-in IE security zone configuration interface" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Advanced registry analysis tool" - name: "Group Policy Editor (gpedit.msc)" description: "Enterprise Internet Explorer policy management" - - name: "Browser Security Scanner" - description: "Tools for assessing browser security configuration and vulnerabilities" + +limitations: + - "Configuration shows security settings only, not actual exploitation attempts" + - "Trusted site assignments don't prove malicious activity occurred" + - "Zone modifications may be legitimate administrative changes" + - "Settings may be overridden by Group Policy or user actions" + +correlation: + required_for_definitive_conclusions: + - "Browser history showing visits to modified trusted sites" + - "Network traffic logs showing malicious communication" + - "ActiveX control execution logs or crash dumps" + - "Process execution showing exploitation artifacts" + + strengthens_evidence: + - "Timeline analysis of when zone settings were changed" + - "User activity correlating with security modifications" + - "Other browser security bypasses or malware" metadata: windows_versions: @@ -65,7 +74,6 @@ metadata: - "Windows 11" introduced: "Internet Explorer 4.0" - criticality: "high" investigation_types: @@ -73,6 +81,8 @@ metadata: - "incident-response" - "behavioral-analysis" - "insider-threat" + - "initial-access" + - "privilege-escalation" tags: - "browser" 
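Review bot: The @@ -65,7 +74,6 @@ hunk drops `- criticality: "high"` without a replacement, and the @@ -73,6 +81,8 @@ hunk adds `"privilege-escalation"` to `investigation_types` although the rewritten `forensic_value` only describes trusted-site modifications and weakened zone settings, which are initial-access and defense-evasion concerns rather than privilege escalation; restore the criticality field and drop or justify the extra type. The new `limitations` entry `"Settings may be overridden by Group Policy or user actions"` is a useful caveat; consider pointing it at the HKLM policy branch already listed under `paths` so an analyst knows where to check for the override.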
@@ -81,16 +91,11 @@ metadata: - "trusted-sites" - "browser-security" - "activex" - - "script-execution" - - "web-security" references: - title: "Microsoft Documentation: Internet Explorer Security Zones" url: "https://docs.microsoft.com/en-us/troubleshoot/browsers/security-zones-registry-entries" type: "official" - - title: "Internet Explorer Security Analysis" - url: "https://www.sans.org/white-papers/33439/" - type: "research" - title: "Browser Security Zone Exploitation Techniques" url: "https://attack.mitre.org/techniques/T1185/" type: "research" @@ -98,13 +103,13 @@ metadata: retention: default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" persistence: "Security zone settings persist until manually changed or policy update" - volatility: "Security configuration changes affect immediate browser security posture" + volatility: "Configuration changes affect immediate browser security posture" related_artifacts: - - "chrome_history" - - "firefox_history" + - "activex_controls" + - "browser_helper_objects" + - "downloads" - "typed_urls" - - "security_policy" author: name: "Tonmoy Jitu" @@ -114,4 +119,4 @@ author: contribution: date_added: "2025-01-15" last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + version: "3.0" diff --git a/artifacts/browser-activity/tor_browser.yml b/artifacts/browser-activity/tor_browser.yml new file mode 100644 index 0000000..effa5f9 --- /dev/null +++ b/artifacts/browser-activity/tor_browser.yml 
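Review bot: The @@ -98,13 +103,13 @@ hunk adds `"downloads"` and keeps `"typed_urls"` in `related_artifacts`, but both files are renamed in this same change (browser_downloads_settings.yml, internet_explorer_typed_urls.yml), so these links will dangle unless related_artifacts are resolved by a logical name rather than the file name; make the convention explicit or update the slugs.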
@@ -0,0 +1,109 @@ +title: "Tor Browser Privacy Configuration" +category: "browser-activity" +description: "Tor Browser installation and privacy configuration settings in registry" + +paths: + - "HKCU\\Software\\Mozilla\\Firefox\\Profiles\\[ProfileID]\\Tor Browser" + - "HKLM\\SOFTWARE\\Mozilla\\Firefox\\Tor Browser" + - "HKCU\\Software\\Classes\\TorBrowser" + - "HKLM\\SOFTWARE\\Classes\\TorBrowser" + +details: + what: | + Tor Browser registry entries store installation paths, security configurations, + and file associations. Contains privacy settings, security levels, and proxy + configurations for anonymous browsing. + + forensic_value: | + Indicates privacy-conscious behavior and potential attempts to evade monitoring. + Shows evidence of anonymity tool usage, dark web access capabilities, and + security-aware browsing patterns. + + structure: | + Tor Browser configuration includes proxy settings, security level preferences, + bridge configurations, and anonymity options. Privacy settings track JavaScript + restrictions, plugin blocking, and anti-fingerprinting measures for comprehensive + privacy-focused browsing behavior analysis and security-conscious user profiling. 
+ + examples: + - "InstallPath: C:\\Users\\user\\Desktop\\Tor Browser" + - "SecurityLevel: Safest" + - "BridgeSettings: obfs4" + - "NoScript: 1" + - "ProxyType: SOCKS5" + - "Letterboxing: 1 (Anti-fingerprinting protection)" + - "ExitCountry: {us} (Preferred exit node country)" + + tools: + - name: "Registry Explorer" + url: "https://ericzimmerman.github.io/#!index.md" + description: "Advanced registry analysis tool" + - name: "Tor Project Documentation" + url: "https://tb-manual.torproject.org/" + description: "Official Tor Browser documentation" + +limitations: + - "Registry entries show installation only, not actual usage or browsing activity" + - "Tor configuration doesn't prove illegal activity or dark web access" + - "Installation could be for legitimate privacy reasons" + +correlation: + required_for_definitive_conclusions: + - "Network traffic logs showing Tor connections" + - "Browser history or cache files from Tor usage" + - "Process execution logs showing Tor Browser activity" + + strengthens_evidence: + - "Timeline analysis of when Tor was installed and used" + - "File operations related to Tor directory access" + - "Other privacy tools or anonymization software" + +metadata: + windows_versions: + - "Windows XP" + - "Windows Vista" + - "Windows 7" + - "Windows 8" + - "Windows 8.1" + - "Windows 10" + - "Windows 11" + + introduced: "Tor Browser" + criticality: "medium" + + investigation_types: + - "behavioral-analysis" + - "incident-response" + - "insider-threat" + - "anti-forensics" + + tags: + - "tor" + - "privacy" + - "anonymity" + - "dark-web" + - "anti-surveillance" + + references: + - title: "Tor Project" + url: "https://www.torproject.org/" + type: "official" + + retention: + default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" + persistence: "Installation registry entries persist until uninstalled" + volatility: "Configuration shows privacy tool presence" + + related_artifacts: + - "privacy_tools" + - "browser_configurations" + +author: 
+ name: "Tonmoy Jitu" + github: "tonmoy0010" + x: "tonmoy0010" + +contribution: + date_added: "2025-06-08" + last_updated: "2025-06-08" + version: "3.0" diff --git a/artifacts/browser/browser_helper_objects.yml b/artifacts/browser/browser_helper_objects.yml deleted file mode 100644 index e77a617..0000000 --- a/artifacts/browser/browser_helper_objects.yml +++ /dev/null 
@@ -1,125 +0,0 @@ -title: "Browser Helper Objects and Internet Explorer Extensions" -category: "browser" -description: "Internet Explorer Browser Helper Objects, toolbar extensions, search providers, and browser plugin management" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" - - "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects" - - "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar" - - "HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions" - -details: - what: | - Browser Helper Objects (BHOs) are Dynamic Link Libraries (DLLs) that automatically load - with Internet Explorer to extend browser functionality. Registry manages BHO registration, - toolbar installations, search provider configurations, and extension permissions. Controls - browser plugin behavior, automatic loading, security restrictions, and integration with - web browsing for enhanced functionality and user experience. - - forensic_value: | - Critical for detecting malicious browser extensions, adware installations, and browser - hijacking attacks. BHOs can intercept web traffic, steal credentials, inject malicious - content, and monitor user browsing behavior. Shows evidence of unauthorized browser - modifications, malicious toolbars, search hijacking, and browser-based data exfiltration. - Essential for analyzing browser malware, adware infections, and privacy violations. - - structure: | - BHO registration uses CLSID identifiers as subkeys referencing COM objects that load - automatically with Internet Explorer. Each BHO entry contains class registration, - security settings, and loading preferences. Toolbar entries define button configurations, - display properties, and execution commands. Extensions manage browser add-ons and - functionality enhancements with security descriptors and capability definitions. 
- - examples: - - "BHO\\{CLSID}: Adobe PDF Reader (Legitimate PDF viewer integration)" - - "BHO\\{2670000A-7350-4f3c-8081-5663EE0C6C49}: Windows Live Toolbar (Microsoft toolbar)" - - "BHO\\{12345678-1234-5678-9abc-123456789abc}: Malicious Adware BHO (Suspicious entry)" - - "Toolbar\\{GUID}: Search Hijacker Toolbar (Unauthorized search modification)" - - "Extensions\\{MenuExt-GUID}: Download Manager (Context menu extension)" - - "NoExplorer: 1 (BHO disabled in Windows Explorer)" - - "CLSID Reference: HKLM\\SOFTWARE\\Classes\\CLSID\\{GUID}\\InprocServer32: malware.dll" - - tools: - - name: "Internet Options (inetcpl.cpl)" - description: "Built-in Internet Explorer add-on and extension management" - - name: "BHODemon" - url: "https://www.malwareremovalguides.info/bhodemon_review.htm" - description: "Third-party tool for BHO analysis and management" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Autoruns" - url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" - description: "Microsoft Sysinternals tool with comprehensive BHO enumeration" - - name: "BrowserAddonsView" - url: "https://www.nirsoft.net/utils/browser_addons_view.html" - description: "NirSoft tool for viewing installed browser add-ons and extensions" - -metadata: - windows_versions: - - "Windows 98" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Internet Explorer 4.0" - deprecated: "Legacy with IE, modern browsers use different extension models" - - criticality: "high" - - investigation_types: - - "malware-analysis" - - "incident-response" - - "behavioral-analysis" - - "data-exfiltration" - - tags: - - "browser-extensions" - - "bho" - - "browser-hijacking" - - "adware" - - "malicious-toolbars" - - "browser-security" - - "credential-theft" - - "traffic-interception" - - 
references: - - title: "Microsoft Documentation: Browser Helper Objects" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/bb250436(v=vs.85)" - type: "official" - - title: "Internet Explorer Extension Security" - url: "https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/aa741313(v=vs.85)" - type: "official" - - title: "Browser Helper Object Malware Analysis" - url: "https://www.sans.org/white-papers/33439/" - type: "research" - - title: "BHO-based Attacks and Detection" - url: "https://www.forensicfocus.com/articles/browser-helper-object-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "BHO registrations persist until manually removed or software uninstalled" - volatility: "Automatically load with browser sessions, immediate impact on browsing security" - - related_artifacts: - - "activex_controls" - - "browser_security" - - "com_objects" - - "internet_settings" - - "malware_persistence" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/browser/chrome_history.yml b/artifacts/browser/chrome_history.yml deleted file mode 100644 index 73a9b04..0000000 --- a/artifacts/browser/chrome_history.yml +++ /dev/null 
@@ -1,121 +0,0 @@ -title: "Chrome and Edge Browser Registry Data" -category: "browser" -description: "Chrome and Edge browser preferences, extensions, policies, and configuration registry data" - -paths: - - "HKCU\\Software\\Google\\Chrome" - - "HKCU\\Software\\Microsoft\\Edge" - - "HKLM\\SOFTWARE\\Policies\\Google\\Chrome" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge" - - "HKCU\\Software\\Chromium" - -details: - what: | - Chrome and Edge Chromium-based browsers store configuration data, extension information, - enterprise policy settings, homepage URLs, search engine preferences, and browser state - information in the registry for system-wide settings and Group Policy enforcement. - Manages security policies, extension permissions, profile configurations, and browser - behavior controls for comprehensive web browsing security and functionality. - - forensic_value: | - Critical for browser-based investigations including malicious extension detection, homepage - hijacking analysis, enterprise policy bypass attempts, and browser-based data exfiltration. - Shows browser usage patterns, installed extensions that could be malicious, policy restrictions - that may have been circumvented, and evidence of browser-based attacks or command and control - communication through browser configurations and extension installations. - - structure: | - Hierarchical registry structure containing browser preferences, extension lists, policy settings, - and user profile information. Configuration data stored as JSON-formatted values for complex - settings, REG_DWORD for boolean options, and REG_SZ for text preferences. Separate branches - for user preferences and machine-wide Group Policy enforcement. 
- - examples: - - "HomepageLocation: http://malicious-site.com (Potential homepage hijacking)" - - "Extensions\\\\Installed: [{\"extension_id\": \"malicious_extension\"}]" - - "DefaultSearchProviderSearchURL: http://evil-search.com/search?q={searchTerms}" - - "Policies\\\\URLBlocklist: [\"*.legitimate-security-site.com\"] (Blocking security sites)" - - "PreferenceMACs: [MAC values for preference integrity verification]" - - "Profile Path: C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data" - - "BookmarkBarEnabled: 1 (Bookmark bar visibility)" - - tools: - - name: "Chrome Browser Policy List" - url: "https://chromeenterprise.google/policies/" - description: "Complete Chrome enterprise policy reference" - - name: "ChromeHistoryView" - url: "https://www.nirsoft.net/utils/chrome_history_view.html" - description: "View and analyze Chrome browsing history from database files" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "BrowsingHistoryView" - url: "https://www.nirsoft.net/utils/browsing_history_view.html" - description: "Universal browser history viewer for multiple browsers" - - name: "Browser Configuration Analyzer" - description: "Specialized tools for analyzing browser security configurations" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Chrome 2008, Edge 2015" - - criticality: "high" - - investigation_types: - - "insider-threat" - - "malware-analysis" - - "data-exfiltration" - - "incident-response" - - "timeline-analysis" - - tags: - - "browser" - - "chrome" - - "edge" - - "extensions" - - "policies" - - "hijacking" - - "web-security" - - references: - - title: "Google Chrome Enterprise Documentation" - url: 
"https://support.google.com/chrome/a/answer/7532015" - type: "official" - - title: "Microsoft Edge Enterprise Documentation" - url: "https://docs.microsoft.com/en-us/deployedge/" - type: "official" - - title: "Browser Extension Malware Analysis" - url: "https://www.sans.org/white-papers/39738/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Browser configuration persists until manually changed or policy update" - volatility: "Configuration changes affect immediate browser behavior and security" - - related_artifacts: - - "firefox_history" - - "file_associations" - - "default_applications" - - "security_policies" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/browser/firefox_history.yml b/artifacts/browser/firefox_history.yml deleted file mode 100644 index 3032338..0000000 --- a/artifacts/browser/firefox_history.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -title: "Firefox Browser Registry Data" -category: "user-activity" -description: "Firefox installation information, profile locations, browser preferences, and configuration data" - -paths: - - "HKCU\\Software\\Mozilla\\Firefox" - - "HKLM\\SOFTWARE\\Mozilla\\Firefox" - - "HKCU\\Software\\Classes\\FirefoxHTML" - - "HKLM\\SOFTWARE\\Classes\\FirefoxURL" - -details: - what: | - Firefox browser registration and configuration data stored in Windows registry including - installation information, version details, profile directory locations, default browser - settings, update preferences, and file association handlers. Manages Firefox integration - with Windows shell, protocol handlers, and system-wide browser configuration for - comprehensive web browsing functionality and system integration. - - forensic_value: | - Essential for Firefox-based investigations including web browsing activity analysis, - profile location identification for further examination, installation timeline establishment, - and browser preference analysis. Shows Firefox usage patterns, configuration modifications - that might indicate security bypasses, and integration with system shell for protocol - handling. Critical for investigations involving Firefox-specific browsing artifacts. - - structure: | - Installation information organized under Mozilla\\Firefox including CurrentVersion, install - directory paths, profile management settings, and update configurations. File associations - stored in Classes registry showing protocol handlers for HTTP, HTTPS, FTP, and custom - protocols. Profile settings include default profile locations and user-specific configurations. 
- - examples: - - "CurrentVersion: 121.0 (Firefox version information)" - - "Install Directory: C:\\\\Program Files\\\\Mozilla Firefox (Installation path)" - - "Profile Path: %APPDATA%\\\\Mozilla\\\\Firefox\\\\Profiles (Profile directory location)" - - "FirefoxHTML\\\\shell\\\\open\\\\command: \"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\" -osint -url \"%1\"" - - "FirefoxURL\\\\DefaultIcon: C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe,1" - - "DefaultClientState: 1 (Default browser status)" - - "ProfileManager\\\\StartWithLastProfile: 1 (Automatic profile loading)" - - tools: - - name: "Firefox Profile Manager" - description: "Firefox built-in profile management and configuration utility" - - name: "MozillaHistoryView" - url: "https://www.nirsoft.net/utils/mozilla_history_view.html" - description: "Third-party tool for viewing Firefox browsing history" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Firefox Configuration Editor" - description: "about:config interface for advanced Firefox settings" - - name: "Browser Forensics Tools" - description: "Specialized utilities for Firefox artifact analysis" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Firefox 1.0 (2004)" - - criticality: "medium" - - investigation_types: - - "behavioral-analysis" - - "insider-threat" - - "incident-response" - - "timeline-analysis" - - tags: - - "browser" - - "firefox" - - "web-browsing" - - "profiles" - - "internet-activity" - - "file-associations" - - "protocol-handlers" - - references: - - title: "Mozilla Documentation: Firefox Profiles" - url: "https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data" - type: "official" - - title: "Firefox Browser Forensics Guide" - url: 
"https://www.forensicfocus.com/articles/firefox-browser-forensics/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Firefox configuration persists until uninstallation or manual removal" - volatility: "Browser settings reflect current installation and configuration state" - - related_artifacts: - - "chrome_history" - - "default_applications" - - "file_associations" - - "user_profiles" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/browser/tor.yml b/artifacts/browser/tor.yml deleted file mode 100644 index 0437083..0000000 --- a/artifacts/browser/tor.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -title: "Tor Browser Privacy Configuration" -category: "browser" -description: "Tor Browser settings, anonymity preferences, and privacy-focused browsing configuration" - -paths: - - "HKCU\\Software\\Mozilla\\Firefox\\Profiles\\*\\Tor Browser" - - "HKLM\\SOFTWARE\\Mozilla\\Firefox\\Tor Browser" - - "HKCU\\Software\\Classes\\TorBrowser" - - "HKLM\\SOFTWARE\\Classes\\TorBrowser" - -details: - what: | - Tor Browser manages privacy-focused web browsing including anonymity settings, - proxy configurations, security levels, and anti-tracking preferences. Registry - stores installation data, security configurations, bridge settings, and privacy - preferences for comprehensive anonymous browsing analysis and privacy-conscious - internet usage behavior tracking in sensitive or security-focused environments. - - forensic_value: | - Critical for investigating privacy-conscious behavior, potential anonymous - communications, dark web access, and security-aware browsing patterns. Shows - evidence of anonymity-seeking behavior, privacy tool usage, potential illicit - activities, and can indicate attempts to evade monitoring, access restricted - content, or maintain operational security in sensitive investigations. - - structure: | - Tor Browser configuration includes proxy settings, security level preferences, - bridge configurations, and anonymity options. Privacy settings track JavaScript - restrictions, plugin blocking, and anti-fingerprinting measures for comprehensive - privacy-focused browsing behavior analysis and security-conscious user profiling. 
- - examples: - - "InstallPath: C:\\Users\\user\\Desktop\\Tor Browser" - - "SecurityLevel: Safest (Highest security configuration)" - - "BridgeSettings: obfs4 (Pluggable transport bridges)" - - "NoScript: 1 (JavaScript blocking enabled)" - - "Letterboxing: 1 (Anti-fingerprinting protection)" - - "ProxyType: SOCKS5 (Tor proxy configuration)" - - "ExitCountry: {us} (Preferred exit node country)" - - tools: - - name: "Tor Browser" - description: "Privacy-focused web browser for anonymous browsing" - - name: "Tor Network Status" - description: "Tools for monitoring Tor network connectivity and status" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Tor Browser" - - criticality: "high" - - investigation_types: - - "behavioral-analysis" - - "incident-response" - - "malware-analysis" - - tags: - - "tor" - - "privacy" - - "anonymity" - - "dark-web" - - "security" - - "anti-surveillance" - - "onion-routing" - - references: - - title: "Tor Project" - url: "https://www.torproject.org/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Privacy settings persist until manual reconfiguration" - volatility: "Anonymity tool usage provides evidence of privacy-conscious behavior" - - related_artifacts: - - "privacy_tools" - - "browser_security" - - "anonymity_software" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/communication-apps/discord.yml b/artifacts/communication-apps/discord.yml new file mode 100644 index 0000000..53f0c82 --- /dev/null +++ b/artifacts/communication-apps/discord.yml 
@@ -0,0 +1,91 @@ +title: "Discord Desktop Client" +category: "communication-apps" +description: "Discord application configuration, server memberships, and communication settings" + +paths: + - "HKCU\\Software\\Discord" + - "HKLM\\SOFTWARE\\Discord Inc\\Discord" + - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Discord" + - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord" + +details: + what: | + Discord client settings for gaming and community communication. Stores user authentication, + server configurations, notification settings, and privacy preferences. + + forensic_value: | + Reveals unauthorized external communications, gaming-related activities, and informal + communication channels that bypass corporate monitoring. Shows membership in suspicious + servers and potential data exfiltration through gaming platforms. + + structure: | + Configuration includes user identifiers, server memberships, privacy settings, + notification preferences, and voice/video configurations. 
+ + examples: + - "UserID: 123456789012345678 (Discord user identifier)" + - "Username: employee_username (Discord display name)" + - "AutoStart: 1 (Discord starts with Windows)" + - "MinimizeToTray: 1 (Minimize to system tray)" + - "EnableGameOverlay: 0 (Game overlay disabled)" + - "VoiceMode: PushToTalk (Voice activation method)" + + tools: + - name: "Discord Desktop Settings" + description: "Built-in configuration and privacy controls" + - name: "Registry Explorer" + url: "https://ericzimmerman.github.io/#!index.md" + description: "Registry analysis tool" + +limitations: + - "Shows configuration only, not actual chat content or communication history" + - "Server membership doesn't prove active participation or message sending" + - "Settings don't indicate what was actually shared or downloaded" + +correlation: + required_for_definitive_conclusions: + - "Network traffic logs showing actual Discord communication sessions" + - "File system artifacts showing downloaded files from Discord" + - "Process execution logs confirming Discord client activity" + + strengthens_evidence: + - "Browser artifacts showing Discord web client usage" + - "Mobile device analysis for Discord mobile app activity" + +metadata: + windows_versions: + - "Windows 7" + - "Windows 8" + - "Windows 8.1" + - "Windows 10" + - "Windows 11" + + criticality: "medium" + + investigation_types: + - "insider-threat" + - "behavioral-analysis" + - "timeline-analysis" + - "data-exfiltration" + + tags: + - "discord" + - "gaming-communication" + - "informal-channels" + - "voice-chat" + - "screen-sharing" + + references: + - title: "Discord Support Documentation" + url: "https://support.discord.com/" + type: "official" + +author: + name: "Tonmoy Jitu" + github: "tonmoy0010" + x: "tonmoy0010" + +contribution: + date_added: "2025-06-08" + last_updated: "2025-06-12" + version: "3.0" 
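Review bot: the new `discord.yml` omits the `introduced`, `retention` and `related_artifacts` fields that `tor_browser.yml`, added in this same patch, defines, so the artifact schema is inconsistent across the new files; either add them here (even as `introduced: "Discord (2015)"` style entries) or drop them from `tor_browser.yml` and document the reduced schema. Under `examples`, none of the six values (`UserID`, `Username`, `AutoStart`, `MinimizeToTray`, `EnableGameOverlay`, `VoiceMode`) says which of the four `paths` holds it; since the only reference is the Discord support landing page, please state the key each value was observed under. Note also that `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord` is a value under the `Run` key rather than a key of its own, and it is the actual autostart evidence that the `AutoStart: 1` example points at, which the `forensic_value` text and `tags` could say explicitly.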
diff --git a/artifacts/user-activity/mail_client.yml b/artifacts/communication-apps/email_client.yml similarity index 60% rename from artifacts/user-activity/mail_client.yml rename to artifacts/communication-apps/email_client.yml index f928f9e..f9f8d69 100644 --- a/artifacts/user-activity/mail_client.yml +++ b/artifacts/communication-apps/email_client.yml @@ -1,6 +1,6 @@ title: "Email Client Registry Configuration" -category: "user-activity" -description: "Email client settings, MAPI configuration, default mail applications, and messaging protocols" +category: "communication-apps" +description: "Email client settings, MAPI configuration, and default mail applications" paths: - "HKCU\\Software\\Microsoft\\Office\\Outlook" 
@@ -11,25 +11,20 @@ paths: details: what: | - Email client configuration encompasses default mail client registration, MAPI (Messaging - Application Programming Interface) settings, account configuration remnants, mail client - preferences, protocol associations, and messaging subsystem configuration. Controls email - handling behavior, client integration, protocol support, and system-wide messaging - functionality for comprehensive email communication management. + Email client configuration including default mail client registration, MAPI (Messaging + Application Programming Interface) settings, account configuration remnants, and protocol + associations. Controls email handling behavior and system-wide messaging functionality. forensic_value: | - Critical for investigating email-based attacks, data exfiltration through email channels, - and communication pattern analysis. Shows email client usage indicating potential corporate - espionage, reveals mail client modifications that facilitate email interception, and provides - evidence of email-based command and control communication. Essential for understanding - email infrastructure used for malicious activities and insider threat investigations. + Critical for investigating email-based attacks and data exfiltration through email channels. + Shows email client usage indicating potential corporate espionage, reveals mail client + modifications that facilitate email interception, and provides evidence of email-based + command and control communication. structure: | Mail client registration includes default client specification, protocol associations for mailto: links, MAPI provider configuration, and client-specific settings. MAPI configuration - controls messaging API behavior, profile settings, and service provider integration. - Client preferences include server settings, security configurations, and user interface - customizations stored as various registry data types. 
+ controls messaging API behavior and service provider integration. examples: - "Default Mail Client: Microsoft Outlook (Configured default email application)" @@ -53,6 +48,28 @@ details: - name: "Email Client Forensics Tools" description: "Specialized utilities for email client configuration analysis" +limitations: + - "Email client configuration does NOT prove emails were sent, received, or accessed" + - "MAPI settings don't indicate actual messaging API usage or email operations" + - "Default client registration doesn't show email application was actively used" + - "Profile settings don't prove successful email account configuration or connectivity" + - "AutoConfig URLs don't indicate successful email server autodiscovery" + - "Mail client paths don't show application execution or email handling" + - "Protocol associations don't prove mailto: links were actually used" + +correlation: + required_for_definitive_usage_proof: + - "Email client data files showing actual sent/received messages" + - "Process execution logs showing email client application activity" + - "Network traffic logs showing SMTP/IMAP/POP3 email protocol communications" + - "Windows Event Logs showing email client startup and messaging activity" + + strengthens_evidence: + - "Recent documents showing email-related files (PST, EML, MSG files)" + - "Registry keys modified by email applications during message processing" + - "File system artifacts showing email attachment downloads or saves" + - "Browser history showing webmail access or email configuration pages" + metadata: windows_versions: - "Windows 95" @@ -66,7 +83,6 @@ metadata: - "Windows 11" introduced: "Windows 95" - criticality: "medium" investigation_types: @@ -110,5 +126,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
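Review bot: in the `@@ -53,6 +48,28 @@` hunk of `email_client.yml` the correlation block is keyed `required_for_definitive_usage_proof`, while every other `correlation` block in this patch (`internet security zones`, `tor_browser.yml`, `discord.yml`, `microsoft_teams.yml`, `slack.yml`) uses `required_for_definitive_conclusions`; anything that renders or filters on that field name will miss this artifact, so rename it to match. In the `@@ -66,7 +83,6 @@` hunk the line `- criticality: "medium"` is removed with no replacement, whereas the new files in this patch all set `criticality`; if the field is being dropped from the schema, do it everywhere, otherwise restore it.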
diff --git a/artifacts/communication/microsoft_teams.yml b/artifacts/communication-apps/microsoft_teams.yml similarity index 53% rename from artifacts/communication/microsoft_teams.yml rename to artifacts/communication-apps/microsoft_teams.yml index fcab1a4..5b8e812 100644 --- a/artifacts/communication/microsoft_teams.yml +++ b/artifacts/communication-apps/microsoft_teams.yml @@ -1,5 +1,5 @@ title: "Microsoft Teams Desktop Client" -category: "communication" +category: "communication-apps" description: "Microsoft Teams configuration, account integration, and collaboration settings" paths: 
@@ -10,24 +10,17 @@ paths: details: what: | - Microsoft Teams Desktop Client manages enterprise communication including chat, - video conferencing, file sharing, and collaboration workspace integration. - Registry stores user authentication, tenant configurations, meeting settings, - notification preferences, and integration with Office 365 and Microsoft 365 - services for comprehensive workplace collaboration and communication management. + Teams client settings for enterprise communication. Stores user authentication, + tenant configurations, meeting settings, and Office 365 integration preferences. forensic_value: | Critical for investigating internal communications, unauthorized external contacts, - data sharing through Teams channels, and evidence of collaboration activities. - Shows evidence of Teams usage patterns, tenant memberships, external meeting - participation, and potential data exfiltration through Teams file sharing and - communication channels in enterprise environments. + and data sharing through Teams channels. Shows tenant memberships, external meeting + participation, and potential data exfiltration in enterprise environments. structure: | - Teams configuration includes tenant identifiers, user principal names, meeting - policies, chat settings, file sharing permissions, and device integration - preferences. Enterprise policies control external access, guest permissions, - and data governance compliance for comprehensive Teams security management. + Configuration includes tenant identifiers, user principal names, meeting policies, + chat settings, file sharing permissions, and device integration preferences. examples: - "TenantId: company.onmicrosoft.com (Office 365 tenant)" 
@@ -36,16 +29,31 @@ details: - "AllowGuestAccess: 1 (Guest users allowed in meetings)" - "RecordingPolicy: Enabled (Meeting recording allowed)" - "FileSharing: Restricted (Limited file sharing capabilities)" - - "RingOnOtherApps: 1 (Cross-device calling enabled)" tools: - name: "Microsoft Teams Admin Center" description: "Enterprise Teams administration and policy management" - name: "Teams Desktop Client Settings" - description: "Built-in Teams configuration interface" + description: "Built-in configuration interface" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Registry analysis tool" + +limitations: + - "Shows configuration only, not actual chat messages or meeting content" + - "Policy settings don't prove what communications actually occurred" + - "External access configuration doesn't indicate actual external communication" + +correlation: + required_for_definitive_conclusions: + - "Teams audit logs from Microsoft 365 admin center showing actual activities" + - "Network traffic analysis confirming Teams communication sessions" + - "File system artifacts showing downloaded or shared Teams files" + + strengthens_evidence: + - "Office 365 login logs confirming account access" + - "Email artifacts showing Teams meeting invitations" + - "SharePoint artifacts showing Teams-integrated file activities" metadata: windows_versions: @@ -56,13 +64,13 @@ metadata: - "Windows 11" introduced: "Microsoft Teams (2017)" - - criticality: "medium" + criticality: "high" investigation_types: - "insider-threat" - "data-exfiltration" - "behavioral-analysis" + - "incident-response" tags: - "teams" 
@@ -77,16 +85,6 @@ metadata: url: "https://docs.microsoft.com/en-us/microsoftteams/" type: "official" - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Enterprise configurations managed by organizational policies" - volatility: "Communication patterns provide ongoing collaboration intelligence" - - related_artifacts: - - "office_integration" - - "enterprise_communication" - - "collaboration_tools" - author: name: "Tonmoy Jitu" github: "tonmoy0010" @@ -94,5 +92,6 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0 + " diff --git a/artifacts/communication-apps/slack.yml b/artifacts/communication-apps/slack.yml new file mode 100644 index 0000000..5f15170 --- /dev/null +++ b/artifacts/communication-apps/slack.yml 
@@ -0,0 +1,95 @@ +title: "Slack Desktop Application" +category: "communication-apps" +description: "Slack workspace configuration, team memberships, and enterprise communication settings" + +paths: + - "HKCU\\Software\\Slack\\Teams" + - "HKLM\\SOFTWARE\\Slack Technologies\\Slack" + - "HKCU\\Software\\Slack Technologies Inc\\Slack" + - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\SlackTechnologies.Slack_4k3xh6g9q8ydm!App" + +details: + what: | + Slack client settings for workplace communication. Stores workspace configurations, + user credentials, notification settings, and team associations. + + forensic_value: | + Essential for investigating workplace communications, unauthorized workspace access, + and data sharing through Slack channels. Shows workspace memberships, external + Slack usage, and potential data exfiltration through file sharing capabilities. + + structure: | + Configuration includes workspace identifiers, team memberships, user authentication, + notification preferences, and integration settings. 
+ + examples: + - "Team: company-workspace.slack.com (Primary workspace)" + - "Team: external-partner.slack.com (External workspace access)" + - "UserID: U123456789 (Slack user identifier)" + - "Email: user@company.com (Associated email address)" + - "NotificationSound: 1 (Audio notifications enabled)" + - "ShowUnreadBadge: 1 (Unread message indicators enabled)" + + tools: + - name: "Slack Desktop Preferences" + description: "Built-in configuration and workspace management" + - name: "Slack Enterprise Grid Admin" + description: "Enterprise administration and audit capabilities" + - name: "Registry Explorer" + url: "https://ericzimmerman.github.io/#!index.md" + description: "Registry analysis tool" + +limitations: + - "Shows workspace membership but not actual message content" + - "Team configurations don't indicate what information was shared" + - "External workspace access doesn't confirm what data was exchanged" + +correlation: + required_for_definitive_conclusions: + - "Slack audit logs showing actual message and file activities" + - "Network traffic analysis confirming Slack communication sessions" + - "File system artifacts showing downloaded files from Slack channels" + + strengthens_evidence: + - "Browser artifacts showing Slack web client usage" + - "Email artifacts showing Slack workspace invitations" + - "Mobile device analysis for Slack mobile app synchronization" + +metadata: + windows_versions: + - "Windows 7" + - "Windows 8" + - "Windows 8.1" + - "Windows 10" + - "Windows 11" + + criticality: "high" + + investigation_types: + - "insider-threat" + - "data-exfiltration" + - "behavioral-analysis" + - "incident-response" + + tags: + - "slack" + - "workplace-communication" + - "team-collaboration" + - "workspace-access" + - "enterprise-messaging" + - "file-sharing" + + references: + - title: "Slack Documentation" + url: "https://slack.com/help" + type: "official" + +author: + name: "Tonmoy Jitu" + github: "tonmoy0010" + x: "tonmoy0010" + +contribution: + 
date_added: "2025-06-08" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/communication/telephony.yml b/artifacts/communication-apps/telephony.yml similarity index 53% rename from artifacts/communication/telephony.yml rename to artifacts/communication-apps/telephony.yml index fee8192..885bf40 100644 --- a/artifacts/communication/telephony.yml +++ b/artifacts/communication-apps/telephony.yml @@ -1,5 +1,5 @@ title: "Windows Telephony and Communication Services" -category: "communication" +category: "communication-apps" description: "TAPI configuration, VoIP settings, messaging protocols, and communication service integration" paths: 
@@ -10,47 +10,53 @@ paths: details: what: | - Windows Telephony Application Programming Interface (TAPI) and communication services - configuration encompasses VoIP integration, telephony service providers, communication - device management, messaging protocols, and unified communication platform settings. - Controls phone integration, voice services, messaging applications, and communication - protocol support for enterprise and consumer communication solutions. + Windows Telephony API (TAPI) and communication services configuration. + Controls VoIP integration, telephony service providers, messaging protocols, + and unified communication platform settings. forensic_value: | - Critical for investigating unauthorized communication channels, VoIP-based data exfiltration, - covert communication protocols, and misuse of communication services for malicious purposes. - Shows evidence of telephony applications, communication service configurations that could - facilitate unauthorized access, and protocol settings that might indicate command and - control communication attempts through legitimate communication channels. + Critical for investigating unauthorized communication channels, VoIP-based data + exfiltration, and covert communication protocols. Shows telephony applications + and protocol settings that might indicate command and control communication. structure: | - Telephony configuration includes TAPI service providers, communication device registrations, + Configuration includes TAPI service providers, communication device registrations, protocol handlers, messaging service configurations, and VoIP integration settings. - TapiSrv service controls telephony infrastructure with provider registration, device - enumeration, and communication protocol management for comprehensive communication support. 
examples: - "Telephony\\Providers\\Provider0: unimdm.tsp (Universal modem TSP)" - - "Telephony\\Providers\\Provider1: kmddsp.tsp (Kernel mode telephony provider)" - "Communications\\CallHistoryEnabled: 1 (Call history tracking enabled)" - "TapiSrv\\Start: 3 (Telephony service manual startup)" - "VoIPProtocols\\SIP: Enabled (Session Initiation Protocol support)" - "MessagingProtocols\\SMTP: smtp.company.com:587 (Email server configuration)" - "CommunicationApps\\Teams: Registered (Microsoft Teams integration)" - - "PhoneIntegration: 1 (Mobile phone integration enabled)" tools: - name: "Phone and Modem Options (telephon.cpl)" - description: "Built-in Windows telephony and modem configuration interface" + description: "Built-in Windows telephony and modem configuration" - name: "Communication Apps Settings" - description: "Windows communication application configuration and management" + description: "Windows communication application management" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Registry analysis tool" - name: "TAPI Browser" - description: "Telephony API configuration analysis and service enumeration tools" - - name: "VoIP Protocol Analyzer" - description: "Tools for analyzing VoIP and communication protocol configurations" + description: "Telephony API configuration analysis tools" + +limitations: + - "Shows service setup only, not actual call records or communication content" + - "Service provider registration doesn't prove telephony services were used" + - "Protocol configuration doesn't indicate what communications occurred" + +correlation: + required_for_definitive_conclusions: + - "Call detail records (CDR) from telephony systems showing actual communication" + - "Network traffic analysis confirming VoIP protocol usage" + - "Application logs from telephony software showing call activity" + + strengthens_evidence: + - "Communication app 
artifacts showing integrated telephony usage" + - "Network configuration artifacts showing VoIP infrastructure setup" + - "Device management artifacts showing communication hardware integration" metadata: windows_versions: @@ -73,7 +79,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 95 (TAPI 1.0)" - criticality: "medium" investigation_types: @@ -81,39 +86,24 @@ metadata: - "behavioral-analysis" - "incident-response" - "lateral-movement" + - "anti-forensics" tags: - - "communication" - "telephony" - "voip" - "messaging" - "tapi" - "communication-protocols" - "covert-channels" - - "unified-communications" references: - title: "Microsoft Documentation: Telephony API (TAPI)" url: "https://docs.microsoft.com/en-us/windows/win32/tapi/telephony-application-programming-interfaces" type: "official" - - title: "Windows Communication Services Security" - url: "https://docs.microsoft.com/en-us/windows/security/" - type: "official" - title: "VoIP Security and Forensics Analysis" url: "https://www.sans.org/white-papers/33649/" type: "research" - retention: - default_location: "Registry hive files (SOFTWARE, SYSTEM, NTUSER.DAT)" - persistence: "Communication service configuration persists until service reconfiguration" - volatility: "Protocol settings affect ongoing communication service security and monitoring" - - related_artifacts: - - "network_interfaces" - - "firewall_rules" - - "proxy_settings" - - "installed_programs" - author: name: "Tonmoy Jitu" github: "tonmoy0010" @@ -121,5 +111,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/communication/whatsapp.yml b/artifacts/communication-apps/whatsapp.yml similarity index 51% rename from artifacts/communication/whatsapp.yml rename to artifacts/communication-apps/whatsapp.yml index 445dc09..b93f240 100644 --- a/artifacts/communication/whatsapp.yml 
+++ b/artifacts/communication-apps/whatsapp.yml @@ -1,5 +1,5 @@ title: "WhatsApp Desktop Application" -category: "communication" +category: "communication-apps" description: "WhatsApp Desktop configuration, account linking, and messaging settings" paths: 
@@ -10,41 +10,49 @@ paths: details: what: | - WhatsApp Desktop Application enables messaging synchronization between mobile - WhatsApp and Windows desktop through QR code linking. Registry stores account - linking data, notification preferences, media download settings, and desktop - integration configuration for comprehensive cross-platform messaging experience - with end-to-end encryption and multimedia sharing capabilities. + WhatsApp desktop client settings for cross-platform messaging. Stores account + linking data, notification preferences, and media download settings. forensic_value: | - Important for investigating personal communication on corporate devices, - unauthorized external messaging, and potential data sharing through WhatsApp's - multimedia capabilities. Shows evidence of personal device linking, messaging - activity patterns, and external communication that may bypass corporate - monitoring through encrypted messaging platform usage. + Important for investigating personal communication on corporate devices and + unauthorized external messaging. Shows personal device linking, messaging + activity patterns, and external communication bypassing corporate monitoring. structure: | - WhatsApp configuration includes account linking information, notification - settings, media auto-download preferences, and desktop integration options. - Linking data shows mobile device associations and authentication sessions - for comprehensive WhatsApp Desktop usage analysis and communication tracking. + Configuration includes account linking information, notification settings, + media auto-download preferences, and desktop integration options. 
examples: - "LinkedDevice: Android/iPhone (Linked mobile device type)" - "AutoDownloadMedia: 1 (Automatic media download enabled)" - "Notifications: 1 (Desktop notifications enabled)" - - "StartMinimized: 0 (Application starts in normal window)" - "PlaySounds: 1 (Message notification sounds enabled)" - "LaunchAtStartup: 1 (WhatsApp starts with Windows)" tools: - name: "WhatsApp Desktop Settings" - description: "Built-in WhatsApp configuration and notification controls" + description: "Built-in configuration and notification controls" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Registry analysis tool" - name: "Mobile Device Analysis Tools" - description: "Complementary mobile forensics for complete WhatsApp analysis" + description: "Complementary mobile forensics for complete analysis" + +limitations: + - "Shows configuration only, not actual message content due to encryption" + - "Device linking information doesn't reveal what messages were sent" + - "Media download settings don't show what files were actually downloaded" + +correlation: + required_for_definitive_conclusions: + - "Mobile device analysis showing WhatsApp database and media files" + - "Network traffic analysis confirming WhatsApp communication sessions" + - "File system artifacts showing WhatsApp media downloads" + + strengthens_evidence: + - "Browser artifacts showing WhatsApp Web usage" + - "Notification logs showing WhatsApp message alerts" + - "Process execution logs confirming WhatsApp desktop activity" metadata: windows_versions: @@ -61,6 +69,7 @@ metadata: - "behavioral-analysis" - "timeline-analysis" - "incident-response" + - "insider-threat" tags: - "whatsapp" 
@@ -68,23 +77,12 @@ metadata: - "encrypted-communication" - "mobile-linking" - "multimedia-sharing" - - "cross-platform" references: - title: "WhatsApp Desktop Support" url: "https://faq.whatsapp.com/general/download-and-installation/how-to-download-and-install-whatsapp-desktop" type: "official" - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Account linking and preferences persist until manual disconnection" - volatility: "Messaging activity patterns provide personal communication intelligence" - - related_artifacts: - - "personal_messaging" - - "mobile_device_linking" - - "encrypted_communication" - author: name: "Tonmoy Jitu" github: "tonmoy0010" @@ -92,5 +90,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/communication/zoom.yml b/artifacts/communication-apps/zoom.yml similarity index 51% rename from artifacts/communication/zoom.yml rename to artifacts/communication-apps/zoom.yml index c3f992a..a1d5d8d 100644 --- a/artifacts/communication/zoom.yml +++ b/artifacts/communication-apps/zoom.yml @@ -1,5 +1,5 @@ title: "Zoom Desktop Client" -category: "communication" +category: "communication-apps" description: "Zoom video conferencing configuration, meeting settings, and account integration" paths: 
@@ -10,24 +10,17 @@ paths: details: what: | - Zoom Desktop Client manages video conferencing including meeting participation, - recording settings, security configurations, and account integration. Registry - stores user authentication, meeting preferences, security settings, recording - locations, and enterprise Single Sign-On (SSO) configurations for comprehensive - video communication platform with extensive meeting and webinar capabilities. + Zoom client settings for video conferencing. Stores user authentication, + meeting preferences, security configurations, and recording locations. forensic_value: | Critical for investigating meeting participation, unauthorized external meetings, - recording activities, and potential data sharing through Zoom sessions. Shows - evidence of meeting history, account associations, recording configurations, - and external communication patterns through video conferencing that may bypass - traditional communication monitoring and corporate security controls. + and recording activities. Shows account associations, recording configurations, + and external communication patterns through video conferencing. structure: | - Zoom configuration includes account identifiers, SSO settings, meeting preferences, + Configuration includes account identifiers, SSO settings, meeting preferences, recording locations, security configurations, and device integration options. - Enterprise settings control meeting policies, recording permissions, and - external participant restrictions for comprehensive Zoom security management. examples: - "Email: user@company.com (Zoom account email)" 
@@ -35,17 +28,32 @@ details: - "AutoRecord: 1 (Automatic meeting recording enabled)" - "RecordPath: C:\\Users\\user\\Documents\\Zoom (Recording save location)" - "JoinBeforeHost: 0 (Participants cannot join before host)" - - "MuteOnEntry: 1 (Participants muted when joining)" - "EnableWaitingRoom: 1 (Waiting room security enabled)" tools: - name: "Zoom Desktop Client Settings" - description: "Built-in Zoom configuration and meeting preferences" + description: "Built-in configuration and meeting preferences" - name: "Zoom Admin Portal" - description: "Enterprise Zoom administration and usage analytics" + description: "Enterprise administration and usage analytics" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Registry analysis tool" + +limitations: + - "Shows configuration only, not actual meeting content or participants" + - "Recording settings don't indicate what meetings were actually recorded" + - "Account information doesn't prove what meetings were attended" + +correlation: + required_for_definitive_conclusions: + - "Zoom cloud dashboard or local meeting logs showing actual participation" + - "File system artifacts showing locally recorded meeting files" + - "Network traffic analysis confirming Zoom meeting connections" + + strengthens_evidence: + - "Calendar artifacts showing Zoom meeting invitations" + - "Email artifacts showing Zoom meeting notifications" + - "Browser artifacts showing Zoom web client usage" metadata: windows_versions: @@ -55,14 +63,13 @@ metadata: - "Windows 10" - "Windows 11" - introduced: "Zoom Desktop Client" - criticality: "medium" investigation_types: - "behavioral-analysis" - "timeline-analysis" - "incident-response" + - "insider-threat" tags: - "zoom" 
@@ -70,23 +77,12 @@ metadata: - "meeting-recording" - "remote-collaboration" - "enterprise-sso" - - "webinars" references: - title: "Zoom Support Documentation" url: "https://support.zoom.us/" type: "official" - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Account and meeting settings persist across application sessions" - volatility: "Meeting activity and recordings provide communication pattern evidence" - - related_artifacts: - - "video_conferencing" - - "meeting_recordings" - - "remote_collaboration" - author: name: "Tonmoy Jitu" github: "tonmoy0010" @@ -94,5 +90,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/communication/discord.yml b/artifacts/communication/discord.yml deleted file mode 100644 index 4b8190a..0000000 --- a/artifacts/communication/discord.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -title: "Discord Desktop Client" -category: "communication" -description: "Discord application configuration, server memberships, and communication settings" - -paths: - - "HKCU\\Software\\Discord" - - "HKLM\\SOFTWARE\\Discord Inc\\Discord" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Discord" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord" - -details: - what: | - Discord Desktop Client manages gaming and community communication including text - chat, voice channels, screen sharing, and server memberships. Registry stores - user authentication, server configurations, notification settings, privacy - preferences, and integration options for comprehensive gaming-focused - communication platform with potential corporate usage scenarios. - - forensic_value: | - Important for investigating unauthorized external communications, potential data - sharing through Discord channels, gaming-related activities, and evidence of - informal communication channels that bypass corporate monitoring. Can reveal - membership in suspicious servers, external contact patterns, and potential - data exfiltration through gaming communication platforms. - - structure: | - Discord configuration includes user identifiers, server memberships, privacy - settings, notification preferences, and voice/video call configurations. - Authentication data shows account associations and login patterns for - comprehensive Discord usage analysis and communication behavior tracking. 
- - examples: - - "UserID: 123456789012345678 (Discord user identifier)" - - "Username: employee_username (Discord display name)" - - "AutoStart: 1 (Discord starts with Windows)" - - "MinimizeToTray: 1 (Minimize to system tray)" - - "EnableGameOverlay: 0 (Game overlay disabled)" - - "StreamNotifications: 1 (Stream notifications enabled)" - - "VoiceMode: PushToTalk (Voice activation method)" - - tools: - - name: "Discord Desktop Settings" - description: "Built-in Discord configuration and privacy controls" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Discord Server Audit Tools" - description: "Third-party tools for Discord server and user analysis" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Discord Desktop Client" - - criticality: "medium" - - investigation_types: - - "insider-threat" - - "behavioral-analysis" - - "timeline-analysis" - - tags: - - "discord" - - "gaming-communication" - - "informal-channels" - - "voice-chat" - - "screen-sharing" - - "community-platforms" - - references: - - title: "Discord Support Documentation" - url: "https://support.discord.com/" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "User preferences and server memberships persist across sessions" - volatility: "Communication activity provides ongoing behavioral intelligence" - - related_artifacts: - - "gaming_applications" - - "informal_communication" - - "voice_chat_history" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" diff --git a/artifacts/communication/slack.yml b/artifacts/communication/slack.yml deleted file mode 100644 index 7a2fdd6..0000000 --- a/artifacts/communication/slack.yml +++ /dev/null 
@@ -1,98 +0,0 @@ -title: "Slack Desktop Application" -category: "communication" -description: "Slack workspace configuration, team memberships, and enterprise communication settings" - -paths: - - "HKCU\\Software\\Slack\\Teams" - - "HKLM\\SOFTWARE\\Slack Technologies\\Slack" - - "HKCU\\Software\\Slack Technologies Inc\\Slack" - - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\SlackTechnologies.Slack_4k3xh6g9q8ydm!App" - -details: - what: | - Slack Desktop Application manages workplace communication including channel - memberships, direct messaging, file sharing, and workspace integration. - Registry stores workspace configurations, user credentials, notification - settings, and team associations for comprehensive enterprise communication - platform with extensive third-party integration capabilities and collaboration features. - - forensic_value: | - Essential for investigating workplace communications, unauthorized workspace - access, data sharing through Slack channels, and evidence of internal - collaboration or conspiracy. Shows evidence of workspace memberships, external - Slack usage, file sharing activities, and potential data exfiltration through - Slack's extensive integration and file sharing capabilities. - - structure: | - Slack configuration includes workspace identifiers, team memberships, user - authentication, notification preferences, and integration settings. Workspace - data shows team domains, user roles, and access permissions for comprehensive - Slack usage analysis and workplace communication behavior tracking. 
- - examples: - - "Team: company-workspace.slack.com (Primary workspace)" - - "Team: external-partner.slack.com (External workspace access)" - - "UserID: U123456789 (Slack user identifier)" - - "Email: user@company.com (Associated email address)" - - "NotificationSound: 1 (Audio notifications enabled)" - - "AutoHideMenuBar: 0 (Menu bar always visible)" - - "ShowUnreadBadge: 1 (Unread message indicators enabled)" - - tools: - - name: "Slack Desktop Preferences" - description: "Built-in Slack configuration and workspace management" - - name: "Slack Enterprise Grid Admin" - description: "Enterprise Slack administration and audit capabilities" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - -metadata: - windows_versions: - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - introduced: "Slack Desktop Application" - - criticality: "medium" - - investigation_types: - - "insider-threat" - - "data-exfiltration" - - "behavioral-analysis" - - tags: - - "slack" - - "workplace-communication" - - "team-collaboration" - - "workspace-access" - - "enterprise-messaging" - - "file-sharing" - - references: - - title: "Slack Documentation" - url: "https://slack.com/help" - type: "official" - - retention: - default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" - persistence: "Workspace memberships and settings persist per user configuration" - volatility: "Workspace activity provides ongoing workplace communication intelligence" - - related_artifacts: - - "workplace_communication" - - "team_collaboration" - - "enterprise_messaging" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" 
diff --git a/artifacts/usb/device_capabilities.yml b/artifacts/external-storage/usb_device_capabilities.yml similarity index 62% rename from artifacts/usb/device_capabilities.yml rename to artifacts/external-storage/usb_device_capabilities.yml index 1425a2a..df37020 100644 --- a/artifacts/usb/device_capabilities.yml +++ b/artifacts/external-storage/usb_device_capabilities.yml @@ -1,6 +1,6 @@ title: "USB Device Capabilities and Properties" -category: "usb" -description: "USB device characteristics, capabilities, hardware properties, and identification data" +category: "external-storage" +description: "USB device hardware properties, capabilities, and identification data for connected devices" paths: - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB\\VID_*&PID_*" 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows stores comprehensive USB device information including vendor/product IDs (VID/PID), - device capabilities, hardware characteristics, power requirements, supported features, - and device enumeration data. Tracks both storage and non-storage USB devices with - detailed technical specifications, driver associations, and compatibility information - for proper device enumeration and driver selection. + Windows stores USB device information including vendor/product IDs (VID/PID), device capabilities, + hardware characteristics, power requirements, and supported features. Tracks both storage and + non-storage USB devices with technical specifications and driver associations for device enumeration. forensic_value: | - Provides detailed device identification beyond basic vendor/product information. - Shows device capabilities that could indicate specialized hardware, covert devices, - modified USB devices, or devices specifically designed for data exfiltration or attacks. - Can identify USB weaponization attempts, reveal device modification, and track - sophisticated attack tools or surveillance equipment. + Identifies device capabilities beyond basic vendor information. Can reveal specialized hardware, + covert devices, modified USB devices, or attack tools designed for data exfiltration. Useful + for detecting USB weaponization attempts, device modification, and sophisticated surveillance equipment. structure: | - Device instance subkeys identified by VID (Vendor ID) and PID (Product ID) containing - Capabilities, DeviceDesc, HardwareID, CompatibleIDs, Service values, and configuration data. - Binary capability flags indicate supported features, power characteristics, and device classes. - ContainerID links related device interfaces and functions. + Device instance subkeys identified by VID (Vendor ID) and PID (Product ID) containing Capabilities, + DeviceDesc, HardwareID, CompatibleIDs, and Service values. 
Binary capability flags indicate supported + features and power characteristics. ContainerID links related device interfaces. examples: - "VID_0951&PID_1666: Kingston DataTraveler USB drive" @@ -56,6 +51,28 @@ details: - name: "USB Detective" description: "Specialized USB forensics tools for device identification and analysis" +limitations: + - "Device capability registration does NOT prove device was actively used for data transfer" + - "Hardware properties don't indicate what files were accessed or copied" + - "Device enumeration occurs during connection but doesn't prove malicious activity" + - "Capability flags may not reflect actual device usage or user actions" + - "Driver association doesn't indicate successful data operations" + - "Device presence doesn't prove data exfiltration or unauthorized access" + +correlation: + required_for_definitive_usage_proof: + - "File system artifacts showing actual file access or modification on USB device" + - "Event logs (Event ID 6416) showing volume mounting and access" + - "ShellBags showing user navigation to USB drive folders" + - "Recent documents referencing files from USB device" + - "Link files (.lnk) pointing to USB device locations" + + strengthens_evidence: + - "USB device connection timestamps from last write times" + - "Drive letter assignments showing device mounting" + - "Prefetch files showing execution of programs from USB device" + - "Network logs if USB device contained remote access tools" + metadata: windows_versions: - "Windows 98" @@ -75,12 +92,12 @@ metadata: - "Windows Server 2019" - "Windows Server 2022" - introduced: "Windows 98 (USB support)" - + introduced: "Windows 98" criticality: "medium" investigation_types: - "data-exfiltration" + - "initial-access" - "malware-analysis" - "incident-response" - "timeline-analysis" 
@@ -130,5 +147,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/usb/device_history.yml b/artifacts/external-storage/usb_device_connection_history.yml similarity index 59% rename from artifacts/usb/device_history.yml rename to artifacts/external-storage/usb_device_connection_history.yml index aeface2..fc2a7a4 100644 --- a/artifacts/usb/device_history.yml +++ b/artifacts/external-storage/usb_device_connection_history.yml @@ -1,6 +1,6 @@ title: "USB Device Connection History" -category: "usb" -description: "Complete USB device connection tracking with vendor information, connection timestamps, and device enumeration history" +category: "external-storage" +description: "USB device connection tracking with vendor information, timestamps, and device enumeration history" paths: - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR" 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows maintains comprehensive USB device connection history including all connected USB - storage devices, their vendor/product identifiers, serial numbers, connection timestamps, - device properties, and enumeration data. Tracks both current and historical USB device - connections with detailed hardware identification, driver associations, and device capabilities - for complete USB forensic analysis and device tracking. + Windows maintains USB device connection history including storage devices, vendor/product identifiers, + serial numbers, connection timestamps, and device properties. Tracks current and historical USB + device connections with hardware identification and driver associations. forensic_value: | - Essential for USB-based investigations including data exfiltration, malware delivery, - and unauthorized device usage. Provides complete history of USB devices connected to - the system, enabling identification of specific devices used for data theft, malware - introduction, or unauthorized access. Critical for establishing device usage timelines, - correlating USB activity with security incidents, and identifying recurring suspicious devices. + Shows complete history of USB devices connected to the system, enabling identification of specific + devices used in investigations. Critical for establishing device usage timelines, correlating USB + activity with security incidents, and identifying recurring suspicious devices. structure: | - USBSTOR contains storage device entries with vendor, product, version, and unique serial - numbers. USB enumeration tracks all USB devices including non-storage items. Portable - Devices manages device-specific settings and capabilities. EMDMgmt contains external - device management policies and ReadyBoost configuration for USB optimization and security. + USBSTOR contains storage device entries with vendor, product, version, and unique serial numbers. 
+ USB enumeration tracks all USB devices including non-storage items. Portable Devices manages + device-specific settings. EMDMgmt contains external device management policies. examples: - "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\001CC0EC336BD480&0" @@ -55,6 +50,28 @@ details: - name: "Device Manager (devmgmt.msc)" description: "Built-in Windows device management and USB device information" +limitations: + - "Device connection history does NOT prove files were accessed or transferred" + - "Connection timestamps don't indicate what data operations occurred" + - "Device presence doesn't prove malicious activity or data exfiltration" + - "Serial numbers can be spoofed or modified by specialized tools" + - "Connection records may include legitimate maintenance or antivirus scanning" + - "Multiple connections don't necessarily indicate repeated data theft" + +correlation: + required_for_definitive_usage_proof: + - "File system artifacts showing actual file access on USB device" + - "Event logs (Event ID 6416) showing volume mounting and file operations" + - "ShellBags showing user navigation to USB drive folders" + - "Recent documents or LNK files referencing USB device content" + - "Application logs showing file operations on external storage" + + strengthens_evidence: + - "Drive letter assignments correlating devices to file system activity" + - "Registry last write times providing precise connection timestamps" + - "Network logs if USB contained remote access tools or exfiltrated data" + - "Process execution logs if programs were launched from USB device" + metadata: windows_versions: - "Windows 2000" @@ -73,15 +90,15 @@ metadata: - "Windows Server 2022" introduced: "Windows 2000" - criticality: "high" investigation_types: - "data-exfiltration" - - "malware-analysis" + - "initial-access" - "insider-threat" - "timeline-analysis" - "incident-response" + - "malware-analysis" tags: - "usb" 
@@ -110,8 +127,8 @@ metadata: volatility: "Connection timestamps provide precise device usage correlation data" related_artifacts: - - "usb_device_capabilities" - - "drive_letter_mapping" + - "device_capabilities" + - "drive_letter_mapping" - "last_write_times" - "shellbags" - "recent_docs" @@ -123,5 +140,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/usb/drive_letter_mapping.yml b/artifacts/external-storage/usb_drive_letter_mapping.yml similarity index 61% rename from artifacts/usb/drive_letter_mapping.yml rename to artifacts/external-storage/usb_drive_letter_mapping.yml index fa8be61..315893d 100644 --- a/artifacts/usb/drive_letter_mapping.yml +++ b/artifacts/external-storage/usb_drive_letter_mapping.yml @@ -1,5 +1,5 @@ title: "USB Drive Letter Assignments" -category: "usb" +category: "external-storage" description: "Drive letter mappings for USB storage devices with volume serial numbers and device correlation" paths: 
@@ -9,24 +9,19 @@ paths: details: what: | - Windows maintains persistent drive letter assignments for storage devices including USB drives, - external hard drives, and removable media. Correlates drive letters with device identifiers, - volume serial numbers, and hardware signatures to ensure consistent drive letter assignment - across multiple connection sessions. Manages mount point relationships and device recognition - for seamless user experience with removable storage devices. + Windows maintains drive letter assignments for storage devices including USB drives and removable media. + Correlates drive letters with device identifiers, volume serial numbers, and hardware signatures to + ensure consistent assignment across connection sessions. forensic_value: | - Critical for correlating USB device connections with file system artifacts, establishing - which specific USB device was assigned particular drive letters during file operations. - Essential for data exfiltration investigations, linking file access artifacts to specific - hardware devices, and establishing timeline correlations between device connections and - file transfer activities. Provides definitive evidence of which USB device accessed specific files. + Critical for correlating USB device connections with file system artifacts, establishing which specific + USB device was assigned particular drive letters during file operations. Essential for linking file + access artifacts to specific hardware devices and establishing timeline correlations. structure: | - Binary data structures linking drive letters (\\\\DosDevices\\\\C:) to device identifiers - and volume information. USB storage devices identified by unique signatures including - vendor ID, product ID, and serial numbers embedded in binary format. Mount Manager - maintains additional metadata for device mounting and unmounting operations. 
+ Binary data structures linking drive letters (\\\\DosDevices\\\\C:) to device identifiers and volume + information. USB storage devices identified by unique signatures including vendor ID, product ID, + and serial numbers embedded in binary format. examples: - "\\\\DosDevices\\\\E:: USB#VID_0951&PID_1666#50E549C6E258F571&0 (Kingston DataTraveler)" @@ -51,6 +46,28 @@ details: - name: "Disk Management (diskmgmt.msc)" description: "Windows built-in drive and volume management interface" +limitations: + - "Drive letter assignment does NOT prove files were accessed from the device" + - "Mount point creation doesn't indicate actual file operations occurred" + - "Device mapping may persist after legitimate usage without indicating data theft" + - "Drive letter assignment can occur from antivirus scanning without user access" + - "Multiple assignments don't prove repeated unauthorized access" + - "Volume mounting doesn't indicate what files were viewed or copied" + +correlation: + required_for_definitive_access_proof: + - "File system artifacts showing actual file access or modification on USB device" + - "ShellBags showing user navigation to specific drive letters" + - "Recent documents or LNK files pointing to files on assigned drive letters" + - "Event logs (Event ID 6416) showing successful volume access" + - "Application logs showing file operations on the mounted drive" + + strengthens_evidence: + - "USB device connection history correlating to drive letter assignment times" + - "Registry last write times showing device mounting correlation" + - "Prefetch files showing execution of programs from specific drive letters" + - "Network logs if drive contained remote access tools or exfiltrated data" + metadata: windows_versions: - "Windows 2000" @@ -69,13 +86,13 @@ metadata: - "Windows Server 2022" introduced: "Windows 2000" - criticality: "high" investigation_types: - "data-exfiltration" - "insider-threat" - "timeline-analysis" + - "incident-response" tags: - "usb" 
@@ -103,7 +120,7 @@ metadata: volatility: "Device mappings provide ongoing correlation data for USB device usage" related_artifacts: - - "usb_device_history" + - "device_history" - "device_capabilities" - "last_write_times" - "mounted_volumes" @@ -115,5 +132,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/usb/last_write_times.yml b/artifacts/external-storage/usb_last_write_times.yml similarity index 61% rename from artifacts/usb/last_write_times.yml rename to artifacts/external-storage/usb_last_write_times.yml index 1e20b85..aab74a5 100644 --- a/artifacts/usb/last_write_times.yml +++ b/artifacts/external-storage/usb_last_write_times.yml @@ -1,5 +1,5 @@ title: "USB Device Last Write Times" -category: "usb" +category: "external-storage" description: "USB device connection timestamps from registry key last write times and device enumeration data" paths: 
@@ -9,24 +9,19 @@ paths: details: what: | - Registry key last write times provide precise timestamps indicating when USB storage devices - were last connected, enumerated, or had their configuration updated by the Windows Plug and Play - subsystem. These timestamps correlate directly with device connection events, driver installations, - and hardware configuration changes, offering forensic investigators exact timing information - for USB device interactions with the system. + Registry key last write times provide precise timestamps indicating when USB storage devices + were last connected, enumerated, or had their configuration updated by the Windows Plug and Play + subsystem. These timestamps correlate with device connection events and driver installations. forensic_value: | - Critical for establishing precise USB device connection timelines in data exfiltration investigations, - insider threat cases, and malware delivery scenarios. Provides exact timestamps for when specific - USB devices were connected, enabling correlation with file access logs, user activity, and security - events. Essential for proving temporal relationships between device connections and suspicious - file operations, establishing evidence chains, and timeline reconstruction in digital forensics. + Critical for establishing precise USB device connection timelines in data exfiltration investigations. + Provides exact timestamps for when specific USB devices were connected, enabling correlation with + file access logs, user activity, and security events for timeline reconstruction. structure: | - Registry key timestamps stored in NTFS metadata as FILETIME structures (64-bit values representing - 100-nanosecond intervals since January 1, 1601 UTC). Each USB device subkey's last write time - indicates most recent connection or configuration change. Device enumeration hierarchy preserves - connection chronology with vendor ID, product ID, and serial number correlation. 
+ Registry key timestamps stored as FILETIME structures (64-bit values representing 100-nanosecond + intervals since January 1, 1601 UTC). Each USB device subkey's last write time indicates most + recent connection or configuration change with vendor ID, product ID, and serial number correlation. examples: - "Device Key: USBSTOR\\\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP" @@ -51,6 +46,28 @@ details: - name: "Windows Event Log Correlation Tools" description: "Correlate registry timestamps with Windows Event Log entries" +limitations: + - "Last write times do NOT prove files were accessed or transferred from device" + - "Registry timestamps show device enumeration, not actual usage or data operations" + - "Connection events may be from antivirus scanning or system maintenance" + - "Multiple timestamps don't necessarily indicate repeated data theft" + - "Device enumeration can occur without user interaction or file access" + - "Registry modification may be from driver updates or configuration changes" + +correlation: + required_for_definitive_usage_proof: + - "File system artifacts showing actual file access during connection times" + - "Event logs (Event ID 6416) showing volume mounting and file operations" + - "ShellBags showing user navigation to USB device during connection window" + - "Recent documents or LNK files with timestamps matching connection periods" + - "Application logs showing file operations during device connection times" + + strengthens_evidence: + - "Drive letter assignment correlating to connection timestamps" + - "User activity logs showing logon/activity during device connection" + - "Network logs if USB contained remote access tools used during connection" + - "Process execution logs showing programs launched during USB connection window" + metadata: windows_versions: - "Windows XP" 
@@ -68,13 +85,13 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "high" investigation_types: - "timeline-analysis" - "data-exfiltration" - "insider-threat" + - "incident-response" tags: - "usb" @@ -102,7 +119,7 @@ metadata: volatility: "Provides precise temporal correlation for USB device usage patterns" related_artifacts: - - "usb_device_history" + - "device_history" - "drive_letter_mapping" - "device_capabilities" - "hardware_devices" @@ -114,5 +131,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/usb/wpdbusenum_connections.yml b/artifacts/external-storage/wpdbusenum_connections.yml similarity index 63% rename from artifacts/usb/wpdbusenum_connections.yml rename to artifacts/external-storage/wpdbusenum_connections.yml index e2b6ab8..d9f6986 100644 --- a/artifacts/usb/wpdbusenum_connections.yml +++ b/artifacts/external-storage/wpdbusenum_connections.yml @@ -1,6 +1,6 @@ title: "WPDBUSENUM Portable Device Connections" -category: "usb" -description: "Windows Portable Device Bus Enumerator tracking for mobile phones, cameras, media players, and other portable devices" +category: "external-storage" +description: "Windows Portable Device Bus Enumerator tracking for mobile phones, cameras, and media players" paths: - "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM" 
@@ -9,24 +9,19 @@ paths: details: what: | - Windows Portable Device Bus Enumerator (WPDBUSENUM) tracks connections of portable devices including - smartphones, digital cameras, media players, tablets, and other MTP/PTP devices that don't appear - as traditional storage devices. Manages device enumeration, driver associations, and connection - metadata for portable devices that use Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) - for advanced device interaction and media synchronization. + Windows Portable Device Bus Enumerator (WPDBUSENUM) tracks connections of portable devices including + smartphones, digital cameras, media players, and tablets that use Media Transfer Protocol (MTP) or + Picture Transfer Protocol (PTP) rather than appearing as traditional storage devices. forensic_value: | - Critical for mobile device forensics and investigations involving smartphones, tablets, and digital - cameras. Shows evidence of mobile device connections that could indicate data transfer, photo/video - extraction, or mobile device exploitation. Essential for cases involving mobile-based evidence, - BYOD policy violations, unauthorized device connections, and mobile-to-PC data transfer activities. - Can reveal connections even when devices don't mount as traditional drives. + Critical for mobile device forensics and investigations involving smartphones, tablets, and digital + cameras. Shows evidence of mobile device connections that could indicate data transfer, photo/video + extraction, or mobile device exploitation even when devices don't mount as traditional drives. structure: | - Device entries organized under WPDBUSENUM with unique device identifiers containing DeviceDesc - (device description), HardwareID (vendor/product identification), Service (driver association), - ContainerID (device grouping), and connection metadata. 
Each device maintains enumeration data, - capabilities information, and driver binding details for comprehensive portable device tracking. + Device entries organized under WPDBUSENUM with unique device identifiers containing DeviceDesc, + HardwareID, Service, ContainerID, and connection metadata. Each device maintains enumeration data, + capabilities information, and driver binding details. examples: - "WPDBUSENUM\\\\{12345678-1234-5678-9abc-123456789abc}\\\\0000: iPhone connection" @@ -52,6 +47,28 @@ details: - name: "Mobile Device Forensics Tools" description: "Specialized forensic utilities for mobile device connection analysis" +limitations: + - "Device enumeration does NOT prove files were transferred to or from the device" + - "Connection records don't indicate what data operations occurred" + - "MTP/PTP device presence doesn't prove unauthorized data access" + - "Device capabilities registration may be from legitimate sync or charging" + - "Portable device connection doesn't indicate successful data extraction" + - "Driver association may occur without actual file transfer operations" + +correlation: + required_for_definitive_access_proof: + - "File system artifacts showing files transferred from portable device" + - "Application logs showing successful MTP/PTP data operations" + - "Recent documents or photos with metadata indicating portable device origin" + - "Event logs showing successful device authentication and data access" + - "Network logs if device was used for internet access or cloud synchronization" + + strengthens_evidence: + - "Registry timestamps correlating device connection to file transfer times" + - "Photo/video files with EXIF data matching connected camera or phone" + - "USB connection logs showing physical device attachment" + - "User activity logs showing interaction during device connection periods" + metadata: windows_versions: - "Windows Vista" 
@@ -67,11 +84,11 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - criticality: "high" investigation_types: - "data-exfiltration" + - "initial-access" - "insider-threat" - "timeline-analysis" - "incident-response" @@ -104,7 +121,7 @@ metadata: volatility: "Connection data provides evidence of mobile device interactions and data transfer" related_artifacts: - - "usb_device_history" + - "device_history" - "device_capabilities" - "hardware_devices" - "drive_letter_mapping" @@ -116,5 +133,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/file_history_backup.yml b/artifacts/file-operations/file_history_backup.yml similarity index 62% rename from artifacts/system/file_history_backup.yml rename to artifacts/file-operations/file_history_backup.yml index ec1368e..21d08b5 100644 --- a/artifacts/system/file_history_backup.yml +++ b/artifacts/file-operations/file_history_backup.yml @@ -1,5 +1,5 @@ title: "File History and Backup System Configuration" -category: "system" +category: "file-operations" description: "File History backup settings, backup destinations, excluded folders, and automated backup policies" paths: 
@@ -10,23 +10,21 @@ paths: details: what: | - Windows File History service provides automated backup and versioning for user files, - documents, pictures, music, and desktop contents. Configuration includes backup destinations, - inclusion/exclusion rules, backup frequency, retention policies, and network backup - locations for comprehensive data protection and file recovery capabilities. + Windows File History service provides automated backup and versioning for user files, documents, + pictures, music, and desktop contents. Configuration includes backup destinations, inclusion/exclusion + rules, backup frequency, retention policies, and network backup locations for comprehensive + data protection and file recovery. forensic_value: | - Critical for data recovery investigations, timeline reconstruction using historical file - versions, and detecting attempts to hide evidence through file deletion. File History - configuration reveals backup locations that may contain deleted evidence, shows user - data protection awareness, and indicates potential evidence preservation or destruction - attempts. Essential for recovering deleted files and establishing file modification timelines. + Critical for data recovery investigations, timeline reconstruction using historical file versions, + and detecting attempts to hide evidence through file deletion. File History configuration reveals + backup locations that may contain deleted evidence and shows user data protection awareness. structure: | - File History configuration includes TargetUrl (backup destination), LocalUserConfigPath - (configuration location), ProtectedFolders (included directories), ExcludedFolders (excluded - directories), and backup frequency settings. Policy configurations control enterprise - backup enforcement, retention periods, and administrative backup management restrictions. 
+ File History configuration includes TargetUrl (backup destination), LocalUserConfigPath + (configuration location), ProtectedFolders (included directories), ExcludedFolders (excluded + directories), and backup frequency settings. Policy configurations control enterprise backup + enforcement and retention periods. examples: - "TargetUrl: D:\\FileHistory (Local drive backup destination)" @@ -51,6 +49,28 @@ details: - name: "Backup and Restore Analysis Tools" description: "Third-party utilities for backup configuration analysis" +limitations: + - "File History configuration does NOT prove backup operations actually occurred" + - "Backup destination settings don't indicate successful file backup completion" + - "Retention policies don't prove historical file versions are available" + - "Backup frequency settings don't indicate actual backup execution success" + - "Configuration status may show enabled but backups could be failing" + - "Excluded folder settings don't prove files were intentionally hidden from backup" + +correlation: + required_for_definitive_backup_proof: + - "Actual File History backup files and folders at configured destinations" + - "Event logs showing File History service execution and backup operations" + - "File system artifacts showing backup destination activity and file transfers" + - "Registry changes showing File History configuration during backup periods" + - "Process execution logs showing File History service running during backup times" + + strengthens_evidence: + - "File modification times in backup directories correlating with configuration settings" + - "Network logs showing backup traffic to configured network destinations" + - "Registry changes showing File History status updates during backup operations" + - "Event logs showing backup success or failure events" + metadata: windows_versions: - "Windows 8" @@ -59,7 +79,6 @@ metadata: - "Windows 11" introduced: "Windows 8" - criticality: "high" investigation_types: 
@@ -68,7 +87,6 @@ metadata: - "incident-response" tags: - - "system" - "file-history" - "backup" - "data-recovery" @@ -106,5 +124,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/user-activity/lastvisited_pidl_mru.yml b/artifacts/file-operations/last_visited_folder_pidl_mru.yml similarity index 64% rename from artifacts/user-activity/lastvisited_pidl_mru.yml rename to artifacts/file-operations/last_visited_folder_pidl_mru.yml index ee2353f..9629e53 100644 --- a/artifacts/user-activity/lastvisited_pidl_mru.yml +++ b/artifacts/file-operations/last_visited_folder_pidl_mru.yml @@ -1,6 +1,6 @@ title: "Last Visited Folder MRU (PidlMRU)" -category: "user-activity" -description: "Last visited folders in file dialogs with executable name associations and application correlation" +category: "file-operations" +description: "Last visited folders in file dialogs with executable name associations" paths: - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU" 
@@ -8,25 +8,20 @@ paths: details: what: | - Windows tracks the last visited folders when applications use standard file - dialog boxes, along with the executable name that opened each folder location. - Shows detailed folder navigation patterns, application-specific file access, - and correlates specific programs with folder locations they accessed. Maintains - chronological order of folder visits with associated application context. + Windows tracks the last visited folders when applications use standard file dialog boxes, + along with the executable name that opened each folder location. Shows detailed folder + navigation patterns and application-specific file access in chronological order. forensic_value: | - Links specific applications to folder locations they accessed, shows user - navigation patterns, reveals attempts to access restricted areas, and can - indicate data staging, reconnaissance activities, or exfiltration preparation. - Critical for proving application-specific folder access and understanding - user behavior patterns across different software applications. + Links specific applications to folder locations they accessed, showing user navigation + patterns and attempts to access restricted areas. Can indicate data staging, reconnaissance + activities, or exfiltration preparation. Critical for proving application-specific folder + access and understanding user behavior patterns. structure: | - Sequential entries containing executable name followed by folder path data - in binary PIDL (Pointer to Item IDentifier List) format. MRUListEx shows - access order with most recent first. Each entry links a specific program - to the folder location it accessed, providing application context for - folder navigation activities. + Sequential entries containing executable name followed by folder path data in binary PIDL + (Pointer to Item IDentifier List) format. MRUListEx shows access order with most recent + first. 
Each entry links a specific program to the folder location it accessed. examples: - "Entry 0: notepad.exe -> C:\\Users\\user\\Documents\\Sensitive" @@ -53,6 +48,28 @@ details: - name: "MRU Analysis Toolkit" description: "Comprehensive MRU analysis tools including LastVisited parsing" +limitations: + - "Folder visits do NOT prove files were accessed, opened, or modified" + - "Application association doesn't indicate successful file operations" + - "PIDL entries may reflect browsing without file selection or interaction" + - "Folder access doesn't show duration of stay or specific files viewed" + - "Executable names can be spoofed or renamed to hide actual program identity" + - "Network folder entries don't prove successful authentication or file access" + - "MRU order doesn't indicate frequency or importance of folder usage" + +correlation: + required_for_definitive_file_access_proof: + - "File system access logs showing actual file operations in visited folders" + - "Application event logs showing successful file opening and editing" + - "Process execution logs confirming applications performed file operations" + - "File modification timestamps correlating with folder visit times" + + strengthens_evidence: + - "OpenSaveMRU entries showing specific files accessed in these folders" + - "Recent documents showing files from folders visited by applications" + - "ShellBags data showing detailed folder navigation and file interaction" + - "Jump Lists showing application usage correlating with folder access patterns" + metadata: windows_versions: - "Windows XP" @@ -70,7 +87,6 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "high" investigation_types: @@ -124,5 +140,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/user-activity/notepad_plus_plus.yml b/artifacts/file-operations/notepad_plus_plus.yml similarity index 54% rename from artifacts/user-activity/notepad_plus_plus.yml rename to artifacts/file-operations/notepad_plus_plus.yml index fae1581..77b55ed 100644 --- a/artifacts/user-activity/notepad_plus_plus.yml +++ b/artifacts/file-operations/notepad_plus_plus.yml @@ -1,5 +1,5 @@ title: "Notepad++ Text Editor Usage and File History" -category: "user-activity" +category: "file-operations" description: "Notepad++ configuration, recent files, session data, and plugin usage" paths: 
@@ -9,24 +9,20 @@ paths: details: what: | - Notepad++ text editor stores configuration including recent file lists, session - data, plugin configurations, and editing preferences. Registry tracks document - access patterns, programming language usage, find/replace history, and workspace - settings for comprehensive text editing activity analysis and development - work pattern tracking in programming and text manipulation activities. + Notepad++ text editor stores configuration including recent file lists, session data, + plugin configurations, and editing preferences. Registry tracks document access patterns, + programming language usage, and workspace settings for text editing activity analysis. forensic_value: | - Important for investigating source code access, configuration file modifications, - script development, and text-based evidence manipulation. Shows evidence of - programming activity, configuration file editing, document modification patterns, - and can reveal development work, system administration activities, or evidence - of script-based attacks and system configuration changes. + Important for investigating source code access, configuration file modifications, and + script development. Shows evidence of programming activity, configuration file editing, + and document modification patterns. Can reveal development work, system administration + activities, or evidence of script-based attacks. structure: | - Notepad++ configuration includes recent file paths, session restoration data, - language syntax settings, plugin configurations, and find/replace history. - File history shows accessed documents, editing sessions, and workspace - configurations for comprehensive text editing behavior analysis. + Notepad++ configuration includes recent file paths, session restoration data, language + syntax settings, plugin configurations, and find/replace history. 
File history shows + accessed documents and editing sessions for comprehensive text editing behavior analysis. examples: - "RecentFiles: C:\\Scripts\\malware_payload.py" @@ -46,6 +42,28 @@ details: - name: "Text Editor Forensics Tools" description: "Specialized tools for text editor history and session analysis" +limitations: + - "Recent file lists do NOT prove files were actually edited or modified" + - "Session data doesn't indicate successful file saving or content changes" + - "Find/replace history doesn't show operations were successfully executed" + - "File paths may reference non-existent or inaccessible files" + - "Recent files don't indicate duration of editing or extent of modifications" + - "Plugin configurations don't show plugins were actively used" + - "Language settings don't prove programming or scripting activity occurred" + +correlation: + required_for_definitive_editing_proof: + - "File system timestamps showing actual file modifications during Notepad++ usage" + - "Process execution logs showing Notepad++ application startup and activity" + - "File content analysis showing changes consistent with text editing" + - "Application event logs showing successful file opening and saving operations" + + strengthens_evidence: + - "Recent documents showing text files accessed outside of Notepad++" + - "Registry keys or system files modified correlating with configuration editing" + - "Backup files or version history showing progressive file modifications" + - "Network activity logs correlating with script execution or file transfers" + metadata: windows_versions: - "Windows 2000" @@ -58,7 +76,6 @@ metadata: - "Windows 11" introduced: "Notepad++" - criticality: "medium" investigation_types: @@ -96,5 +113,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/user-activity/office_files.yml b/artifacts/file-operations/office_files.yml similarity index 64% rename from artifacts/user-activity/office_files.yml rename to artifacts/file-operations/office_files.yml index a9dbd0e..c6b8383 100644 --- a/artifacts/user-activity/office_files.yml +++ b/artifacts/file-operations/office_files.yml @@ -1,6 +1,6 @@ title: "Microsoft Office Recent Files" -category: "user-activity" -description: "Recently accessed Microsoft Office documents with access timestamps, locations, and usage patterns" +category: "file-operations" +description: "Recently accessed Microsoft Office documents with access timestamps and locations" paths: - "HKCU\\Software\\Microsoft\\Office\\*\\*\\File MRU" 
@@ -10,24 +10,22 @@ paths: details: what: | - Microsoft Office applications track recently opened documents, file locations, - access patterns, and trusted document settings for quick reopening and security. - Stores file paths, network locations, SharePoint URLs, OneDrive sync paths, - and document access history across Word, Excel, PowerPoint, Access, and other - Office applications. Includes both local and cloud-based document access tracking. + Microsoft Office applications track recently opened documents, file locations, and access + patterns across Word, Excel, PowerPoint, Access, and other Office applications. Includes + both local and cloud-based document access tracking with file paths, network locations, + SharePoint URLs, and OneDrive sync paths. forensic_value: | - Reveals what documents users have been working on, shows access to sensitive files, - can indicate data theft, unauthorized document access, or intellectual property - violations. Critical for investigations involving document tampering, data exfiltration, - corporate espionage, and unauthorized access to confidential information. Shows - collaboration patterns and document sharing activities. + Reveals what documents users have been working on and shows access to sensitive files. + Can indicate data theft, unauthorized document access, or intellectual property violations. + Critical for investigations involving document tampering, data exfiltration, corporate espionage, + and unauthorized access to confidential information. structure: | Version-specific subkeys (16.0 for Office 2016/2019/365, 15.0 for Office 2013, etc.) - containing application-specific MRU lists. Item values contain full file paths, - network locations, SharePoint URLs, and cloud storage paths. Binary data includes - access timestamps, document metadata, and security trust settings. + containing application-specific MRU lists. 
Item values contain full file paths, network + locations, SharePoint URLs, and cloud storage paths. Binary data includes access timestamps + and document metadata. examples: - "Word Item 1: C:\\Users\\user\\Documents\\Financial_Report_Q4.docx" @@ -55,6 +53,28 @@ details: - name: "OfficeFileAnalyzer" description: "Tools for correlating Office file access with document metadata" +limitations: + - "Recent file lists do NOT prove documents were actually edited or modified" + - "File paths don't indicate successful document opening or content access" + - "Network locations don't prove successful authentication or file retrieval" + - "SharePoint URLs don't show document was downloaded or edited locally" + - "Trusted document settings don't indicate macros were executed" + - "Access timestamps may reflect failed opening attempts or preview actions" + - "Cloud storage paths don't prove synchronization or actual document access" + +correlation: + required_for_definitive_access_proof: + - "File system timestamps showing actual document modifications or access" + - "Office application event logs showing successful document opening and editing" + - "Process execution logs showing Office applications performing file operations" + - "Document metadata showing modification history and author information" + + strengthens_evidence: + - "Recent documents registry entries showing document access across multiple applications" + - "Jump Lists showing Office application usage correlating with document access" + - "OpenSaveMRU entries showing file operations in locations matching Office MRU" + - "Thumbnail cache entries showing document previews and visual content" + metadata: windows_versions: - "Windows XP" @@ -72,7 +92,6 @@ metadata: - "Windows Server 2022" introduced: "Office 97 (basic MRU), enhanced in Office 2007+" - criticality: "high" investigation_types: 
@@ -128,5 +147,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/user-activity/opensavemru.yml b/artifacts/file-operations/open_save_mru.yml similarity index 71% rename from artifacts/user-activity/opensavemru.yml rename to artifacts/file-operations/open_save_mru.yml index 62e8e52..c648d34 100644 --- a/artifacts/user-activity/opensavemru.yml +++ b/artifacts/file-operations/open_save_mru.yml @@ -1,5 +1,5 @@ title: "Open and Save Dialog MRU History" -category: "user-activity" +category: "file-operations" description: "Recently opened and saved files through Windows common dialog boxes with file type organization" paths: 
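Review bot: in office_files.yml the rewritten `structure` block still says "Binary data includes access timestamps and document metadata", but the `File MRU` item values are REG_SZ strings of the form `[F00000000][T01D8...][O00000000]*C:\path\file.docx`, where the `T` field is a hexadecimal FILETIME; there is no binary blob and no document metadata to decode. The example "Word Item 1: C:\\Users\\user\\Documents\\Financial_Report_Q4.docx" would teach more with that prefix kept, because the embedded FILETIME is the only per-file timestamp the artifact offers (the key's LastWrite time only dates the last change to the list as a whole). The `paths:` entry `HKCU\\Software\\Microsoft\\Office\\*\\*\\File MRU` also misses the Office 2013+ layout for signed-in users, `...\\<app>\\User MRU\\LiveId_<id>\\File MRU` (with `AD_<id>` for work accounts) and the parallel `Place MRU`; without that extra level the search returns nothing on most current installs.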
@@ -11,21 +11,19 @@ details: Windows tracks files and folders accessed through standard Open and Save dialog boxes used by most Windows applications. Maintains separate lists organized by file extension and includes folder navigation history within dialogs. Captures user file interaction - patterns across applications, showing what files were opened, saved, or accessed through - standard Windows file dialogs regardless of the specific application used. + patterns across applications regardless of the specific application used. forensic_value: | - Reveals comprehensive user file access patterns, document locations, network share usage, + Reveals comprehensive user file access patterns, document locations, network share usage, and specific files opened for editing, viewing, or saving. Shows evidence of data access, - document tampering, unauthorized file operations, and can indicate data staging for - exfiltration. Critical for proving user interaction with specific files and understanding - work patterns across multiple applications. + document tampering, unauthorized file operations, and can indicate data staging for + exfiltration. Critical for proving user interaction with specific files. structure: | - Organized by file extensions (*.*, txt, pdf, docx, etc.) with MRUListEx showing - access order within each category. Binary data contains full file paths, folder locations, - and shell item lists. OpenSavePidlMRU uses PIDL format for richer location data including - network paths, special folders, and metadata. Each extension maintains separate access history. + Organized by file extensions (*.*, txt, pdf, docx, etc.) with MRUListEx showing access + order within each category. Binary data contains full file paths, folder locations, and + shell item lists. OpenSavePidlMRU uses PIDL format for richer location data including + network paths and special folders. examples: - "Extension: *.*\\0: C:\\Users\\user\\Documents\\confidential.pdf" 
@@ -52,6 +50,28 @@ details: url: "https://www.nirsoft.net/utils/computer_activity_view.html" description: "Comprehensive activity viewer including file dialog history" +limitations: + - "Dialog history does NOT prove files were actually opened, edited, or saved" + - "File paths don't indicate successful file operations or content access" + - "Network locations don't prove successful authentication or file retrieval" + - "MRU entries may reflect browsing or failed file operations" + - "Extension-based organization doesn't show actual file content or type" + - "Dialog usage doesn't indicate duration of file interaction or editing" + - "PIDL data may reference non-existent or moved files" + +correlation: + required_for_definitive_file_access_proof: + - "File system timestamps showing actual file modifications or access" + - "Application event logs showing successful file opening and editing operations" + - "Process execution logs showing applications performing file operations" + - "File content analysis showing changes consistent with user interaction" + + strengthens_evidence: + - "Recent documents showing files accessed through these dialog boxes" + - "LastVisitedPidlMRU showing folder navigation correlating with file access" + - "Office MRU entries showing document access patterns matching OpenSave history" + - "Jump Lists showing application usage correlating with file dialog interactions" + metadata: windows_versions: - "Windows 95" @@ -74,7 +94,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 95" - criticality: "high" investigation_types: @@ -129,5 +148,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
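Review bot: in open_save_mru.yml the new `limitations` bullet "MRU entries may reflect browsing or failed file operations" overstates the browsing half: `OpenSavePidlMRU` is written only when the dialog is committed with a file selected, so navigating and cancelling leaves nothing there (folder browsing lands in `LastVisitedPidlMRU`, which `correlation` already lists). Keep the "failed file operations" part, since the application can still fail after the dialog returns the path, and rephrase the bullet so it says the entry proves the dialog returned that path, not that the application then opened or wrote the file. The `structure` text should also name the parent key, `...\\Explorer\\ComDlg32`, and state that `OpenSaveMRU` (string values) is the XP-era key while Vista and later use `OpenSavePidlMRU` (shell item binary data), so the reader knows which decoder applies to which hive.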
diff --git a/artifacts/user-activity/print_history.yml b/artifacts/file-operations/print_history.yml similarity index 61% rename from artifacts/user-activity/print_history.yml rename to artifacts/file-operations/print_history.yml index ac6c965..c8ea351 100644 --- a/artifacts/user-activity/print_history.yml +++ b/artifacts/file-operations/print_history.yml @@ -1,6 +1,6 @@ title: "Print Spooler and Printer History" -category: "user-activity" -description: "Printer configuration, print job evidence, document printing history, and network printer access" +category: "file-operations" +description: "Printer configuration, print job evidence, and document printing history" paths: - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Printers" 
@@ -11,24 +11,21 @@ paths: details: what: | Windows print subsystem maintains comprehensive printer configurations including installed - printers, network printer connections, print settings, driver information, user-specific - printer preferences, print processor configurations, and evidence of print job activity. - Manages local and network printer access, document printing patterns, and print spooler - service behavior for complete printing infrastructure management. + printers, network printer connections, print settings, driver information, and user-specific + printer preferences. Manages local and network printer access and print spooler service + behavior for complete printing infrastructure management. forensic_value: | - Critical for investigating data exfiltration through physical document printing, intellectual - property theft, and unauthorized document access. Shows what documents were printed, which - printers were accessed, network printer usage patterns, and potential evidence of sensitive - information being transferred to hard copy format. Essential for insider threat investigations - involving document theft and corporate espionage through print channels. + Critical for investigating data exfiltration through physical document printing and + intellectual property theft. Shows what documents were printed, which printers were accessed, + and network printer usage patterns. Essential for insider threat investigations involving + document theft and corporate espionage through print channels. structure: | Printer configurations stored as printer name subkeys containing driver information, port - assignments, device settings, security descriptors, and print processor details. User - settings include default printer selections, device modes for specific print configurations, - and printer-specific preferences. Network printer connections show authentication and - access patterns with connection timestamps and usage statistics. 
+ assignments, device settings, and security descriptors. User settings include default + printer selections and device modes. Network printer connections show authentication + and access patterns with connection timestamps. examples: - "Printers\\HP LaserJet Pro M404: Local printer configuration" @@ -53,6 +50,28 @@ details: - name: "PrinterLogView" description: "Utilities for analyzing Windows print spooler logs and history" +limitations: + - "Printer configuration does NOT prove documents were actually printed" + - "Installed printer drivers don't indicate successful print job completion" + - "Network printer connections don't show actual document output" + - "Default printer settings don't prove printer usage or document access" + - "Print processor configurations don't indicate successful print operations" + - "Device modes don't show actual printing activity or document content" + - "Security descriptors don't prove print job authorization or access" + +correlation: + required_for_definitive_printing_proof: + - "Print spooler logs showing actual print job processing and completion" + - "Windows Event Logs showing document printing events and printer access" + - "Process execution logs showing applications performing print operations" + - "Network traffic logs showing print job data transmission to network printers" + + strengthens_evidence: + - "Recent documents showing files that correlate with printer access patterns" + - "Application event logs showing document opening preceding printer usage" + - "File system artifacts showing temporary print files or spooled documents" + - "Registry keys modified during print job processing" + metadata: windows_versions: - "Windows NT" @@ -73,12 +92,12 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "medium" investigation_types: - "insider-threat" - "data-exfiltration" + - "behavioral-analysis" tags: - "printing" 
@@ -115,5 +134,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/user-activity/recent_docs.yml b/artifacts/file-operations/recent_docs.yml similarity index 65% rename from artifacts/user-activity/recent_docs.yml rename to artifacts/file-operations/recent_docs.yml index 1238fca..6c73bce 100644 --- a/artifacts/user-activity/recent_docs.yml +++ b/artifacts/file-operations/recent_docs.yml @@ -1,5 +1,5 @@ title: "Recent Documents Access History" -category: "user-activity" +category: "file-operations" description: "Recently accessed documents and files with access order tracking and metadata" paths: 
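Review bot: in print_history.yml the first "required" correlation item, "Print spooler logs showing actual print job processing and completion", should name the source and its default state: the per-document record is Event ID 307 ("Document was printed", with user, document name, printer and page count) in `Microsoft-Windows-PrintService/Operational`, and that channel is disabled by default, so on most hosts the required evidence simply will not exist unless auditing was turned on beforehand. That belongs in `limitations` as well, which currently only lists what the registry cannot show. In `structure`, "Network printer connections show authentication and access patterns with connection timestamps" promises more than `HKCU\\Printers\\Connections` holds; the only time available there is the key's LastWrite, which dates the connection being (re)created, not its use. Suggest "connection creation time (key LastWrite)" instead.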
@@ -8,24 +8,22 @@ paths: details: what: | - Windows tracks recently accessed documents and files to populate recent items - in applications, Start menu, and taskbar jump lists. Stores file paths, access order, - file metadata, and shell link information for quick user access. Maintains separate - tracking for different file types and includes both local and network file access. - Data includes PIDL (Pointer to Item IDentifier List) information for comprehensive tracking. + Windows tracks recently accessed documents and files to populate recent items in applications, + Start menu, and taskbar jump lists. Stores file paths, access order, file metadata, and + shell link information. Maintains separate tracking for different file types and includes + both local and network file access. forensic_value: | - Shows what files a user has recently opened, indicating work patterns, data access, - and potential data exfiltration activities. Can reveal sensitive documents accessed, - unauthorized file access, evidence of specific work activities, or attempts to access - restricted information. Critical for intellectual property theft investigations and - user behavior analysis. + Shows what files a user has recently opened, indicating work patterns, data access, and + potential data exfiltration activities. Can reveal sensitive documents accessed, unauthorized + file access, and evidence of specific work activities. Critical for intellectual property + theft investigations and user behavior analysis. structure: | - Binary data containing file paths, shell link information, and access metadata. - MRUListEx value shows access order with most recent first (0-based indexing). - File extensions get separate subkeys for organization. Data includes full file paths, - network locations, and associated metadata stored in shell item format. + Binary data containing file paths, shell link information, and access metadata. 
MRUListEx + value shows access order with most recent first (0-based indexing). File extensions get + separate subkeys for organization. Data includes full file paths, network locations, and + associated metadata stored in shell item format. examples: - "Extension: .pdf - C:\\Users\\user\\Documents\\financial_report.pdf" @@ -53,6 +51,28 @@ details: url: "https://www.nirsoft.net/utils/recent_files_view.html" description: "NirSoft tool for viewing recently opened files from multiple sources" +limitations: + - "Recent document entries do NOT prove files were actually opened or viewed" + - "File paths don't indicate successful file access or content viewing" + - "Access order doesn't show duration of file interaction or editing" + - "Network file entries don't prove successful authentication or download" + - "Recent docs don't indicate what operations were performed on files" + - "Metadata doesn't show file content was accessed or modified" + - "Shell link information may reference non-existent or moved files" + +correlation: + required_for_definitive_file_access_proof: + - "File system timestamps showing actual file modifications or access" + - "Application event logs showing successful document opening and editing" + - "Process execution logs showing applications performing file operations" + - "File content analysis showing user interaction or modification" + + strengthens_evidence: + - "OpenSaveMRU entries showing file operations in applications" + - "Office MRU entries showing document access patterns" + - "Jump Lists showing application usage correlating with document access" + - "ShellBags showing folder navigation to document locations" + metadata: windows_versions: - "Windows 98" @@ -73,7 +93,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 98" - criticality: "high" investigation_types: 
@@ -128,5 +147,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/user-activity/seven_zip.yml b/artifacts/file-operations/seven_zip.yml similarity index 53% rename from artifacts/user-activity/seven_zip.yml rename to artifacts/file-operations/seven_zip.yml index 1d17d51..547594b 100644 --- a/artifacts/user-activity/seven_zip.yml +++ b/artifacts/file-operations/seven_zip.yml @@ -1,5 +1,5 @@ title: "7-Zip Archive Tool Usage" -category: "user-activity" +category: "file-operations" description: "7-Zip configuration, archive history, compression settings, and file handling preferences" paths: 
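Review bot: in recent_docs.yml the added `limitations` and `correlation` lists are near copies of the ones added to open_save_mru.yml and office_files.yml ("File system timestamps showing actual file modifications or access", "Process execution logs showing applications performing file operations"), which loses what is specific to this key: `RecentDocs` is populated through the shell's `SHAddToRecentDocs` call, so an entry means an application or Explorer registered the file as opened, and the value data carries the file name together with the name of the matching `.lnk` in `%APPDATA%\\Microsoft\\Windows\\Recent`, which is the natural correlation target (the `.lnk` preserves the target's size and MAC times at open). `structure` also mentions only per-extension subkeys; add the `Folder` subkey, which records directories opened the same way and pairs with the ShellBags item already in `strengthens_evidence`.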
@@ -10,24 +10,22 @@ paths: details: what: | - 7-Zip archive utility stores configuration including compression settings, file - associations, context menu integration, and archive handling preferences. - Registry tracks archive creation/extraction activity, compression algorithms, - password usage, and interface customizations for comprehensive archive tool - usage analysis and file compression behavior tracking. + 7-Zip archive utility stores configuration including compression settings, file associations, + context menu integration, and archive handling preferences. Registry tracks archive creation/ + extraction activity, compression algorithms, password usage, and interface customizations + for comprehensive archive tool usage analysis. forensic_value: | - Critical for investigating data packaging for exfiltration, evidence destruction - through compression, password-protected archive creation, and file transfer - preparation. Shows evidence of archive manipulation, compression activities, - and can indicate data theft preparation, evidence concealment, or file - organization for unauthorized distribution through compressed archive usage. + Critical for investigating data packaging for exfiltration, evidence destruction through + compression, password-protected archive creation, and file transfer preparation. Shows + evidence of archive manipulation, compression activities, and can indicate data theft + preparation or evidence concealment through compressed archive usage. structure: | - 7-Zip configuration includes compression level preferences, archive format - settings, password protection usage, context menu integration, and file - association data. Archive history shows processed files, compression ratios, - and extraction activities for comprehensive archive tool behavior analysis. + 7-Zip configuration includes compression level preferences, archive format settings, + password protection usage, context menu integration, and file association data. 
Archive + history shows processed files, compression ratios, and extraction activities for + comprehensive archive tool behavior analysis. examples: - "InstallPath: C:\\Program Files\\7-Zip" @@ -48,6 +46,28 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "7-Zip configuration does NOT prove archives were actually created or extracted" + - "File associations don't indicate archive files were opened or processed" + - "Compression settings don't show actual compression operations occurred" + - "Context menu integration doesn't prove right-click operations were used" + - "Encryption method settings don't indicate password-protected archives were created" + - "Installation path doesn't show 7-Zip was actively used for file operations" + - "Format preferences don't prove specific archive types were created" + +correlation: + required_for_definitive_usage_proof: + - "File system artifacts showing created or extracted archive files" + - "Process execution logs showing 7-Zip application startup and activity" + - "Temporary files showing archive processing operations" + - "Event logs showing file operations correlating with archive activity" + + strengthens_evidence: + - "Recent documents showing archive files accessed through 7-Zip" + - "Registry keys modified during archive operations" + - "File system timestamps showing archive creation/extraction times" + - "Command-line history showing 7z.exe usage" + metadata: windows_versions: - "Windows 95" @@ -62,13 +82,13 @@ metadata: - "Windows 11" introduced: "7-Zip" - criticality: "medium" investigation_types: - "data-exfiltration" - "behavioral-analysis" - "incident-response" + - "anti-forensics" tags: - "7-zip" @@ -101,5 +121,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" 
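Review bot: in seven_zip.yml the rewritten `structure` still claims "Archive history shows processed files, compression ratios, and extraction activities", which the new `limitations` block then contradicts ("7-Zip configuration does NOT prove archives were actually created or extracted"); the two cannot both stand. The registry holds no ratios and no per-operation records: under `HKCU\\Software\\7-Zip` there are the `FM` and `Compression` settings plus path lists such as `Compression\\ArcHistory`, `Extraction\\PathHistory`, `FM\\FolderHistory` and `FM\\CopyHistory`, stored as REG_BINARY UTF-16LE strings separated by NULs, most recent first. Rewrite `structure` around those values and drop "compression ratios". In `strengthens_evidence`, "Command-line history showing 7z.exe usage" assumes a history that `cmd.exe` does not keep; point at Prefetch, Amcache and ShimCache for `7z.exe`, `7zG.exe` and `7zFM.exe`, and at `ConsoleHost_history.txt` only where PowerShell was the shell.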
diff --git a/artifacts/user-activity/shellbags.yml b/artifacts/file-operations/shellbags.yml similarity index 64% rename from artifacts/user-activity/shellbags.yml rename to artifacts/file-operations/shellbags.yml index 4251488..2d0f389 100644 --- a/artifacts/user-activity/shellbags.yml +++ b/artifacts/file-operations/shellbags.yml @@ -1,5 +1,5 @@ title: "ShellBags Explorer Navigation History" -category: "user-activity" +category: "file-operations" description: "Windows Explorer folder navigation history and view preferences with deleted folder evidence" paths: 
@@ -11,23 +11,22 @@ paths: details: what: | - ShellBags track Windows Explorer navigation history, folder view preferences, - window positions, column sorting options, and folder access patterns. Records evidence - of folders accessed even if they no longer exist on the system. Stores metadata about - folder structures, view settings, and user interaction patterns with the file system. + ShellBags track Windows Explorer navigation history, folder view preferences, window + positions, column sorting options, and folder access patterns. Records evidence of folders + accessed even if they no longer exist on the system. Stores metadata about folder structures + and user interaction patterns with the file system. forensic_value: | - Proves user accessed specific folders, shows folder structure of deleted - directories, reveals navigation patterns, and provides evidence of external - storage device usage. Critical for proving folder access and user activity. - Can reveal access to sensitive directories, network shares, and removable media. - Essential for timeline reconstruction and user behavior analysis. + Proves user accessed specific folders, shows folder structure of deleted directories, reveals + navigation patterns, and provides evidence of external storage device usage. Critical for + proving folder access and user activity. Can reveal access to sensitive directories, network + shares, and removable media. Essential for timeline reconstruction. structure: | - Hierarchical folder structure with numbered bag entries containing view - preferences, access timestamps, and folder properties. BagMRU maintains - most recently used folder list with PIDL (Pointer to Item IDentifier List) data. - Each bag contains window size, view mode, column widths, and sorting preferences. + Hierarchical folder structure with numbered bag entries containing view preferences, + access timestamps, and folder properties. 
BagMRU maintains most recently used folder list + with PIDL (Pointer to Item IDentifier List) data. Each bag contains window size, view mode, + column widths, and sorting preferences. examples: - "Bag 1: Desktop folder settings (Icon view, large icons)" @@ -55,6 +54,28 @@ details: url: "https://github.com/EricZimmerman/SBECmd" description: "Command-line ShellBags extraction and analysis" +limitations: + - "ShellBags do NOT prove files were accessed or modified within folders" + - "Folder navigation doesn't indicate duration of folder interaction" + - "View preferences don't show successful file operations were performed" + - "Network folder entries don't prove successful authentication or file access" + - "USB device entries don't indicate what files were accessed on removable media" + - "Deleted folder evidence doesn't show when folders were actually deleted" + - "Window positioning doesn't prove active folder usage or file manipulation" + +correlation: + required_for_definitive_file_access_proof: + - "File system timestamps showing actual file modifications in navigated folders" + - "Recent documents showing files accessed from folders in ShellBags" + - "OpenSaveMRU entries showing file operations in navigated locations" + - "Process execution logs showing applications accessing files in these folders" + + strengthens_evidence: + - "LastVisitedPidlMRU showing application-specific folder access" + - "USB device registry entries showing removable media connections" + - "Network share access logs correlating with network folder navigation" + - "Jump Lists showing application usage in navigated folders" + metadata: windows_versions: - "Windows XP" @@ -72,7 +93,6 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "high" investigation_types: @@ -127,5 +147,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
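Review bot: in shellbags.yml the `structure` text "numbered bag entries containing view preferences, access timestamps, and folder properties" misplaces the timestamps: the `Bags\\<n>` subkeys hold view settings, while the dates come from the `BagMRU` shell items (the folder's created, modified and accessed times as of the navigation, in 2-second DOS precision) plus each key's LastWrite time, which is what SBECmd's first/last interacted columns are derived from. Saying that also sharpens the new `limitations` bullet "Folder navigation doesn't indicate duration of folder interaction", because LastWrite only moves when the bag is rewritten. The `paths:` list is outside this hunk, but since Windows 7 most of the evidence lives in `UsrClass.dat` (`Local Settings\\Software\\Microsoft\\Windows\\Shell`) rather than only in `NTUSER.DAT`; if the list carries just the `HKCU\\Software\\Microsoft\\Windows\\Shell` keys, an examiner who collects only NTUSER.DAT will miss most of it.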
diff --git a/artifacts/user-activity/thumbnail_cache.yml b/artifacts/file-operations/thumbnail_cache.yml similarity index 76% rename from artifacts/user-activity/thumbnail_cache.yml rename to artifacts/file-operations/thumbnail_cache.yml index c72c010..c770f2e 100644 --- a/artifacts/user-activity/thumbnail_cache.yml +++ b/artifacts/file-operations/thumbnail_cache.yml @@ -1,6 +1,6 @@ title: "Thumbnail Cache and Image Preview Configuration" -category: "user-activity" -description: "Thumbnail generation settings, image preview configuration, and cache management for file explorer" +category: "file-operations" +description: "Thumbnail generation settings, image preview configuration, and cache management" paths: - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" @@ -19,8 +19,7 @@ details: Critical for investigations involving inappropriate content, intellectual property theft, or data exfiltration. Even when original files are deleted, thumbnail images may persist in cache files, providing visual evidence of viewed content. Registry settings reveal if - thumbnails were disabled to hide activity or if specialized thumbnail configurations - indicate specific user behaviors or security-conscious modifications. + thumbnails were disabled to hide activity. structure: | Configuration settings include DisableThumbnailCache (thumbnail generation), DisableThumbsDBOnNetworkFolders 
@@ -52,6 +51,28 @@ details: - name: "Windows File Explorer Options" description: "Built-in thumbnail and preview configuration interface" +limitations: + - "Thumbnail settings do NOT prove images were actually viewed or accessed" + - "Disabled thumbnail cache doesn't prevent all image preview generation" + - "Quality settings don't indicate actual thumbnail creation or storage" + - "Preview pane settings don't show files were previewed or opened" + - "Network thumbnail settings don't prove network files were accessed" + - "Icon settings don't indicate thumbnail avoidance was intentional" + - "Cache settings don't show what thumbnails exist or were deleted" + +correlation: + required_for_definitive_viewing_proof: + - "Thumbnail cache files showing actual generated thumbnails" + - "File system access logs showing image file operations" + - "Process execution logs showing image viewing applications" + - "Recent documents showing image files accessed" + + strengthens_evidence: + - "ShellBags showing folder navigation to image locations" + - "Recent documents showing image files from folders with thumbnails" + - "Application usage logs showing image viewer programs" + - "File system timestamps correlating with thumbnail generation" + metadata: windows_versions: - "Windows Vista" @@ -67,14 +88,14 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - - criticality: "high" + criticality: "medium" investigation_types: - "insider-threat" - "data-exfiltration" - "timeline-analysis" - "behavioral-analysis" + - "anti-forensics" tags: - "thumbnails" @@ -115,5 +136,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/user-activity/winrar.yml b/artifacts/file-operations/winrar.yml similarity index 53% rename from artifacts/user-activity/winrar.yml rename to artifacts/file-operations/winrar.yml index 735093f..fcd6282 100644 
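Review bot: in thumbnail_cache.yml `criticality` drops from "high" to "medium" in the same hunk that adds "anti-forensics" to `investigation_types`, with nothing saying why; since the README advertises criticality filtering, a one-line reason in the commit message or the file would keep the next contributor from reverting it. The downgrade is defensible because the registry side is only configuration, which is why the `correlation` item "Thumbnail cache files showing actual generated thumbnails" should name the files: `thumbcache_*.db` (and `iconcache_*.db`) under `%LOCALAPPDATA%\\Microsoft\\Windows\\Explorer`, with the `IconsOnly` value under `Explorer\\Advanced` as the user-side switch that turns thumbnails off. The `limitations` bullet "Disabled thumbnail cache doesn't prevent all image preview generation" is a good catch and would be stronger with the reason: the Photos app and third-party viewers keep their own caches, and a `thumbcache_*.db` already on disk is not purged by changing the setting.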
--- a/artifacts/user-activity/winrar.yml +++ b/artifacts/file-operations/winrar.yml @@ -1,5 +1,5 @@ title: "WinRAR Archive Tool Usage and File History" -category: "user-activity" +category: "file-operations" description: "WinRAR configuration, archive history, extraction locations, and compression activity" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - WinRAR archive utility stores configuration including recent archive files, - extraction paths, compression settings, and file association preferences. - Registry tracks archive creation/extraction activity, password usage patterns, - temporary file locations, and compression preferences for comprehensive - archive tool usage analysis and file handling behavior tracking. + WinRAR archive utility stores configuration including recent archive files, extraction paths, + compression settings, and file association preferences. Registry tracks archive creation/ + extraction activity, password usage patterns, temporary file locations, and compression + preferences for comprehensive archive tool usage analysis. forensic_value: | - Critical for investigating data packaging for exfiltration, evidence destruction - through compression, password-protected archive usage, and file transfer - preparation. Shows evidence of archive creation/extraction activity, reveals - potentially suspicious file packaging, and can indicate data theft preparation - or evidence concealment through compressed archives. + Critical for investigating data packaging for exfiltration, evidence destruction through + compression, password-protected archive usage, and file transfer preparation. Shows evidence + of archive creation/extraction activity, reveals potentially suspicious file packaging, and + can indicate data theft preparation or evidence concealment. structure: | - WinRAR configuration includes recent archive lists, default extraction paths, - compression levels, password settings, and file association data. Archive - history shows processed files, extraction locations, and access patterns - for comprehensive archive tool behavior analysis and data handling tracking. + WinRAR configuration includes recent archive lists, default extraction paths, compression + levels, password settings, and file association data. 
Archive history shows processed files, + extraction locations, and access patterns for comprehensive archive tool behavior analysis + and data handling tracking. examples: - "ArcHistory: C:\\Users\\user\\Documents\\sensitive_data.rar" @@ -47,6 +45,28 @@ details: - name: "Archive Forensics Tools" description: "Specialized tools for archive analysis and password recovery" +limitations: + - "WinRAR configuration does NOT prove archives were actually created or extracted" + - "Archive history doesn't indicate successful compression or extraction operations" + - "Password settings don't prove password-protected archives were created" + - "Extraction paths don't show files were successfully extracted or accessed" + - "Compression levels don't indicate actual archive creation occurred" + - "Temporary file settings don't prove temporary files were created or processed" + - "File associations don't show archive files were opened or processed" + +correlation: + required_for_definitive_usage_proof: + - "File system artifacts showing created or extracted archive files" + - "Process execution logs showing WinRAR application startup and activity" + - "Temporary files showing archive processing operations" + - "Event logs showing file operations correlating with archive activity" + + strengthens_evidence: + - "Recent documents showing archive files accessed through WinRAR" + - "Registry keys modified during archive operations" + - "File system timestamps showing archive creation/extraction times" + - "ShellBags showing folder navigation to archive locations" + metadata: windows_versions: - "Windows 95" @@ -61,13 +81,13 @@ metadata: - "Windows 11" introduced: "WinRAR" - criticality: "low" investigation_types: - "data-exfiltration" - "behavioral-analysis" - "incident-response" + - "anti-forensics" tags: - "winrar" @@ -99,5 +119,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" 
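Review bot: In the metadata hunk (@@ -61,13 +81,13 @@) the line `- criticality: "low"` is deleted with no `+` line replacing it, so winrar.yml ends up carrying no criticality value at all; the same bare deletion appears in winzip.yml, bits_service.yml, dns_cache.yml and file_shares_smb.yml further down this patch, while bluetooth_devices.yml keeps the field and only changes its value from high to medium. If the field is being retired, drop it from bluetooth_devices.yml too and say so in the commit message; if it is not, re-add the line here (with a new rating if "low" was the thing being corrected), otherwise these artifacts silently vanish from any criticality-based filter. In the last hunk, version goes from "1.0" straight to "3.0" with no "2.0" in between, which reads like a typo unless "3.0" is a schema-wide bump; if it is, one line in the commit message saying so would settle it.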
diff --git a/artifacts/user-activity/winzip.yml b/artifacts/file-operations/winzip.yml similarity index 52% rename from artifacts/user-activity/winzip.yml rename to artifacts/file-operations/winzip.yml index 8b6f8cb..a0588c7 100644 --- a/artifacts/user-activity/winzip.yml +++ b/artifacts/file-operations/winzip.yml @@ -1,5 +1,5 @@ title: "WinZip Commercial Archive Tool" -category: "user-activity" +category: "file-operations" description: "WinZip configuration, archive management, cloud integration, and commercial compression features" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - WinZip commercial archive utility stores configuration including compression - preferences, cloud service integration, security settings, and enterprise - features. Registry tracks archive operations, cloud backup preferences, - encryption settings, and collaboration features for comprehensive commercial - archive tool usage analysis and professional file management behavior tracking. + WinZip commercial archive utility stores configuration including compression preferences, + cloud service integration, security settings, and enterprise features. Registry tracks + archive operations, cloud backup preferences, encryption settings, and collaboration + features for comprehensive commercial archive tool usage analysis. forensic_value: | - Important for investigating professional data packaging, commercial archive - tool usage, cloud integration activities, and enterprise file management. - Shows evidence of commercial software usage, cloud storage integration, - professional archive handling, and can reveal business-level data organization, - cloud-based file sharing, and commercial tool preferences in corporate environments. + Important for investigating professional data packaging, commercial archive tool usage, + cloud integration activities, and enterprise file management. Shows evidence of commercial + software usage, cloud storage integration, professional archive handling, and can reveal + business-level data organization and cloud-based file sharing. structure: | - WinZip configuration includes licensing information, cloud service connections, - compression algorithms, security preferences, and collaboration settings. - Enterprise features track policy compliance, backup configurations, and - professional archive management capabilities for comprehensive commercial tool analysis. 
+ WinZip configuration includes licensing information, cloud service connections, compression + algorithms, security preferences, and collaboration settings. Enterprise features track + policy compliance, backup configurations, and professional archive management capabilities + for comprehensive commercial tool analysis. examples: - "InstallPath: C:\\Program Files\\WinZip" @@ -45,6 +43,28 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "WinZip configuration does NOT prove archives were created or cloud services used" + - "Cloud service settings don't indicate files were uploaded or shared" + - "Encryption settings don't prove encrypted archives were created" + - "License information doesn't show software was actively used" + - "Backup schedules don't indicate backups were successfully created" + - "Enterprise features don't prove business-level archive operations occurred" + - "Collaboration settings don't show files were shared or accessed by others" + +correlation: + required_for_definitive_usage_proof: + - "File system artifacts showing WinZip-created archives or extracted files" + - "Process execution logs showing WinZip application startup and operations" + - "Cloud service logs showing file uploads or synchronization activity" + - "Network traffic logs showing cloud service communications" + + strengthens_evidence: + - "Recent documents showing archive files created with WinZip" + - "Registry keys modified during WinZip operations" + - "File system timestamps showing archive creation and extraction activity" + - "Browser history showing cloud service access correlating with WinZip usage" + metadata: windows_versions: - "Windows 95" @@ -59,7 +79,6 @@ metadata: - "Windows 11" introduced: "WinZip" - criticality: "medium" investigation_types: 
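Review bot: In the details hunk (@@ -10,24 +10,22 @@) the rewritten `what` still says "Registry tracks archive operations, cloud backup preferences, encryption settings, and collaboration features", but the new limitations block in the next hunk says the configuration "does NOT prove archives were created or cloud services used" and that "Cloud service settings don't indicate files were uploaded or shared", and the only example visible is `InstallPath: C:\\Program Files\\WinZip`. The two sections contradict each other. Change "tracks archive operations" to "stores preferences for archive operations" (or similar) so that `what` describes configuration and the limitations carry the activity caveat, rather than asserting activity tracking in one place and denying it in the next.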
@@ -98,5 +117,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/network/bits_service.yml b/artifacts/network-infrastructure/bits_service.yml similarity index 64% rename from artifacts/network/bits_service.yml rename to artifacts/network-infrastructure/bits_service.yml index af71b0e..fe8f3f2 100644 --- a/artifacts/network/bits_service.yml +++ b/artifacts/network-infrastructure/bits_service.yml @@ -1,5 +1,5 @@ title: "BITS Background Transfer Service" -category: "network" +category: "network-infrastructure" description: "Background Intelligent Transfer Service configuration, job history, and file transfer management" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Background Intelligent Transfer Service (BITS) manages file transfers in the - background using spare network bandwidth, commonly used by Windows Update, - Microsoft applications, and third-party software. Registry contains service - configuration, transfer job metadata, bandwidth throttling settings, and - job state information for both system and user-initiated transfers. + Background Intelligent Transfer Service (BITS) manages file transfers in the background + using spare network bandwidth. Registry contains service configuration, transfer job metadata, + bandwidth throttling settings, and job state information for system and user-initiated transfers. forensic_value: | - BITS is increasingly used by malware for stealthy file downloads, data exfiltration, - and command and control communication. Shows evidence of background file transfers, - download sources, upload destinations, and potential covert communication channels. - Can reveal malicious file distribution, data theft operations, or unauthorized - software installation through background transfer mechanisms. + BITS is increasingly used by malware for stealthy file downloads, data exfiltration, and + command and control communication. Shows evidence of background file transfers, download sources, + upload destinations, and can reveal malicious file distribution, data theft operations, or unauthorized software installation. structure: | - Service configuration includes startup type, dependencies, parameters, and - bandwidth management settings. StateIndex contains job identifiers and transfer - metadata. Jobs subkey tracks active and completed transfers with source URLs, - destination paths, transfer states, and authentication information. + Service configuration includes startup type, dependencies, and bandwidth management settings. + StateIndex contains job identifiers and transfer metadata. 
Jobs subkey tracks active and + completed transfers with source URLs, destination paths, and authentication information. examples: - "BITS\\Start: 3 (Manual startup)" @@ -53,6 +48,27 @@ details: - name: "BITSInspector" description: "Specialized tools for BITS forensic analysis and job enumeration" +limitations: + - "BITS job configuration does NOT prove file transfers completed successfully" + - "Job entries may be created by Windows Update or legitimate applications" + - "Source URLs in configuration don't prove files were actually downloaded" + - "Bandwidth settings don't indicate what data was transferred" + - "Service startup configuration doesn't show actual service activity" + - "Job state information may be cleared after transfer completion" + - "Authentication settings don't prove successful server connections" + +correlation: + required_for_definitive_execution_proof: + - "BITS service logs showing actual transfer activity and completion status" + - "Network traffic logs confirming connections to source/destination servers" + - "File system artifacts showing downloaded files at specified destinations" + - "Process execution logs showing BITS service and related process activity" + + strengthens_evidence: + - "Windows Update logs showing legitimate vs. suspicious BITS usage" + - "Event logs showing BITS service starts and job completions" + - "File creation timestamps correlating with BITS transfer windows" + metadata: windows_versions: - "Windows XP" @@ -70,7 +86,6 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "medium" investigation_types: @@ -124,5 +139,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
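Review bot: The new correlation block (@@ -53,6 +48,27 @@) uses the key `required_for_definitive_execution_proof`, while winrar.yml and winzip.yml in this same patch use `required_for_definitive_usage_proof` (and file_shares_smb.yml below does too). Any renderer or schema check that looks up this section by a fixed key name will display one variant and silently drop the other. Pick a single key for every artifact; "execution" also reads oddly for configuration-only artifacts such as dns_cache.yml and network_interfaces.yml, so a neutral name would fit all of them. Separately, "BITS service logs showing actual transfer activity and completion status" names no concrete source; file_shares_smb.yml in this patch cites Event IDs 5140 and 5145, and the same specificity here (the Microsoft-Windows-Bits-Client/Operational event log) would make the item something an analyst can actually go and collect.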
diff --git a/artifacts/network/bluetooth_devices.yml b/artifacts/network-infrastructure/bluetooth_devices.yml similarity index 61% rename from artifacts/network/bluetooth_devices.yml rename to artifacts/network-infrastructure/bluetooth_devices.yml index 9fc1461..a58233b 100644 --- a/artifacts/network/bluetooth_devices.yml +++ b/artifacts/network-infrastructure/bluetooth_devices.yml @@ -1,5 +1,5 @@ title: "Bluetooth Device History and Configuration" -category: "network" +category: "network-infrastructure" description: "Bluetooth device pairing history, connection logs, device capabilities, and wireless communication tracking" paths: 
@@ -10,22 +10,19 @@ paths: details: what: | - Windows Bluetooth subsystem maintains comprehensive device pairing history, connection logs, - device capabilities, authentication keys, and service discovery records. Tracks all Bluetooth - devices that have been paired, attempted connections, device profiles supported, and wireless - communication patterns for complete Bluetooth forensic analysis and device correlation. + Windows Bluetooth subsystem maintains device pairing history, connection logs, device capabilities, + authentication keys, and service discovery records. Tracks all Bluetooth devices that have been + paired, attempted connections, and supported device profiles. forensic_value: | - Critical for investigating wireless data exfiltration, unauthorized device connections, covert - communication channels, and device tracking. Shows evidence of Bluetooth keyboards, mice, phones, - headsets, and potential data transfer devices. Essential for insider threat investigations, - unauthorized device usage, and establishing device presence during incident timeframes. + Critical for investigating wireless data exfiltration, unauthorized device connections, and covert + communication channels. Shows evidence of Bluetooth keyboards, mice, phones, headsets, and potential + data transfer devices. Essential for insider threat investigations and establishing device presence during incidents. structure: | - Device entries organized by Bluetooth MAC addresses containing device names, pairing timestamps, - authentication keys, supported services, device types, and connection history. Each device - maintains profile information, capability flags, and last seen timestamps for comprehensive - tracking and forensic correlation with other system artifacts. + Device entries organized by Bluetooth MAC addresses containing device names, pairing timestamps, + authentication keys, supported services, device types, and connection history. 
Each device maintains + profile information, capability flags, and last seen timestamps. examples: - "Device: 00:11:22:33:44:55 (Samsung Galaxy S21 - Mobile phone)" @@ -51,6 +48,27 @@ details: - name: "Bluetooth Device Analyzer" description: "Specialized forensic tools for Bluetooth device analysis" +limitations: + - "Bluetooth pairing history does NOT prove active data transfer occurred" + - "Device presence in registry doesn't indicate device was connected during specific timeframes" + - "LastConnected timestamps may not reflect actual communication sessions" + - "Pairing information persists even after device is no longer used" + - "Authentication keys don't prove successful data transmission" + - "Service capabilities don't show what services were actually utilized" + - "Trusted device status doesn't indicate automatic connection occurred" + +correlation: + required_for_definitive_execution_proof: + - "Bluetooth service logs showing actual connection establishment and data transfer" + - "Network traffic logs showing Bluetooth protocol communication" + - "File system artifacts showing files transferred via Bluetooth" + - "Application logs showing Bluetooth-enabled applications activity" + + strengthens_evidence: + - "USB device logs showing Bluetooth adapter activity" + - "Event logs showing device connection and disconnection events" + - "File creation timestamps correlating with Bluetooth connection times" + metadata: windows_versions: - "Windows XP" @@ -62,13 +80,13 @@ metadata: - "Windows 11" introduced: "Windows XP SP2" - - criticality: "high" + criticality: "medium" investigation_types: - "data-exfiltration" - "insider-threat" - "timeline-analysis" + - "behavioral-analysis" tags: - "bluetooth" @@ -105,5 +123,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" 
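Review bot: In the correlation hunk (@@ -51,6 +48,27 @@), "Network traffic logs showing Bluetooth protocol communication" and "USB device logs showing Bluetooth adapter activity" point at sources the patch never locates on a Windows host, and Bluetooth traffic does not traverse the IP stack that network traffic logs capture, so the first item cannot be met as written. A correlation requirement that cannot be collected defeats the purpose of the section: either name a concrete source (an event log channel, the file system artifacts of files received over Bluetooth, which the next item already covers) or remove the item. The limitation "Device presence in registry doesn't indicate device was connected during specific timeframes" is a good one and should be the anchor for the timeline-analysis tag that survives in the metadata hunk.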
diff --git a/artifacts/network/dns_cache.yml b/artifacts/network-infrastructure/dns_cache.yml similarity index 65% rename from artifacts/network/dns_cache.yml rename to artifacts/network-infrastructure/dns_cache.yml index 935fb0d..25f5d08 100644 --- a/artifacts/network/dns_cache.yml +++ b/artifacts/network-infrastructure/dns_cache.yml @@ -1,5 +1,5 @@ title: "DNS Client Configuration and Cache Settings" -category: "network" +category: "network-infrastructure" description: "DNS client settings, cache configuration, name resolution preferences, and DNS security policies" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - DNS client configuration encompasses comprehensive name resolution settings including cache - behavior, DNS server preferences, DNS-over-HTTPS (DoH) configuration, cache size limits, - negative caching policies, and DNS security settings. Controls system-wide name resolution - behavior, cache management policies, and modern DNS security features including encrypted - DNS protocols and DNS filtering for enhanced privacy and security. + DNS client configuration encompasses name resolution settings including cache behavior, + DNS server preferences, DNS-over-HTTPS (DoH) configuration, cache size limits, negative + caching policies, and DNS security settings controlling system-wide name resolution. forensic_value: | - Critical for investigating DNS hijacking attacks, malicious DNS server usage, DNS tunneling - attempts, and command and control communication through DNS protocols. DNS configuration - changes may indicate network-based attacks, DNS cache poisoning attempts, or DNS exfiltration - techniques. Essential for analyzing advanced persistent threats that manipulate DNS infrastructure - for stealth communication and detecting DNS-based data exfiltration methods. + Critical for investigating DNS hijacking attacks, malicious DNS server usage, DNS tunneling + attempts, and command and control communication through DNS protocols. DNS configuration + changes may indicate network-based attacks, DNS cache poisoning attempts, or DNS exfiltration techniques. structure: | - DNS configuration includes MaxCacheTtl (maximum cache time), NegativeCacheTime (failed lookup - caching), CacheHashTableSize (cache table dimensions), EnableAutoDoh (automatic DNS-over-HTTPS), - DohPolicy (DoH enforcement level), and PrimaryDnsServer (preferred DNS server). Policy settings - control enterprise DNS behavior, security restrictions, and DNS filtering implementations. 
+ DNS configuration includes MaxCacheTtl (maximum cache time), NegativeCacheTime (failed lookup caching), + CacheHashTableSize (cache table dimensions), EnableAutoDoh (automatic DNS-over-HTTPS), DohPolicy + (DoH enforcement level), and PrimaryDnsServer (preferred DNS server). examples: - "MaxCacheTtl: 604800 (7 days maximum cache retention)" @@ -52,6 +47,27 @@ details: - name: "DNS Security Analysis Tools" description: "Specialized utilities for DNS security assessment and threat detection" +limitations: + - "DNS configuration settings do NOT prove malicious domains were accessed" + - "Cache settings don't indicate what DNS queries were actually made" + - "DoH configuration doesn't show encrypted DNS queries that occurred" + - "DNS server changes may be legitimate network administration" + - "Policy settings don't prove DNS filtering was actively enforced" + - "Malicious DNS servers may be configured but never used" + - "Cache size settings don't reveal historical DNS query patterns" + +correlation: + required_for_definitive_execution_proof: + - "DNS query logs showing actual name resolution requests and responses" + - "Network traffic captures showing DNS protocol communication" + - "Event logs showing DNS service activity and configuration changes" + - "Browser history or application logs showing domain access attempts" + + strengthens_evidence: + - "Firewall logs showing DNS traffic to unauthorized servers" + - "Process execution logs showing applications that initiated DNS queries" + - "Timeline analysis correlating DNS changes with suspicious network activity" + metadata: windows_versions: - "Windows 2000" @@ -71,13 +87,13 @@ metadata: - "Windows Server 2022" introduced: "Windows 2000" - criticality: "high" investigation_types: - - "persistence-analysis" - - "incident-response" - "data-exfiltration" + - "incident-response" + - "lateral-movement" + - "anti-forensics" tags: - "network" 
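Review bot: The metadata hunk (@@ -71,13 +87,13 @@) adds "lateral-movement" and "anti-forensics" to investigation_types and drops "persistence-analysis", but nothing in the rewritten `what`, `forensic_value` or `limitations` text mentions lateral movement or anti-forensics; the text is about hijacking, tunneling, command and control and exfiltration, and the limitation "DNS server changes may be legitimate network administration" is the only statement touching on configuration changes at all. Either add a sentence to `forensic_value` that explains which DNS setting supports each new tag, or keep the old tag list; tags with no supporting text make the investigation-type filter return artifacts that do not help the investigator who selected it.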
@@ -117,5 +133,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/network/shared_folders.yml b/artifacts/network-infrastructure/file_shares_smb.yml similarity index 63% rename from artifacts/network/shared_folders.yml rename to artifacts/network-infrastructure/file_shares_smb.yml index 17e4b31..c489bb8 100644 --- a/artifacts/network/shared_folders.yml +++ b/artifacts/network-infrastructure/file_shares_smb.yml @@ -1,6 +1,6 @@ title: "Windows File Shares and SMB Configuration" -category: "network" -description: "Shared folders, SMB settings, network file sharing configuration, and access control policies" +category: "network-infrastructure" +description: "Shared folders, SMB settings, and network file sharing configuration" paths: - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\lanmanserver\\Shares" 
@@ -10,24 +10,20 @@ paths: details: what: | - Windows Server Message Block (SMB/CIFS) file sharing configuration encompasses shared folder - definitions, access permissions, security descriptors, server parameters, workstation settings, - and network file sharing policies. Manages both administrative shares (C$, ADMIN$) and - user-defined shares with comprehensive access control, authentication requirements, and - network security settings for enterprise file sharing infrastructure. + Windows Server Message Block (SMB/CIFS) file sharing configuration including shared folder + definitions, access permissions, security descriptors, and server parameters. Manages both + administrative shares (C$, ADMIN$) and user-defined shares with access control settings. forensic_value: | - Critical for investigating lateral movement techniques, data exfiltration through network shares, - and unauthorized file access in enterprise environments. Shows evidence of shared folders used - for data staging, reveals SMB configuration vulnerabilities exploited by attackers, and indicates - network shares accessible for unauthorized data access. Essential for analyzing advanced - persistent threats that leverage legitimate file sharing for stealth operations. + Critical for investigating lateral movement techniques and data exfiltration through network + shares. Shows evidence of shared folders used for data staging and reveals SMB configuration + vulnerabilities. Essential for analyzing advanced persistent threats that leverage legitimate + file sharing for stealth operations. structure: | Shares registry subkey contains individual share configurations with UNC paths, security - descriptors, access permissions, and share properties. Server parameters control SMB behavior, - authentication requirements, security signing, and session management. Workstation parameters - manage client-side SMB configuration and security settings for network resource access. 
+ descriptors, and access permissions. Server parameters control SMB behavior, authentication + requirements, and security signing. Binary security descriptors define access control. examples: - "Shares\\\\ADMIN$: C:\\\\ (Hidden administrative share - full system access)" @@ -53,6 +49,28 @@ details: - name: "SMB Security Scanner" description: "Third-party tools for SMB security assessment and vulnerability analysis" +limitations: + - "Share configuration does NOT prove files were actually accessed or transferred" + - "Shared folder existence doesn't indicate successful network connections" + - "Administrative shares are enabled by default and don't prove malicious usage" + - "SMB settings don't reveal what data was shared or accessed" + - "Security descriptors don't indicate actual permission usage" + - "Share creation doesn't prove network clients connected" + - "Configuration may exist without any network file sharing activity" + +correlation: + required_for_definitive_usage_proof: + - "SMB server access logs showing successful client connections and file operations" + - "Network traffic analysis showing SMB protocol communications" + - "Windows Event Logs showing file share access (Event ID 5140, 5145)" + - "File system audit logs showing shared file modifications" + + strengthens_evidence: + - "Process execution logs showing SMB server service activity" + - "Network authentication logs showing SMB logon attempts" + - "File timestamps correlating with suspected share access times" + - "Registry keys modified by shared file applications" + metadata: windows_versions: - "Windows NT" @@ -73,7 +91,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: 
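Review bot: The example left as context in the details hunk (@@ -10,24 +10,20 @@), `Shares\\\\ADMIN$: C:\\\\ (Hidden administrative share - full system access)`, is wrong on two counts and the rewritten structure text next to it ("Shares registry subkey contains individual share configurations with UNC paths") makes it worse. ADMIN$ maps to %SystemRoot%, not to the root of C:\ (that is C$), and the automatic administrative shares are created by the server service at start and are not persisted under lanmanserver\Shares, which holds user-defined shares; the new limitation "Administrative shares are enabled by default and don't prove malicious usage" is correct but it means an ADMIN$ entry under this key would itself be notable, not routine. Replace the example with a user-created share entry and, if you want to mention the admin shares, put them in the limitations with the note that they do not appear under this key.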
@@ -106,7 +123,7 @@ metadata: retention: default_location: "Registry hive files (SYSTEM)" persistence: "Share configuration persists until manually removed or server reconfiguration" - volatility: "Network share settings affect ongoing file access and lateral movement capabilities" + volatility: "Network share settings affect ongoing file access capabilities" related_artifacts: - "mapped_drives" @@ -121,5 +138,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/network/netbios_settings.yml b/artifacts/network-infrastructure/netbios_settings.yml similarity index 62% rename from artifacts/network/netbios_settings.yml rename to artifacts/network-infrastructure/netbios_settings.yml index 3d919b1..8730ab9 100644 --- a/artifacts/network/netbios_settings.yml +++ b/artifacts/network-infrastructure/netbios_settings.yml @@ -1,5 +1,5 @@ title: "NetBIOS and Network Naming Configuration" -category: "network" +category: "network-infrastructure" description: "NetBIOS over TCP/IP settings, name resolution configuration, and legacy network browsing capabilities" paths: 
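Review bot: In the retention hunk of file_shares_smb.yml (@@ -106,7 +123,7 @@) the unchanged context line `- "mapped_drives"` under related_artifacts still names the old file, but this same patch renames artifacts/network/mapped_drives.yml to artifacts/network-infrastructure/network_mapped_drives.yml. If related_artifacts are resolved by file name, the link now dangles. Update it to "network_mapped_drives", and grep the rest of the artifacts for "shared_folders" as well, since this file is itself renamed from shared_folders.yml to file_shares_smb.yml in the same commit.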
@@ -10,24 +10,19 @@ paths: details: what: | - NetBIOS over TCP/IP configuration controls legacy network naming services, Windows Internet - Name Service (WINS) integration, network browsing capabilities, and backward compatibility - for older Windows networking protocols. Manages NetBIOS name resolution, scope identification, - node types, LMHOSTS file usage, and legacy network neighborhood functionality essential - for mixed-environment network operations. + NetBIOS over TCP/IP configuration controls legacy network naming services, Windows Internet Name Service (WINS) + integration, network browsing capabilities, and backward compatibility for older Windows networking protocols. + Manages NetBIOS name resolution, scope identification, and legacy network neighborhood functionality. forensic_value: | - Critical for investigating lateral movement techniques that exploit NetBIOS vulnerabilities, - analyzing legacy network reconnaissance activities, and detecting attacks that leverage - NetBIOS name resolution for network discovery. Shows WINS server configurations that may - indicate network infrastructure compromise, reveals network browsing capabilities that - facilitate information gathering, and provides evidence of legacy protocol abuse in attacks. + Critical for investigating lateral movement techniques that exploit NetBIOS vulnerabilities, analyzing legacy + network reconnaissance activities, and detecting attacks that leverage NetBIOS name resolution for network discovery. + Shows WINS server configurations and reveals network browsing capabilities that facilitate information gathering. structure: | - NetBT parameters include EnableLMHosts (LMHOSTS file usage), NodeType (NetBIOS resolution method), - NameServer (WINS server addresses), ScopeId (NetBIOS scope identifier), and EnableNetbiosSmb - (NetBIOS over SMB). 
LanmanServer controls network browsing, server announcements, and - network neighborhood visibility with various REG_DWORD and REG_SZ configuration values. + NetBT parameters include EnableLMHosts (LMHOSTS file usage), NodeType (NetBIOS resolution method), NameServer + (WINS server addresses), ScopeId (NetBIOS scope identifier), and EnableNetbiosSmb (NetBIOS over SMB). + LanmanServer controls network browsing and server announcements. examples: - "EnableLMHosts: 1 (LMHOSTS file resolution enabled)" @@ -52,6 +47,27 @@ details: - name: "NetBIOS Name Scanner" description: "Third-party tools for NetBIOS network discovery and analysis" +limitations: + - "NetBIOS configuration does NOT prove NetBIOS protocols were actively used" + - "WINS server settings don't indicate successful name resolution queries occurred" + - "Browser announcement settings don't show actual network browsing activity" + - "LMHOSTS enablement doesn't prove static name mappings were used" + - "Node type configuration doesn't indicate NetBIOS communication success" + - "Scope settings may be configured without NetBIOS scope utilization" + - "Server list maintenance doesn't prove network neighborhood access" + +correlation: + required_for_definitive_execution_proof: + - "Network traffic captures showing NetBIOS protocol communication" + - "NetBIOS service logs showing name resolution requests and responses" + - "WINS server logs showing NetBIOS name registration and query activity" + - "Event logs showing NetBIOS service starts and network browsing events" + + strengthens_evidence: + - "SMB/CIFS logs showing NetBIOS session establishment" + - "Network discovery logs showing NetBIOS-based reconnaissance" + - "File sharing access logs using NetBIOS name resolution" + metadata: windows_versions: - "Windows NT" @@ -79,6 +95,7 @@ metadata: - "lateral-movement" - "behavioral-analysis" - "incident-response" + - "initial-access" tags: - "netbios" 
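Review bot: The metadata hunk (@@ -79,6 +95,7 @@) adds "initial-access" to investigation_types, but the rewritten `forensic_value` only describes lateral movement, reconnaissance and network discovery, and none of the seven new limitations mentions an initial-access scenario. Add the sentence that justifies the tag (which NetBT setting, and how an attacker without a foothold would benefit from it) or drop the tag, as was done for the other artifacts in this patch where tags track the text. The correlation items "NetBIOS service logs" and "Network discovery logs showing NetBIOS-based reconnaissance" should also say where those records live on a Windows host; as written they cannot be collected, so they do not strengthen anything.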
@@ -115,5 +132,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/network/network_interfaces.yml b/artifacts/network-infrastructure/network_interfaces.yml similarity index 65% rename from artifacts/network/network_interfaces.yml rename to artifacts/network-infrastructure/network_interfaces.yml index 766796a..e0498be 100644 --- a/artifacts/network/network_interfaces.yml +++ b/artifacts/network-infrastructure/network_interfaces.yml @@ -1,5 +1,5 @@ title: "Network Interface Configuration" -category: "network" +category: "network-infrastructure" description: "Network adapter configuration including IP addresses, DHCP settings, DNS servers, and routing information" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows stores comprehensive network interface configuration data including IP addresses, - subnet masks, default gateways, DNS servers, DHCP settings, and adapter-specific parameters. - Each network interface has its own GUID-identified subkey containing current and historical - network configuration. Includes both static and dynamic (DHCP) configuration data with - timestamps and lease information. + Windows stores network interface configuration data including IP addresses, subnet masks, default gateways, + DNS servers, DHCP settings, and adapter-specific parameters. Each network interface has its own GUID-identified + subkey containing current and historical network configuration. forensic_value: | - Reveals network configuration history, static IP assignments, DNS server changes, - and can show evidence of network pivoting, tunneling, or lateral movement preparation. - Critical for understanding network connectivity, identifying rogue configurations, - and correlating network-based attacks with system configuration. Can indicate - VPN usage, proxy configurations, and network infrastructure reconnaissance. + Reveals network configuration history, static IP assignments, DNS server changes, and can show evidence of + network pivoting, tunneling, or lateral movement preparation. Critical for understanding network connectivity, + identifying rogue configurations, and correlating network-based attacks with system configuration. structure: | - Interface GUIDs as subkeys containing REG_SZ and REG_MULTI_SZ values for network parameters. - Key values include IPAddress, SubnetMask, DefaultGateway, NameServer, DHCPIPAddress, - DHCPServer, Domain, EnableDHCP, and lease information. Binary data includes interface - metrics, adapter settings, and network binding configurations. + Interface GUIDs as subkeys containing REG_SZ and REG_MULTI_SZ values for network parameters. 
Key values include + IPAddress, SubnetMask, DefaultGateway, NameServer, DHCPIPAddress, DHCPServer, Domain, EnableDHCP, and lease information. + Binary data includes interface metrics and adapter settings. examples: - "DHCPIPAddress: 192.168.1.100" @@ -58,6 +53,27 @@ details: url: "https://www.nirsoft.net/utils/network_interface_view.html" description: "NirSoft tool for detailed network interface information" +limitations: + - "Network interface configuration does NOT prove network communication occurred" + - "IP address assignments don't indicate what network traffic was generated" + - "DNS server settings don't show what domain name queries were made" + - "DHCP lease information doesn't prove active network usage during lease period" + - "Static IP configuration may be set without network connectivity" + - "Gateway settings don't indicate routing table was used for communication" + - "Interface metrics don't show network performance or actual usage" + +correlation: + required_for_definitive_execution_proof: + - "Network traffic logs showing actual communication using configured IP addresses" + - "DHCP server logs showing lease assignments and renewal activity" + - "DNS query logs showing name resolution using configured DNS servers" + - "Routing table logs showing gateway utilization for network communication" + + strengthens_evidence: + - "Network connection logs showing active interface utilization" + - "Application logs showing network-dependent services using interfaces" + - "Timeline analysis correlating interface changes with network activity" + metadata: windows_versions: - "Windows NT 4.0" @@ -133,5 +149,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
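Review bot: In the correlation hunk (@@ -58,6 +53,27 @@), "Routing table logs showing gateway utilization for network communication" names a source Windows does not produce; there is no routing-table log, so an analyst can never satisfy this required item. Replace it with something collectable, for example the host-side DHCP client event log (Microsoft-Windows-Dhcp-Client) for local lease evidence next to the off-host "DHCP server logs" item, or firewall or connection logs showing traffic leaving through the configured gateway. In the details hunk above it, `what` still says each GUID subkey holds "current and historical network configuration" while the structure text lists only current values (IPAddress, DHCPIPAddress, lease information); the limitations block should state whether previous addresses survive in this key or only the current lease does, since that decides whether the artifact supports timeline work at all.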
diff --git a/artifacts/network/mapped_drives.yml b/artifacts/network-infrastructure/network_mapped_drives.yml similarity index 63% rename from artifacts/network/mapped_drives.yml rename to artifacts/network-infrastructure/network_mapped_drives.yml index d1e4282..b649575 100644 --- a/artifacts/network/mapped_drives.yml +++ b/artifacts/network-infrastructure/network_mapped_drives.yml @@ -1,5 +1,5 @@ title: "Network Mapped Drives and Shares" -category: "network" +category: "network-infrastructure" description: "Mapped network drives, UNC paths, shared resource connections, and persistent drive mappings" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows stores comprehensive information about mapped network drives, shared folder connections, - UNC path access history, and persistent drive mappings. Maintains both active drive mappings - and historical connection data including server names, share paths, authentication credentials, - and connection persistence settings. Manages network resource access, automatic reconnection - preferences, and Most Recently Used (MRU) lists for network location convenience. + Windows stores information about mapped network drives, shared folder connections, UNC path access history, + and persistent drive mappings. Maintains both active drive mappings and historical connection data including + server names, share paths, authentication credentials, and connection persistence settings. forensic_value: | - Critical for investigating lateral movement, data exfiltration routes, unauthorized network - access, and corporate espionage through network shares. Shows evidence of file server access, - shared resource usage patterns, and potential data staging locations on network drives. - Essential for analyzing advanced persistent threats that leverage legitimate network infrastructure - for stealth operations and detecting insider threats accessing sensitive network resources. + Critical for investigating lateral movement, data exfiltration routes, unauthorized network access, and + corporate espionage through network shares. Shows evidence of file server access, shared resource usage patterns, + and potential data staging locations on network drives. structure: | - Network registry key contains drive letters as subkeys with RemotePath (UNC path), ProviderName - (network provider), UserName (authentication context), and ConnectionType (persistent/temporary). - Map Network Drive MRU stores recently accessed UNC paths in chronological order with connection - frequency and access patterns for user convenience and investigation correlation. 
+ Network registry key contains drive letters as subkeys with RemotePath (UNC path), ProviderName (network provider), + UserName (authentication context), and ConnectionType (persistent/temporary). Map Network Drive MRU stores + recently accessed UNC paths in chronological order. examples: - "Z:\\\\RemotePath: \\\\\\\\fileserver.domain.com\\\\shared (Corporate file server)" @@ -53,6 +48,27 @@ details: - name: "Network Resource Monitor" description: "Tools for monitoring network share access and authentication patterns" +limitations: + - "Mapped drive configuration does NOT prove files were accessed or transferred" + - "Network drive mappings don't indicate successful authentication to remote servers" + - "MRU entries don't show what files were accessed on network shares" + - "Persistent connections don't prove drives were actively used after mapping" + - "UNC path history doesn't indicate successful connection establishment" + - "Administrative share mappings may be legitimate system administration" + - "Drive letter assignments don't show frequency or duration of usage" + +correlation: + required_for_definitive_execution_proof: + - "SMB/CIFS protocol logs showing actual file server connections and authentication" + - "File system access logs showing files opened or transferred on network drives" + - "Event logs showing successful network drive connections and logon sessions" + - "Network traffic captures showing file sharing protocol communication" + + strengthens_evidence: + - "Recent documents showing files accessed from mapped network locations" + - "Process execution logs showing applications accessing network drives" + - "File modification timestamps on network shares correlating with user activity" + metadata: windows_versions: - "Windows NT" @@ -73,7 +89,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: 
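Review bot: the `@@ -73,7 +89,6 @@` hunk removes `criticality: "high"` from `metadata` with no replacement anywhere in the visible diff, and the README still advertises filtering by criticality level. Unless the field is re-added at another level outside these hunks, this artifact (and the others in this change that drop the line: teredo_ipv6.yml, upnp_settings.yml, vpn_client.yml, wifi_profiles.yml, appcertdlls_injection.yml, com_objects.yml) will silently fall out of that filter. Note that proxy_settings.yml keeps `criticality: "medium"` under `metadata` in the same commit, so at minimum the files are now inconsistent.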
@@ -121,5 +136,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/network/proxy_settings.yml b/artifacts/network-infrastructure/proxy_settings.yml similarity index 61% rename from artifacts/network/proxy_settings.yml rename to artifacts/network-infrastructure/proxy_settings.yml index 64b99d6..18e7f44 100644 --- a/artifacts/network/proxy_settings.yml +++ b/artifacts/network-infrastructure/proxy_settings.yml @@ -1,6 +1,6 @@ title: "Internet Proxy and Connection Settings" -category: "network" -description: "Proxy server configuration, PAC files, automatic proxy detection, and internet connection routing" +category: "network-infrastructure" +description: "Proxy server configuration and internet connection routing settings" paths: - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" 
@@ -10,24 +10,19 @@ paths: details: what: | - Internet proxy configuration including proxy server addresses, port numbers, - Proxy Auto-Configuration (PAC) file locations, bypass lists, automatic proxy - detection settings, and WinINet connection configurations. Controls how web - browsers and system internet connections route through proxy servers, handle - authentication, and manage traffic filtering and monitoring. + Windows proxy configuration including server addresses, ports, Proxy Auto-Configuration + (PAC) files, bypass lists, and automatic detection settings. Controls how browsers and + system internet connections route through proxy servers for filtering and monitoring. forensic_value: | - Shows proxy configurations that could indicate data exfiltration routes, - malicious proxy servers used for traffic interception, command and control - communication, or network evasion techniques. Critical for understanding - network communication paths, identifying proxy-based attacks, and detecting - unauthorized network routing that could facilitate data theft. + Reveals proxy configurations that may indicate data exfiltration routes, malicious proxy + servers for traffic interception, or network evasion techniques. Critical for understanding + network communication paths and identifying unauthorized routing that could facilitate data theft. structure: | - Settings include ProxyEnable (proxy enabled/disabled), ProxyServer (address:port), - ProxyOverride (bypass list), AutoConfigURL (PAC file location), AutoDetect - (automatic proxy detection), and binary connection data in DefaultConnectionSettings - containing detailed proxy configurations and authentication information. + Settings include ProxyEnable (DWORD), ProxyServer (REG_SZ address:port), ProxyOverride + (bypass list), AutoConfigURL (PAC file location), and binary DefaultConnectionSettings + containing detailed proxy configurations and authentication data. examples: - "ProxyEnable: 1 (proxy enabled)" 
@@ -55,6 +50,28 @@ details: url: "https://www.nirsoft.net/utils/proxy_log_view.html" description: "NirSoft tool for proxy server log analysis and monitoring" +limitations: + - "Proxy configuration does NOT prove network traffic actually used the proxy" + - "Settings can be bypassed by applications using direct connections" + - "Configuration may be overridden by group policy or malware" + - "PAC file URLs don't indicate the PAC file was successfully retrieved" + - "Proxy bypass list shows intent but not actual traffic routing" + - "Settings don't reveal what data passed through proxy servers" + - "Automatic detection settings may fail without indication in registry" + +correlation: + required_for_definitive_usage_proof: + - "Network traffic logs showing actual connections through proxy servers" + - "Proxy server access logs with matching client IP addresses and timestamps" + - "DNS resolution logs showing proxy server name resolution" + - "Application logs confirming proxy usage and authentication" + + strengthens_evidence: + - "Browser history showing PAC file downloads or proxy authentication pages" + - "Event logs showing proxy connectivity errors or authentication failures" + - "Network interface statistics showing traffic patterns consistent with proxy usage" + - "Firewall logs showing blocked direct connections forcing proxy usage" + metadata: windows_versions: - "Windows 95" @@ -76,8 +93,7 @@ metadata: - "Windows Server 2019" - "Windows Server 2022" - introduced: "Windows 95 (Internet Explorer 3.0)" - + introduced: "Windows 95 (Internet Explorer 3.0)" criticality: "medium" investigation_types: @@ -86,6 +102,7 @@ metadata: - "malware-analysis" - "incident-response" - "behavioral-analysis" + - "anti-forensics" tags: - "network" @@ -131,5 +148,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/network/teredo_ipv6.yml b/artifacts/network-infrastructure/teredo_ipv6.yml similarity index 67% rename from artifacts/network/teredo_ipv6.yml rename to artifacts/network-infrastructure/teredo_ipv6.yml index 753f97c..7603a61 100644 --- a/artifacts/network/teredo_ipv6.yml +++ b/artifacts/network-infrastructure/teredo_ipv6.yml @@ -1,6 +1,6 @@ title: "Teredo and IPv6 Transition Configuration" -category: "network" -description: "IPv6 transition technologies, Teredo tunneling, dual-stack configuration, and covert communication channels" +category: "network-infrastructure" +description: "IPv6 transition technologies, Teredo tunneling, and covert communication channels" paths: - "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters" 
@@ -10,24 +10,20 @@ paths: details: what: | - IPv6 transition technology configuration manages Teredo tunneling, 6to4 automatic tunneling, - ISATAP (Intra-Site Automatic Tunnel Addressing Protocol), and IP-HTTPS settings that enable - IPv6 connectivity over IPv4 networks. Controls tunnel server addresses, interface parameters, - transition mechanism enablement, and dual-stack network configuration for seamless IPv4/IPv6 - interoperability in mixed network environments. + IPv6 transition technology configuration managing Teredo tunneling, 6to4 automatic tunneling, + ISATAP (Intra-Site Automatic Tunnel Addressing Protocol), and IP-HTTPS settings. Enables + IPv6 connectivity over IPv4 networks through tunnel server addresses and interface parameters. forensic_value: | Critical for detecting covert communication channels that exploit IPv6 transition technologies to bypass firewall restrictions and network monitoring. Teredo and other tunneling protocols can be abused for command and control communication, data exfiltration, and firewall evasion. - Configuration changes may indicate sophisticated attack techniques using IPv6 tunnels for - stealth communication or attempts to establish persistent backdoor channels. + Configuration changes may indicate sophisticated attack techniques using IPv6 tunnels. structure: | Teredo configuration includes Type (client/server mode), ServerName (tunnel server address), ClientPort (client communication port), and EnabledState (service status). IPv6 parameters - control DisabledComponents (IPv6 feature disabling), transition technology enablement, and - interface configurations. IP-HTTPS and ISATAP contain tunnel-specific settings and server configurations. + control DisabledComponents (IPv6 feature disabling) and transition technology settings. examples: - "Teredo\\Type: 4 (Teredo client mode)" 
@@ -52,6 +48,28 @@ details: - name: "IPv6 Tunnel Analysis Tools" description: "Specialized network analysis tools for IPv6 transition technologies" +limitations: + - "Configuration settings do NOT prove IPv6 tunneling was actually used" + - "Enabled transition technologies don't indicate actual tunnel establishment" + - "Server settings don't prove successful connections to tunnel servers" + - "IPv6 enablement doesn't show what traffic used IPv6 tunnels" + - "Teredo configuration may exist without any tunnel communication" + - "Disabled components don't prevent all IPv6 transition technology usage" + - "Tunnel server addresses can be legitimate while still enabling covert channels" + +correlation: + required_for_definitive_usage_proof: + - "Network traffic analysis showing actual IPv6 tunnel communications" + - "Teredo server connection logs confirming tunnel establishment" + - "IPv6 routing table entries showing active tunnel interfaces" + - "Application logs showing IPv6 connectivity through tunnels" + + strengthens_evidence: + - "Process execution logs showing IPv6 transition service activity" + - "Network interface statistics showing IPv6 tunnel traffic" + - "DNS resolution logs showing IPv6 address queries" + - "Firewall logs showing IPv6 tunnel traffic patterns" + metadata: windows_versions: - "Windows Vista" @@ -67,12 +85,12 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - criticality: "high" investigation_types: - "lateral-movement" - "data-exfiltration" + - "anti-forensics" - "behavioral-analysis" - "incident-response" @@ -111,5 +129,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/network/upnp_settings.yml b/artifacts/network-infrastructure/upnp_settings.yml similarity index 68% rename from artifacts/network/upnp_settings.yml rename to artifacts/network-infrastructure/upnp_settings.yml index 2c63775..7391106 100644 
--- a/artifacts/network/upnp_settings.yml +++ b/artifacts/network-infrastructure/upnp_settings.yml @@ -1,6 +1,6 @@ title: "UPnP and Network Discovery Settings" -category: "network" -description: "Universal Plug and Play configuration, network discovery settings, and device enumeration security" +category: "network-infrastructure" +description: "Universal Plug and Play configuration, network discovery settings, and device enumeration" paths: - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" 
@@ -10,25 +10,20 @@ paths: details: what: | - Universal Plug and Play (UPnP) and network discovery configuration controls automatic device - discovery, network browsing capabilities, network location awareness, and seamless device - connectivity. Manages device enumeration services, network neighborhood visibility, automatic - port mapping, and network topology discovery for simplified network device interaction and - resource sharing in home and enterprise environments. + Universal Plug and Play (UPnP) and network discovery configuration controlling automatic device + discovery, network browsing capabilities, and network location awareness. Manages device + enumeration services, network neighborhood visibility, and automatic port mapping. forensic_value: | - Critical for investigating network-based attacks that exploit UPnP vulnerabilities for unauthorized - access, port manipulation, and lateral movement. UPnP can be abused for network reconnaissance, + Critical for investigating network-based attacks that exploit UPnP vulnerabilities for + unauthorized access and lateral movement. UPnP can be abused for network reconnaissance, automatic firewall rule creation, and device compromise. Configuration changes may indicate - attackers enabling network discovery for infrastructure mapping or disabling security features - that restrict network access and device enumeration capabilities. + attackers enabling network discovery for infrastructure mapping. structure: | UPnP service configuration includes device discovery settings, network location awareness parameters, and browsing capabilities. Network discovery controls visibility of network devices and shared resources with settings for public, private, and domain networks. - FolderDescriptions contains network location definitions and access policies for - different network profile types. examples: - "UPnPHost\\Start: 3 (Manual startup - typical configuration)" 
@@ -53,6 +48,28 @@ details: - name: "UPnP Security Scanner" description: "Third-party tools for assessing UPnP security vulnerabilities" +limitations: + - "UPnP configuration does NOT prove devices were discovered or exploited" + - "Network discovery settings don't indicate actual device enumeration occurred" + - "Service enablement doesn't show UPnP protocols were used" + - "Device association settings don't prove automatic pairing happened" + - "Network location awareness doesn't indicate location detection accuracy" + - "Settings can be overridden by group policy or application requests" + - "UPnP enablement doesn't show which applications used UPnP services" + +correlation: + required_for_definitive_usage_proof: + - "Network traffic analysis showing UPnP protocol communications (SSDP, SOAP)" + - "UPnP device discovery logs showing actual device enumeration" + - "Windows Event Logs showing UPnP service activity and device associations" + - "Application logs showing UPnP-enabled software activity" + + strengthens_evidence: + - "Network interface statistics showing multicast UPnP traffic" + - "Process execution logs showing UPnP service and host activity" + - "Firewall logs showing UPnP port mapping requests" + - "Registry keys modified by UPnP device discovery" + metadata: windows_versions: - "Windows XP" @@ -64,7 +81,6 @@ metadata: - "Windows 11" introduced: "Windows XP" - criticality: "medium" investigation_types: @@ -108,5 +124,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/security/vpn_client.yml b/artifacts/network-infrastructure/vpn_client.yml similarity index 54% rename from artifacts/security/vpn_client.yml rename to artifacts/network-infrastructure/vpn_client.yml index 3e6ead3..18b150a 100644 --- a/artifacts/security/vpn_client.yml +++ b/artifacts/network-infrastructure/vpn_client.yml 
@@ -1,5 +1,5 @@ title: "VPN Client Application Configurations" -category: "security" +category: "network-infrastructure" description: "Commercial VPN client settings, server configurations, and privacy service integrations" paths: 
@@ -11,24 +11,19 @@ paths: details: what: | - Commercial VPN clients store configuration including server lists, connection - preferences, authentication credentials, and privacy settings. Registry tracks - installation data, subscription information, auto-connect preferences, and - kill switch configurations for comprehensive VPN usage analysis and privacy - service behavior tracking in security-conscious networking environments. + Commercial VPN clients store configuration including server lists, connection preferences, + authentication credentials, and privacy settings. Registry tracks installation data, subscription w + information, auto-connect preferences, and kill switch configurations for VPN usage analysis. forensic_value: | - Important for investigating privacy-seeking behavior, geographic location - obfuscation, potential evasion techniques, and privacy service usage. Shows - evidence of VPN connectivity, server preferences, privacy tool adoption, - and can indicate attempts to hide network traffic, evade geographic restrictions, - or maintain anonymity in network communications and online activities. + Important for investigating privacy-seeking behavior, geographic location obfuscation, and + potential evasion techniques. Shows evidence of VPN connectivity, server preferences, and + can indicate attempts to hide network traffic or maintain anonymity in communications. structure: | - VPN client configuration includes server endpoints, authentication methods, - connection protocols, kill switch settings, and privacy preferences. Subscription - data tracks account information, service features, and usage patterns for - comprehensive VPN service behavior analysis and privacy-focused networking assessment. + VPN client configuration includes server endpoints, authentication methods, connection protocols, + kill switch settings, and privacy preferences. 
Subscription data tracks account information, + service features, and usage patterns for comprehensive VPN service behavior analysis. examples: - "NordVPN\\ServerList: us-chicago-123.nordvpn.com" @@ -48,6 +43,28 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "VPN client configuration does NOT prove active VPN usage occurred" + - "Server settings don't indicate successful connection or data transmission" + - "Kill switch configuration doesn't prove privacy protection was active" + - "Auto-connect settings don't indicate VPN was actually used" + - "VPN installation may be for legitimate privacy or business purposes" + - "Configuration doesn't prove malicious intent or illegal activity" + +correlation: + required_for_definitive_usage_proof: + - "Network traffic logs showing VPN tunnel establishment" + - "Event logs showing VPN client process execution and successful connections" + - "Network interface logs showing VPN adapter activation" + - "DNS query logs showing VPN-provided DNS server usage" + - "Application logs showing successful VPN authentication and data transmission" + + strengthens_evidence: + - "Process execution logs showing VPN client startup during suspicious activity" + - "Network connection logs showing traffic to VPN server endpoints" + - "File system artifacts showing VPN configuration files and logs" + - "Registry changes showing VPN client usage during investigation timeframes" + metadata: windows_versions: - "Windows 7" @@ -57,13 +74,13 @@ metadata: - "Windows 11" introduced: "VPN Client Applications" - criticality: "medium" investigation_types: - "behavioral-analysis" - "incident-response" - "timeline-analysis" + - "anti-forensics" tags: - "vpn" @@ -96,5 +113,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" 
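Review bot: the rewritten `what:` block in vpn_client.yml contains a stray token, "subscription w" at the end of the second line followed by "information" on the next; it should read "subscription information". Separately, this file jumps from `version: "1.0"` straight to `"3.0"` and sets `last_updated: "2025-06-13"` while every other artifact in the change uses `"2025-06-12"`; if the version bump is meant to mark the schema change (new `limitations` and `correlation` blocks) that is fine, but the date looks like a copy error.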
diff --git a/artifacts/network/wifi_profiles.yml b/artifacts/network-infrastructure/wifi_profiles.yml similarity index 63% rename from artifacts/network/wifi_profiles.yml rename to artifacts/network-infrastructure/wifi_profiles.yml index 5369360..c2da53a 100644 --- a/artifacts/network/wifi_profiles.yml +++ b/artifacts/network-infrastructure/wifi_profiles.yml @@ -1,6 +1,6 @@ title: "WiFi Network Profiles and Credentials" -category: "network" -description: "Stored WiFi profiles, SSIDs, security settings, connection history, and network location tracking" +category: "network-infrastructure" +description: "Stored WiFi profiles, SSIDs, security settings, and network location tracking" paths: - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles" 
@@ -9,24 +9,20 @@ paths: details: what: | - Windows stores comprehensive WiFi network profile information including SSID names, security - configurations, connection properties, network categories, and encrypted credentials for - automatic reconnection. Network signatures track connection history, first/last connection - times, and network identification data. Maintains both managed (domain) and unmanaged - (personal) network profiles with detailed connection metadata and location tracking. + Windows WiFi network profile information including SSID names, security configurations, + connection properties, network categories, and encrypted credentials for automatic + reconnection. Network signatures track connection history and first/last connection times. forensic_value: | Critical for establishing user location patterns, travel history, and potential access points visited by suspects. WiFi profiles reveal geographic movement, lifestyle patterns, and association with specific locations or organizations. Can indicate compromise through rogue - access points, unauthorized network access, or reveal investigative leads about suspect - activities and whereabouts during relevant time periods. + access points or reveal investigative leads about suspect activities. structure: | - Network profiles stored with GUIDs as registry keys containing ProfileName (SSID), Description - (network details), Managed status (domain vs. personal), Category (public/private/domain), - DateCreated and DateLastConnected as FILETIME values. Signatures maintain network identification - data and connection correlation information for comprehensive network tracking. + Network profiles stored with GUIDs as registry keys containing ProfileName (SSID), + Description (network details), Category (public/private/domain), DateCreated and + DateLastConnected as FILETIME values. Signatures maintain network identification data. examples: - "ProfileName: CoffeeShop_WiFi (Public WiFi access point)" 
@@ -52,6 +48,28 @@ details: - name: "Network Location Analysis Tools" description: "Specialized tools for geographic and location analysis from WiFi data" +limitations: + - "WiFi profiles do NOT prove user was physically present at network locations" + - "Network connection doesn't indicate duration of stay or actual internet usage" + - "SSID names can be spoofed or duplicated across different physical locations" + - "Connection timestamps don't prove sustained network activity" + - "Profile creation doesn't guarantee successful authentication or data transmission" + - "WiFi credentials don't indicate what online activities occurred" + - "Network categories may be incorrect or manually modified" + +correlation: + required_for_definitive_location_proof: + - "WiFi access point MAC addresses and GPS coordinates from wardriving databases" + - "Internet service provider logs showing IP address assignments at specific times" + - "Application usage logs showing online activity during WiFi connections" + - "Cell tower location data correlating with WiFi connection timestamps" + + strengthens_evidence: + - "Browser history showing location-specific searches or activities" + - "File system artifacts with timestamps correlating to WiFi connections" + - "GPS metadata in photos or documents created during WiFi connection periods" + - "Credit card or transaction records showing purchases at WiFi network locations" + metadata: windows_versions: - "Windows Vista" @@ -62,7 +80,6 @@ metadata: - "Windows 11" introduced: "Windows Vista" - criticality: "medium" investigation_types: @@ -108,5 +125,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/persistence/appcertdlls_injection.yml b/artifacts/persistence-methods/appcertdlls_injection.yml similarity index 72% rename from artifacts/persistence/appcertdlls_injection.yml rename to artifacts/persistence-methods/appcertdlls_injection.yml index f384e55..52353d7 100644 --- a/artifacts/persistence/appcertdlls_injection.yml +++ b/artifacts/persistence-methods/appcertdlls_injection.yml @@ -1,5 +1,5 @@ title: "AppCertDLLs DLL Injection Persistence" -category: "persistence" +category: "persistence-methods" description: "Application Certification DLL injection mechanism for persistent code execution in all processes" paths: 
@@ -10,21 +10,19 @@ details: AppCertDLLs registry key enables system-wide DLL injection by specifying Dynamic Link Libraries that Windows automatically loads into every process that calls CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, and WinExec APIs. Originally designed for - application certification and compatibility testing, this mechanism provides powerful process - injection capabilities for both legitimate and malicious purposes. + application certification and compatibility testing. forensic_value: | Critical persistence mechanism used by advanced malware and sophisticated attackers for system-wide code injection. Shows evidence of persistent DLL injection affecting all processes, rootkit-like - behavior, and advanced evasion techniques. Extremely dangerous when abused as it provides - unrestricted access to all process memory spaces and can be used for credential theft, process - manipulation, and comprehensive system compromise. Essential for detecting advanced persistent threats. + behavior, and advanced evasion techniques. Provides unrestricted access to all process memory + spaces and can be used for credential theft and comprehensive system compromise. structure: | Registry key contains value names as arbitrary identifiers with REG_SZ data specifying full paths to DLL files. Each DLL listed will be automatically injected into every new process created on the system. Multiple DLLs can be specified with different value names. Empty - or non-existent key is normal; any entries should be investigated as potential malware. + or non-existent key is normal state. examples: - "CertificationDLL1: C:\\Windows\\System32\\legitimate_cert.dll (Legitimate certification DLL)" 
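Review bot: in the appcertdlls_injection.yml `structure:` hunk, the replacement line "Empty or non-existent key is normal state." drops an article ("is the normal state") and, more importantly, drops the only investigative guidance in the block, that any entry under AppCertDLLs warrants investigation. Given that this key is empty on a clean install, that guidance is the artifact's key triage point; suggest keeping it here or moving it into `forensic_value` rather than deleting it, e.g. "An empty or non-existent key is the normal state; any populated entry should be investigated."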
@@ -49,6 +47,28 @@ details: - name: "DLL Injection Detectors" description: "Specialized security tools for detecting DLL injection techniques" +limitations: + - "AppCertDLLs entries do NOT prove DLLs were successfully loaded or executed" + - "Registry configuration doesn't indicate successful process injection occurred" + - "DLL paths don't show malicious payloads were delivered or activated" + - "Persistence mechanism may be disabled by security software or policies" + - "DLL injection may fail due to missing files, permission issues, or compatibility problems" + - "Configuration doesn't reveal frequency or duration of malicious activity" + - "Registry entries don't prove system compromise or successful exploitation" + +correlation: + required_for_definitive_injection_proof: + - "Process execution logs showing DLL loading into target processes" + - "File system artifacts showing malicious DLL files at specified paths" + - "Memory dumps showing injected DLL code in process address spaces" + - "Network traffic logs showing command and control communications from injected processes" + + strengthens_evidence: + - "EDR logs showing suspicious process behavior after DLL injection" + - "Registry modifications made by injected DLL code" + - "File system changes indicating malicious DLL activity" + - "Event logs showing process creation and DLL loading events" + metadata: windows_versions: - "Windows NT" @@ -69,7 +89,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT" - criticality: "high" investigation_types: @@ -123,5 +142,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "1.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/com_objects.yml b/artifacts/persistence-methods/com_objects.yml similarity index 69% rename from artifacts/persistence/com_objects.yml rename to artifacts/persistence-methods/com_objects.yml index f3351cc..2ff67cc 100644 
--- a/artifacts/persistence/com_objects.yml +++ b/artifacts/persistence-methods/com_objects.yml @@ -1,5 +1,5 @@ title: "COM Objects and Class Registration" -category: "persistence" +category: "persistence-methods" description: "Component Object Model registration database for DLL hijacking and sophisticated persistence mechanisms" paths: 
@@ -14,22 +14,19 @@ details: Component Object Model (COM) registration database containing Class IDs (CLSIDs), Interface IDs (IIDs), Type Library information, and associated DLL/executable paths. Controls how applications instantiate and interact with COM objects, services, and - components. Includes InProcess and OutProcess server registrations, interface - definitions, and security descriptors for COM object access control. + components. Includes InProcess and OutProcess server registrations. forensic_value: | - COM hijacking is a sophisticated persistence technique where malware replaces - legitimate COM object paths with malicious DLLs. Shows unauthorized COM object - registration, DLL path modifications, potential hijacking attempts, and advanced - persistence mechanisms. Can indicate rootkit activity, advanced persistent threats, - and sophisticated malware families using COM for stealth and persistence. + COM hijacking is a sophisticated persistence technique where malware replaces legitimate + COM object paths with malicious DLLs. Shows unauthorized COM object registration, DLL + path modifications, and potential hijacking attempts. Can indicate rootkit activity, + advanced persistent threats, and sophisticated malware families using COM for stealth. structure: | - CLSID entries contain InprocServer32 (DLL path), LocalServer32 (EXE path), - ProgID associations, threading models, and interface definitions. Each CLSID - represents a unique COM class with specific functionality, implementation, - security attributes, and activation contexts. Binary data includes type - libraries, interface marshaling information, and security descriptors. + CLSID entries contain InprocServer32 (DLL path), LocalServer32 (EXE path), ProgID + associations, threading models, and interface definitions. Each CLSID represents a + unique COM class with specific functionality and implementation. Binary data includes + type libraries and interface marshaling information. 
examples: - "CLSID\\{00021401-0000-0000-C000-000000000046}\\InprocServer32: C:\\malware\\evil.dll" @@ -57,6 +54,28 @@ details: - name: "COM Hijack Toolkit" description: "Specialized tools for COM hijacking detection and analysis" +limitations: + - "COM object registration does NOT prove objects were instantiated or executed" + - "CLSID entries don't indicate successful COM object creation or usage" + - "DLL paths don't show malicious code was loaded or executed" + - "Registry hijacking may fail due to application-specific COM binding" + - "COM object modifications don't prove persistence mechanism was activated" + - "Threading model settings don't indicate actual COM object behavior" + - "Interface definitions don't show successful COM interface marshaling" + +correlation: + required_for_definitive_hijacking_proof: + - "Process execution logs showing COM object instantiation and DLL loading" + - "File system artifacts showing malicious DLL files at hijacked paths" + - "Application event logs showing COM object creation and interface usage" + - "Memory dumps showing hijacked COM objects in application address spaces" + + strengthens_evidence: + - "Registry modifications made by hijacked COM objects" + - "Network traffic initiated by malicious COM components" + - "File system changes indicating COM object activity" + - "Event logs showing COM+ application activity" + metadata: windows_versions: - "Windows 95" @@ -79,7 +98,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 95 / Windows NT 3.5" - criticality: "high" investigation_types: @@ -133,5 +151,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
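Review bot: The rewrite of `what` and `structure` in the @@ -14,22 +14,19 @@ hunk reads as a line-length reflow but silently drops content: "interface definitions, and security descriptors for COM object access control" disappears from `what`, and "security attributes, and activation contexts" plus the "security descriptors" mention disappear from `structure`. If the intent is only to reflow, keep those phrases; if the COM access-control material was removed on purpose, say so in the commit message, because the `forensic_value` text still promises "advanced persistence mechanisms" and readers of the artifact will look here for the access-control data.

Review bot: The @@ -79,7 +98,6 @@ hunk removes `criticality: "high"` from `metadata` without adding it anywhere else in the file, and the same removal is repeated in every artifact renamed by this patch (image_file_execution_options_hijack, lsa_security_packages, print_processors, registry_run_keys, scheduled_tasks, screensaver, shell_extensions). The README changed in this same patch still advertises filtering "by category, criticality level, Windows version, and registry hive", so either keep the field or state where criticality now lives and update the README's filter description to match.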
diff --git a/artifacts/persistence/image_hijack.yml b/artifacts/persistence-methods/image_file_execution_options_hijack.yml similarity index 64% rename from artifacts/persistence/image_hijack.yml rename to artifacts/persistence-methods/image_file_execution_options_hijack.yml index fee3d5b..fbbc2a8 100644 --- a/artifacts/persistence/image_hijack.yml +++ b/artifacts/persistence-methods/image_file_execution_options_hijack.yml @@ -1,5 +1,5 @@ title: "Image File Execution Options Hijacking" -category: "persistence" +category: "persistence-methods" description: "Process hijacking through Image File Execution Options debugger attachment and execution redirection" paths: 
@@ -9,24 +9,23 @@ paths: details: what: | - Image File Execution Options (IFEO) allows attaching debuggers to processes, - modifying executable behavior, and controlling process execution parameters. - Originally designed for debugging and compatibility, malware abuses this mechanism - to hijack legitimate processes by setting malicious debuggers that run instead - of the target application. Includes GlobalFlag settings for debugging features. + Image File Execution Options (IFEO) allows attaching debuggers to processes, modifying + executable behavior, and controlling process execution parameters. Originally designed + for debugging and compatibility, malware abuses this mechanism to hijack legitimate + processes by setting malicious debuggers that run instead of the target application. forensic_value: | - Advanced persistence technique that hijacks legitimate processes through debugger - attachment. Shows unauthorized debugger attachments, process redirection, and - sophisticated evasion techniques. Critical for detecting advanced malware persistence, - accessibility tool hijacking (sticky keys attacks), and process replacement attacks. - Can indicate privilege escalation attempts and system compromise. + Advanced persistence technique that hijacks legitimate processes through debugger attachment. + Shows unauthorized debugger attachments, process redirection, and sophisticated evasion + techniques. Critical for detecting advanced malware persistence, accessibility tool hijacking + (sticky keys attacks), and process replacement attacks. Can indicate privilege escalation + attempts and system compromise. structure: | - Executable names as subkeys containing Debugger value pointing to malicious - executables, GlobalFlag for debugging options, VerifierDlls for application - verifier, and various debugging parameters. When the hijacked process starts, - the debugger runs instead with the original process as a parameter. 
+ Executable names as subkeys containing Debugger value pointing to malicious executables, + GlobalFlag for debugging options, VerifierDlls for application verifier, and various + debugging parameters. When the hijacked process starts, the debugger runs instead with + the original process as a parameter. examples: - "sethc.exe\\Debugger: C:\\Windows\\System32\\cmd.exe (Sticky Keys hijack)" @@ -55,6 +54,28 @@ details: - name: "IFEO Manager" description: "Tools for managing and analyzing Image File Execution Options" +limitations: + - "IFEO debugger settings do NOT prove hijacked processes were actually executed" + - "Debugger attachments don't indicate successful process redirection occurred" + - "Registry entries don't show hijacked processes launched their debuggers" + - "IFEO settings may be overridden by security software or policies" + - "Process hijacking may fail due to missing debugger files or permission issues" + - "Accessibility tool hijacking doesn't prove unauthorized access occurred" + - "Configuration doesn't reveal frequency or success of hijacking attempts" + +correlation: + required_for_definitive_hijacking_proof: + - "Process execution logs showing debugger execution instead of target processes" + - "File system artifacts showing malicious debugger files at specified paths" + - "Event logs showing process creation events for hijacked executables" + - "Memory dumps showing debugger processes running in place of targets" + + strengthens_evidence: + - "Registry modifications made by hijacked processes or debuggers" + - "Network traffic initiated by malicious debuggers" + - "File system changes indicating debugger activity" + - "Application event logs showing failed target process launches" + metadata: windows_versions: - "Windows NT 3.5" @@ -76,7 +97,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.5" - criticality: "high" investigation_types: 
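Review bot: In the @@ -55,6 +54,28 @@ hunk the correlation item "Event logs showing process creation events for hijacked executables" points at the wrong process: by the `structure` text in the hunk above it, "the debugger runs instead with the original process as a parameter", so the evidence of a hijack is a process creation event for the executable named in the Debugger value whose command line carries the target's path (in the sethc.exe example, a cmd.exe launch with sethc.exe as its argument), not an event for the target itself. Reword the item accordingly, and pair the limitation "Process hijacking may fail due to missing debugger files or permission issues" with a matching correlation entry for a failed launch of the Debugger path, which is the counter-indicator an analyst would want.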
@@ -130,5 +150,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/lsa_packages.yml b/artifacts/persistence-methods/lsa_security_packages.yml similarity index 62% rename from artifacts/persistence/lsa_packages.yml rename to artifacts/persistence-methods/lsa_security_packages.yml index 73bc59f..54fa436 100644 --- a/artifacts/persistence/lsa_packages.yml +++ b/artifacts/persistence-methods/lsa_security_packages.yml @@ -1,5 +1,5 @@ title: "LSA Security Packages and Authentication" -category: "persistence" +category: "persistence-methods" description: "Local Security Authority packages, authentication providers, and credential interception mechanisms" paths: 
@@ -9,24 +9,22 @@ paths: details: what: | - Local Security Authority (LSA) configuration including security packages, - authentication providers, notification packages, and security support providers - that handle authentication, credential management, and security functions. - Controls authentication protocols, password filtering, and security event - notifications throughout the Windows authentication subsystem. + Local Security Authority (LSA) configuration including security packages, authentication + providers, notification packages, and security support providers that handle authentication, + credential management, and security functions. Controls authentication protocols, password + filtering, and security event notifications throughout the Windows authentication subsystem. forensic_value: | - Advanced persistence technique where malware registers malicious DLLs as LSA - security packages, providing persistent access with SYSTEM privileges and the - ability to intercept authentication credentials, passwords, and security tokens. - Can indicate sophisticated attacks targeting authentication infrastructure, - credential harvesting operations, and advanced persistent threats. + Advanced persistence technique where malware registers malicious DLLs as LSA security packages, + providing persistent access with SYSTEM privileges and the ability to intercept authentication + credentials, passwords, and security tokens. Can indicate sophisticated attacks targeting + authentication infrastructure, credential harvesting operations, and advanced persistent threats. structure: | - LSA settings include Security Packages (authentication DLLs), Authentication - Packages (logon process DLLs), Notification Packages (password change notifications), - SecurityProviders (SSP/AP DLLs), and Bounds checking configuration stored as - REG_MULTI_SZ values with system security implications. 
+ LSA settings include Security Packages (authentication DLLs), Authentication Packages (logon + process DLLs), Notification Packages (password change notifications), SecurityProviders + (SSP/AP DLLs), and Bounds checking configuration stored as REG_MULTI_SZ values with system + security implications. examples: - "Security Packages: kerberos, msv1_0, schannel, wdigest, tspkg, pku2u" @@ -53,6 +51,28 @@ details: url: "https://github.com/gentilkiwi/mimikatz" description: "Credential extraction tool that can identify LSA modifications" +limitations: + - "LSA package registration does NOT prove packages were loaded or executed" + - "Security provider entries don't indicate successful credential interception" + - "Authentication package modifications don't show logon process exploitation" + - "Notification package settings don't prove password change monitoring occurred" + - "LSA configuration changes may be blocked by security policies or protections" + - "Malicious packages may fail to load due to signature verification or compatibility issues" + - "Registry entries don't show frequency or success of credential harvesting attempts" + +correlation: + required_for_definitive_exploitation_proof: + - "Process execution logs showing LSA service loading malicious packages" + - "File system artifacts showing malicious LSA DLL files at specified paths" + - "Memory dumps showing injected code in LSASS process address space" + - "Network traffic logs showing credential theft or authentication bypass" + + strengthens_evidence: + - "Event logs showing LSA service restarts or authentication failures" + - "Registry modifications made by malicious LSA packages" + - "File system changes indicating credential harvesting activity" + - "Security audit logs showing unusual authentication patterns" + metadata: windows_versions: - "Windows NT 3.1" 
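Review bot: The @@ -53,6 +51,28 @@ hunk names its correlation key `required_for_definitive_exploitation_proof`, while the equivalent key added to com_objects.yml and image_file_execution_options_hijack.yml earlier in this patch is `required_for_definitive_hijacking_proof`, and later files in the same patch use `required_for_definitive_execution_proof` and `required_for_definitive_usage_proof`. Anything that validates or renders the artifact schema now has to know every variant; use one key (for example `required_for_definitive_proof`) and, if the distinction is worth keeping, carry "hijacking"/"exploitation"/"execution"/"usage" as a value rather than in the key name.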
@@ -73,12 +93,12 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: - "persistence-analysis" - "privilege-escalation" + - "credential-theft" - "malware-analysis" - "incident-response" @@ -126,5 +146,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/print_processors.yml b/artifacts/persistence-methods/print_processors.yml similarity index 63% rename from artifacts/persistence/print_processors.yml rename to artifacts/persistence-methods/print_processors.yml index 4f90db2..e29376a 100644 --- a/artifacts/persistence/print_processors.yml +++ b/artifacts/persistence-methods/print_processors.yml @@ -1,5 +1,5 @@ title: "Print Processors and Print Monitor DLLs" -category: "persistence" +category: "persistence-methods" description: "Print system DLL persistence through processors, monitors, and print providers" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - Windows print system configuration including print processors, print monitors, - print providers, and printer-specific settings. These DLLs are loaded by the - spooler service (spoolsv.exe) and provide opportunities for persistent code - execution with SYSTEM privileges. Controls print job processing, printer - communication, and network printing functionality through registered DLL components. + Windows print system configuration including print processors, print monitors, print providers, + and printer-specific settings. These DLLs are loaded by the spooler service (spoolsv.exe) and + provide opportunities for persistent code execution with SYSTEM privileges. Controls print job + processing, printer communication, and network printing functionality. forensic_value: | - Advanced persistence technique where malware registers malicious DLLs as print - processors, monitors, or providers. Shows unauthorized print system modifications - that can provide persistent access with high privileges. Can indicate sophisticated - attacks targeting the print spooler service for privilege escalation, lateral - movement, or persistent access to critical systems. + Advanced persistence technique where malware registers malicious DLLs as print processors, + monitors, or providers. Shows unauthorized print system modifications that can provide persistent + access with high privileges. Can indicate sophisticated attacks targeting the print spooler + service for privilege escalation, lateral movement, or persistent access to critical systems. structure: | - Print processors and monitors registered with DLL paths, entry points, and - configuration data. Each entry specifies the DLL location, functionality provided, - environment (Windows/NT x86/x64), and load order. Print providers handle network - printing, authentication, and print queue management with specific capabilities. 
+ Print processors and monitors registered with DLL paths, entry points, and configuration data. + Each entry specifies the DLL location, functionality provided, environment (Windows/NT x86/x64), + and load order. Print providers handle network printing, authentication, and print queue + management with specific capabilities. examples: - "Processors\\winprint\\Driver: C:\\Windows\\System32\\winprint.dll" @@ -54,6 +52,28 @@ details: - name: "Print Spooler Analysis Tools" description: "Specialized tools for print system security and configuration analysis" +limitations: + - "Print system configuration does NOT prove DLLs were loaded or executed" + - "Registered processors don't indicate print jobs were processed through malicious code" + - "Monitor registrations don't show printer communication was intercepted" + - "Provider entries don't prove network printing services were compromised" + - "Print spooler may not load registered DLLs due to service issues or restrictions" + - "Malicious print components may fail due to missing dependencies or permissions" + - "Configuration doesn't reveal frequency or success of print-based persistence" + +correlation: + required_for_definitive_exploitation_proof: + - "Process execution logs showing print spooler service loading malicious DLLs" + - "File system artifacts showing malicious print DLL files at registered paths" + - "Print spooler event logs showing DLL loading and print job processing" + - "Memory dumps showing injected code in spoolsv.exe process" + + strengthens_evidence: + - "Event logs showing print spooler service restarts or failures" + - "Network traffic logs showing print-related communications" + - "Registry modifications made by malicious print components" + - "File system changes indicating print system exploitation" + metadata: windows_versions: - "Windows NT 3.1" @@ -74,7 +94,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "medium" investigation_types: 
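Review bot: In the @@ -54,6 +52,28 @@ hunk, "Process execution logs showing print spooler service loading malicious DLLs" asks for the wrong telemetry: a DLL loaded into the already-running spoolsv.exe produces no process creation event, only an image/module load record (Sysmon Event ID 7 or an equivalent loader trace). The same wording recurs in the COM, LSA and shell extension correlation lists in this patch, where the host process is the COM client, lsass.exe or Explorer.exe; reword those items to "image load events showing <host process> loading the registered DLL" so readers collect evidence that can actually exist.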
@@ -128,5 +147,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/registry_run_keys.yml b/artifacts/persistence-methods/registry_run_keys.yml similarity index 65% rename from artifacts/persistence/registry_run_keys.yml rename to artifacts/persistence-methods/registry_run_keys.yml index 4a18c65..70ba929 100644 --- a/artifacts/persistence/registry_run_keys.yml +++ b/artifacts/persistence-methods/registry_run_keys.yml @@ -1,5 +1,5 @@ title: "Registry Run Keys Persistence" -category: "persistence" +category: "persistence-methods" description: "Autostart programs via Run and RunOnce registry keys - primary malware persistence method" paths: 
@@ -12,22 +12,22 @@ paths: details: what: | - Registry locations where Windows automatically executes programs during user logon - or system startup. HKLM keys run for all users with SYSTEM privileges, HKCU keys - run for specific users with user privileges. RunOnce keys execute once then delete - themselves. RunServices keys exist on older Windows versions for service startup. + Registry locations where Windows automatically executes programs during user logon or system + startup. HKLM keys run for all users with SYSTEM privileges, HKCU keys run for specific users + with user privileges. RunOnce keys execute once then delete themselves. RunServices keys exist + on older Windows versions for service startup. forensic_value: | - Primary persistence mechanism used by malware, backdoors, and legitimate software. - Shows what programs automatically start with Windows. Critical for identifying - unauthorized persistence and malware installation. Can reveal privilege escalation - attempts and system compromise indicators. Essential for incident response triage. + Primary persistence mechanism used by malware, backdoors, and legitimate software. Shows what + programs automatically start with Windows. Critical for identifying unauthorized persistence + and malware installation. Can reveal privilege escalation attempts and system compromise + indicators. Essential for incident response triage. structure: | - Value names are arbitrary (often program names), value data contains executable - paths with optional command line arguments. REG_SZ or REG_EXPAND_SZ format. - Can include quotes around paths, environment variables, and various command line switches. - Entries beginning with asterisk (*) are hidden from System Configuration Utility. + Value names are arbitrary (often program names), value data contains executable paths with + optional command line arguments. REG_SZ or REG_EXPAND_SZ format. 
Can include quotes around + paths, environment variables, and various command line switches. Entries beginning with + asterisk (*) are hidden from System Configuration Utility. examples: - "SecurityHealthSystray: C:\\Windows\\System32\\SecurityHealthSystray.exe" @@ -51,6 +51,27 @@ details: url: "https://github.com/palantir/windows-event-forwarding" description: "Convert Autoruns output to Windows Event Log format" +limitations: + - "Run key entries do NOT prove programs were successfully executed" + - "Registry persistence doesn't indicate successful program launch or completion" + - "Autostart configurations may be blocked by security software or policies" + - "RunOnce entries don't show if programs executed before key deletion" + - "Hidden entries (asterisk prefix) don't prove stealth execution occurred" + - "Registry entries don't reveal frequency, duration, or success of program execution" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing successful program startup from Run keys" + - "File system artifacts showing program files at specified paths" + - "Windows Event Logs showing process creation events (Event ID 4688)" + - "Application event logs showing successful program initialization" + + strengthens_evidence: + - "UserAssist entries showing program execution statistics" + - "ShimCache entries showing program access attempts" + - "Registry modifications made by executed programs" + - "Network traffic initiated by autostart programs" + metadata: windows_versions: - "Windows 95" @@ -72,7 +93,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 95" - criticality: "high" investigation_types: @@ -125,5 +145,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
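Review bot: The @@ -12,22 +12,22 @@ hunk reflows but keeps the claim "HKLM keys run for all users with SYSTEM privileges", which is wrong: Run and RunOnce entries are launched by the shell at logon in the security context of the user logging on, so an HKLM entry runs for every user but with that user's privileges, never as SYSTEM. Since the line is being touched anyway, change it to something like "HKLM keys run for every user who logs on, in that user's context; HKCU keys run only for the specific user", and reserve the privilege distinction for who can write the key rather than who the program runs as. The same sentence is the basis for "Can reveal privilege escalation attempts" in `forensic_value`, so that claim should be softened with it.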
diff --git a/artifacts/persistence/scheduled_tasks.yml b/artifacts/persistence-methods/scheduled_tasks.yml similarity index 65% rename from artifacts/persistence/scheduled_tasks.yml rename to artifacts/persistence-methods/scheduled_tasks.yml index 00979cb..6a26084 100644 --- a/artifacts/persistence/scheduled_tasks.yml +++ b/artifacts/persistence-methods/scheduled_tasks.yml @@ -1,5 +1,5 @@ title: "Scheduled Tasks Registry Entries" -category: "persistence" +category: "persistence-methods" description: "Registry traces of scheduled tasks used for persistence, automation, and system maintenance" paths: 
@@ -11,24 +11,22 @@ paths: details: what: | - Windows Task Scheduler maintains registry entries for all scheduled tasks, - including task metadata, execution history, hierarchical organization, and - trigger information. Tracks both system tasks and user-created automation - with detailed execution statistics, security contexts, and scheduling patterns. - Registry data complements XML task definitions stored in the file system. + Windows Task Scheduler maintains registry entries for all scheduled tasks, including task + metadata, execution history, hierarchical organization, and trigger information. Tracks both + system tasks and user-created automation with detailed execution statistics, security contexts, + and scheduling patterns. Registry data complements XML task definitions. forensic_value: | - Scheduled tasks are a common persistence mechanism for malware and legitimate - automation. Shows task creation times, execution patterns, authors, and can reveal - malicious automation, unauthorized access schedules, or privilege escalation attempts. - Critical for identifying advanced persistent threats (APTs) that use legitimate - Windows scheduling for persistence and lateral movement. + Scheduled tasks are a common persistence mechanism for malware and legitimate automation. + Shows task creation times, execution patterns, authors, and can reveal malicious automation, + unauthorized access schedules, or privilege escalation attempts. Critical for identifying + advanced persistent threats (APTs) that use legitimate Windows scheduling for persistence. structure: | - Tasks subkey contains binary task metadata including Author, Date, Path, URI, - Actions, and execution history. Tree subkey maintains hierarchical task organization - with folder structures. Binary data includes GUID identifiers, security descriptors, - trigger definitions, and execution statistics in proprietary Microsoft format. 
+ Tasks subkey contains binary task metadata including Author, Date, Path, URI, Actions, and + execution history. Tree subkey maintains hierarchical task organization with folder structures. + Binary data includes GUID identifiers, security descriptors, trigger definitions, and + execution statistics in proprietary Microsoft format. examples: - "Author: Microsoft Corporation" @@ -59,6 +57,28 @@ details: url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" description: "Microsoft Sysinternals tool including scheduled task enumeration" +limitations: + - "Scheduled task registry entries do NOT prove tasks were executed" + - "Task metadata doesn't indicate successful task completion or failure" + - "Execution history may not reflect actual program execution or results" + - "Task scheduling doesn't prove scheduled programs were found or functional" + - "Registry entries don't show task output, errors, or runtime behavior" + - "Task triggers don't indicate trigger conditions were met or actions taken" + - "Security context doesn't prove tasks ran with specified privileges" + +correlation: + required_for_definitive_execution_proof: + - "Task Scheduler event logs showing actual task execution (Event ID 100, 101)" + - "Process execution logs showing scheduled programs launching" + - "File system artifacts showing task output, logs, or modified files" + - "Windows Event Logs showing process creation from Task Scheduler service" + + strengthens_evidence: + - "Registry modifications made by executed scheduled tasks" + - "Network traffic initiated by scheduled programs" + - "File system changes indicating scheduled task activity" + - "Application event logs showing scheduled program execution" + metadata: windows_versions: - "Windows Vista" @@ -74,7 +94,6 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista (Task Scheduler 2.0)" - criticality: "high" investigation_types: 
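Review bot: In the @@ -59,6 +57,28 @@ hunk the item "Task Scheduler event logs showing actual task execution (Event ID 100, 101)" cites a failure event as proof of execution: in the Microsoft-Windows-TaskScheduler/Operational log, 100 is "Task Started" but 101 is "Task Start Failed"; completion is 102, and the action itself is recorded as 200 ("Action started") and 201 ("Action completed"). Cite 100 with 200/201 (or 102) for execution, move 101 to the limitations side as a counter-indicator, and add to `limitations` that this Operational log is disabled by default, since its absence is itself a gap in the proof list.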
@@ -128,5 +147,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/screensaver.yml b/artifacts/persistence-methods/screensaver.yml similarity index 61% rename from artifacts/persistence/screensaver.yml rename to artifacts/persistence-methods/screensaver.yml index e2db1b3..48ed514 100644 --- a/artifacts/persistence/screensaver.yml +++ b/artifacts/persistence-methods/screensaver.yml @@ -1,5 +1,5 @@ title: "Screensaver Persistence and Configuration" -category: "persistence" +category: "persistence-methods" description: "Screensaver hijacking for persistence, execution triggers, and idle-time activation" paths: 
@@ -9,24 +9,22 @@ paths: details: what: | - Windows screensaver configuration including screensaver executable path, - timeout settings, password protection, and screensaver-related security - settings. Screensavers run with user privileges when activated and provide - an execution mechanism triggered by system idle time. Configuration also - includes screensaver selection, display properties, and activation policies. + Windows screensaver configuration including screensaver executable path, timeout settings, + password protection, and screensaver-related security settings. Screensavers run with user + privileges when activated and provide an execution mechanism triggered by system idle time. + Configuration includes screensaver selection, display properties, and activation policies. forensic_value: | - Malware can replace legitimate screensavers with malicious executables for - persistence that triggers during idle periods. Shows unauthorized screensaver - modifications that provide execution opportunities when systems are unattended. - Can indicate sophisticated persistence mechanisms that activate during low-activity - periods to avoid detection and maintain covert access to compromised systems. + Malware can replace legitimate screensavers with malicious executables for persistence that + triggers during idle periods. Shows unauthorized screensaver modifications that provide + execution opportunities when systems are unattended. Can indicate sophisticated persistence + mechanisms that activate during low-activity periods to avoid detection. structure: | - Desktop settings include SCRNSAVE.EXE (screensaver path), ScreenSaveTimeOut - (activation time in seconds), ScreenSaverIsSecure (password protection), - ScreenSaveActive (enabled/disabled), and various screensaver-specific - configuration parameters stored as REG_SZ values in Control Panel\\Desktop. 
+ Desktop settings include SCRNSAVE.EXE (screensaver path), ScreenSaveTimeOut (activation time + in seconds), ScreenSaverIsSecure (password protection), ScreenSaveActive (enabled/disabled), + and various screensaver-specific configuration parameters stored as REG_SZ values in + Control Panel\\Desktop. examples: - "SCRNSAVE.EXE: C:\\Windows\\System32\\Mystify.scr" @@ -52,6 +50,28 @@ details: - name: "ScreenSaverView" description: "Tools for analyzing and monitoring screensaver configurations" +limitations: + - "Screensaver configuration does NOT prove screensaver was activated or executed" + - "Executable path settings don't indicate successful screensaver launch" + - "Timeout settings don't show system idle time was reached" + - "Malicious screensaver paths don't prove unauthorized execution occurred" + - "Screensaver activation may be prevented by user activity or power settings" + - "Registry settings don't reveal frequency or duration of screensaver execution" + - "Password protection settings don't indicate screensaver lock/unlock events" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing screensaver program startup" + - "File system artifacts showing screensaver executable files at configured paths" + - "Windows Event Logs showing process creation for screensaver programs" + - "User activity logs showing system idle periods matching screensaver timeouts" + + strengthens_evidence: + - "Registry modifications made by executed screensaver programs" + - "Network traffic initiated by malicious screensaver executables" + - "File system changes indicating screensaver program activity" + - "Power management logs showing display state changes" + metadata: windows_versions: - "Windows 95" @@ -67,7 +87,6 @@ metadata: - "Windows 11" introduced: "Windows 95" - criticality: "low" investigation_types: 
@@ -119,5 +138,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/shell_extensions.yml b/artifacts/persistence-methods/shell_extensions.yml similarity index 64% rename from artifacts/persistence/shell_extensions.yml rename to artifacts/persistence-methods/shell_extensions.yml index 2953068..6958317 100644 --- a/artifacts/persistence/shell_extensions.yml +++ b/artifacts/persistence-methods/shell_extensions.yml @@ -1,5 +1,5 @@ title: "Shell Extensions and Context Menu Handlers" -category: "persistence" +category: "persistence-methods" description: "Shell extensions, context menu handlers, and Explorer integration points for persistence" paths: 
@@ -11,24 +11,22 @@ paths: details: what: | - Windows shell extensions provide integration points for third-party applications - to extend Explorer functionality through context menu handlers, property sheet - handlers, icon overlay handlers, drag-and-drop handlers, and shell namespace - extensions. These COM-based extensions execute within Explorer.exe process - and provide rich integration with Windows shell operations and user interactions. + Windows shell extensions provide integration points for third-party applications to extend + Explorer functionality through context menu handlers, property sheet handlers, icon overlay + handlers, drag-and-drop handlers, and shell namespace extensions. These COM-based extensions + execute within Explorer.exe process and provide rich integration with Windows shell operations. forensic_value: | - Malware often uses shell extensions for persistence and to intercept file operations, - monitor user activity, or provide covert access points. Shows unauthorized context - menu additions, suspicious file handlers, and potential execution points triggered - by normal user file interactions. Can indicate sophisticated malware that integrates - deeply with Windows shell for stealth persistence and user activity monitoring. + Malware often uses shell extensions for persistence and to intercept file operations, monitor + user activity, or provide covert access points. Shows unauthorized context menu additions, + suspicious file handlers, and potential execution points triggered by normal user file + interactions. Can indicate sophisticated malware that integrates deeply with Windows shell. structure: | - CLSID identifiers as values pointing to registered shell extension components - with specific handler types. Context menu handlers organized by file types, - locations (files, directories, drives), and shell objects. Approved extensions - list shows which extensions are permitted to load in Explorer process. 
+ CLSID identifiers as values pointing to registered shell extension components with specific + handler types. Context menu handlers organized by file types, locations (files, directories, + drives), and shell objects. Approved extensions list shows which extensions are permitted + to load in Explorer process. examples: - "Approved\\{00021500-0000-0000-C000-000000000046}: WinRAR Shell Extension" @@ -56,6 +54,28 @@ details: - name: "Shell Extension Manager" description: "Tools for managing and analyzing Windows shell extensions" +limitations: + - "Shell extension registration does NOT prove extensions were loaded or executed" + - "Context menu handler entries don't indicate menu interactions occurred" + - "Approved extension listings don't show extensions were actively used" + - "CLSID references don't prove successful COM object instantiation" + - "Shell extension loading may be blocked by security policies or restrictions" + - "Malicious extensions may fail due to missing dependencies or permission issues" + - "Registry entries don't reveal frequency or success of shell extension activation" + +correlation: + required_for_definitive_usage_proof: + - "Process execution logs showing Explorer.exe loading shell extension DLLs" + - "File system artifacts showing shell extension DLL files at registered paths" + - "Windows Event Logs showing COM object creation for shell extensions" + - "User activity logs showing context menu usage or file operations" + + strengthens_evidence: + - "Registry modifications made by shell extension code" + - "Network traffic initiated by malicious shell extensions" + - "File system changes indicating shell extension activity" + - "Memory dumps showing shell extension code in Explorer process" + metadata: windows_versions: - "Windows 95" @@ -78,7 +98,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 95" - criticality: "medium" investigation_types: 
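Review bot: The `- criticality: "medium"` removal in the `@@ -78,7 +98,6 @@` hunk has no replacement, and the same field is deleted from every other artifact in this patch, yet the rewritten README in this same commit still advertises "Filter by category, criticality level, Windows version, and registry hive". Either keep `criticality` (or name its successor field), or drop the README claim and whatever filter code reads the field; a schema change that touches every artifact also belongs in the commit message.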
@@ -131,5 +150,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/shell_folders.yml b/artifacts/persistence-methods/shell_folders.yml similarity index 64% rename from artifacts/persistence/shell_folders.yml rename to artifacts/persistence-methods/shell_folders.yml index 04143ef..c7b8d99 100644 --- a/artifacts/persistence/shell_folders.yml +++ b/artifacts/persistence-methods/shell_folders.yml @@ -1,5 +1,5 @@ title: "Shell Folders and Startup Locations" -category: "persistence" +category: "persistence-methods" description: "Special folder paths including Startup folder locations, user directories, and system folder redirection" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - Windows defines special folder locations including Desktop, Documents, Startup, - system directories, and user profile paths. The Startup folder automatically - executes programs placed in it during user logon, making it a critical persistence - location. User Shell Folders contain environment variables and can be redirected - to alternative locations including network shares for roaming profiles. + Windows defines special folder locations including Desktop, Documents, Startup, system + directories, and user profile paths. The Startup folder automatically executes programs + placed in it during user logon, making it a critical persistence location. User Shell + Folders contain environment variables and can be redirected to alternative locations. forensic_value: | - Shows persistence through Startup folder modification, reveals customized system - folder locations, indicates folder redirection for data hiding or collection, - and can reveal attempts to redirect critical folders to attacker-controlled - locations. Critical for identifying file-based persistence mechanisms and - understanding user environment modifications that could facilitate data theft. + Shows persistence through Startup folder modification, reveals customized system folder + locations, indicates folder redirection for data hiding or collection, and can reveal + attempts to redirect critical folders to attacker-controlled locations. Critical for + identifying file-based persistence mechanisms and understanding user environment modifications. structure: | - Named values containing folder paths as REG_SZ or REG_EXPAND_SZ data with - environment variable expansion. Common values include Startup folders (user - and system-wide), Desktop, Personal (Documents), and system directories. - Paths can be redirected to unusual locations including network shares. 
+ Named values containing folder paths as REG_SZ or REG_EXPAND_SZ data with environment + variable expansion. Common values include Startup folders (user and system-wide), Desktop, + Personal (Documents), and system directories. Paths can be redirected to unusual locations + including network shares. examples: - "Startup: C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" @@ -53,6 +51,28 @@ details: - name: "Group Policy Management" description: "Group Policy tools for folder redirection analysis" +limitations: + - "Shell folder configuration does NOT prove files were placed in or executed from folders" + - "Startup folder paths don't indicate programs were launched from startup locations" + - "Folder redirection settings don't show redirected folders were accessed or used" + - "Network folder paths don't prove network resources were accessible or utilized" + - "Modified folder locations don't indicate malicious usage or file operations" + - "Environment variable paths don't show successful variable expansion or resolution" + - "Registry entries don't reveal what files exist in configured folders" + +correlation: + required_for_definitive_persistence_proof: + - "File system artifacts showing executable files in startup folders" + - "Process execution logs showing programs launching from startup locations" + - "Windows Event Logs showing process creation from startup folder programs" + - "ShellBags showing folder navigation to modified folder locations" + + strengthens_evidence: + - "Recent documents showing files accessed from redirected folders" + - "Network traffic initiated by programs in startup folders" + - "Registry modifications made by startup folder programs" + - "File system changes indicating startup folder program activity" + metadata: windows_versions: - "Windows 95" @@ -75,7 +95,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 95" - criticality: "medium" investigation_types: 
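Review bot: The new `correlation` block in the `@@ -53,6 +51,28 @@` hunk keys its evidence list as `required_for_definitive_persistence_proof`, while shell_extensions.yml uses `required_for_definitive_usage_proof` and later files in this patch use `_execution_proof` and `_hijacking_proof`. Any code that renders these blocks in the search UI will need one special case per spelling; suggest a single fixed key such as `required_for_definitive_proof` and, if the distinction is wanted, a sibling `proof_type:` value.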
@@ -129,5 +148,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/system/startup_programs.yml b/artifacts/persistence-methods/startup_programs.yml similarity index 67% rename from artifacts/system/startup_programs.yml rename to artifacts/persistence-methods/startup_programs.yml index ff6ba24..375666d 100644 --- a/artifacts/system/startup_programs.yml +++ b/artifacts/persistence-methods/startup_programs.yml @@ -1,5 +1,5 @@ title: "Startup Programs and Load Order" -category: "system" +category: "persistence-methods" description: "System startup configuration, boot order, service group dependencies, and early loading programs" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - Windows startup sequence configuration encompasses boot execution programs, service group - load order, session manager settings, subsystem initialization, and early program loading - that occurs during system startup before user logon. Controls critical system component - initialization, driver loading sequences, and system service dependencies for proper - system startup and operation in multi-user and enterprise environments. + Windows startup sequence configuration encompasses boot execution programs, service group + load order, session manager settings, subsystem initialization, and early program loading + that occurs during system startup before user logon. Controls critical system component + initialization and driver loading sequences for proper system startup. forensic_value: | - Critical for identifying system-level persistence mechanisms that load before security - software and user-level defenses. Shows boot-time malware installation, startup sequence - modifications indicating system compromise, and early-loading persistence techniques used - by advanced threats. Essential for detecting rootkits, boot sector malware, and sophisticated - persistence mechanisms that establish control during system initialization phases. + Critical for identifying system-level persistence mechanisms that load before security + software and user-level defenses. Shows boot-time malware installation, startup sequence + modifications indicating system compromise, and early-loading persistence techniques used + by advanced threats. Essential for detecting rootkits and sophisticated persistence mechanisms. structure: | - Session Manager contains BootExecute (programs run during boot), SubSystems (core system - components), ExcludeFromKnownDlls (DLL exclusions), and CriticalDeviceTimeout (hardware - initialization timeouts). 
ServiceGroupOrder defines service loading sequence priorities - for proper dependency management and system stability during startup operations. + Session Manager contains BootExecute (programs run during boot), SubSystems (core system + components), ExcludeFromKnownDlls (DLL exclusions), and CriticalDeviceTimeout (hardware + initialization timeouts). ServiceGroupOrder defines service loading sequence priorities + for proper dependency management during startup operations. examples: - "BootExecute: autocheck autochk *, C:\\\\malware\\\\startup.exe (Malicious boot program)" 
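Review bot: The trailing context line `"BootExecute: autocheck autochk *, C:\\\\malware\\\\startup.exe (Malicious boot program)"` escapes each backslash twice, unlike every other example in this patch (for instance `C:\\malware\\backdoor.exe` in the services file). In a double-quoted YAML scalar `\\` is one backslash, so this example will render as `C:\\malware\\startup.exe` while the others render with single backslashes; since the hunk already rewrites the neighbouring `structure` block, fix the escaping here at the same time.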
@@ -52,6 +50,28 @@ details: - name: "Service Control Manager" description: "Windows service management and dependency analysis tools" +limitations: + - "Startup configuration does NOT prove malicious programs were executed during boot" + - "Boot execution settings don't indicate successful malware loading or operation" + - "Service group order modifications may be for legitimate system optimization" + - "Subsystem configuration changes don't prove unauthorized system modifications" + - "DLL exclusions may be required for legitimate application compatibility" + - "Session manager settings don't indicate actual boot sequence execution results" + +correlation: + required_for_definitive_persistence_proof: + - "Event logs showing actual boot execution and service loading events" + - "Process execution logs showing malicious programs launched during startup" + - "File system artifacts showing malicious executable files in startup locations" + - "Registry changes showing startup configuration modifications during attack periods" + - "System logs showing successful boot sequence completion with modified startup programs" + + strengthens_evidence: + - "Boot sector analysis showing low-level persistence mechanisms" + - "Event logs showing service loading failures or unexpected program execution during boot" + - "File modifications in startup directories during configuration change periods" + - "Registry changes in related persistence locations during startup configuration modifications" + metadata: windows_versions: - "Windows NT" @@ -72,7 +92,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: @@ -121,5 +140,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" 
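Review bot: `last_updated` is set to "2025-06-13" in the final `@@ -121,5 +140,5 @@` hunk of this file while every other artifact in the patch is set to "2025-06-12"; if these were edited in one pass, use one date so the metadata does not suggest a separate revision.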
diff --git a/artifacts/execution/services.yml b/artifacts/persistence-methods/windows_service_configurations.yml similarity index 64% rename from artifacts/execution/services.yml rename to artifacts/persistence-methods/windows_service_configurations.yml index 756ba60..bc365b3 100644 --- a/artifacts/execution/services.yml +++ b/artifacts/persistence-methods/windows_service_configurations.yml @@ -1,5 +1,5 @@ title: "Windows Services Configuration and Execution" -category: "execution" +category: "persistence-methods" description: "Windows service definitions, startup configurations, dependencies, and service-based persistence mechanisms" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows Services registry contains comprehensive service configuration including executable - paths, startup types, dependencies, security descriptors, service accounts, group memberships, - and failure recovery actions. Controls system service behavior, automatic startup sequences, - service isolation, and inter-service dependencies for complete Windows service management - and execution control across system and user contexts. + Windows Services registry contains service configuration including executable paths, + startup types, dependencies, security descriptors, service accounts, and failure recovery actions. + Controls system service behavior, automatic startup sequences, and service isolation. forensic_value: | - Critical for identifying malicious service installation, service hijacking attacks, and - unauthorized service modifications used for persistence. Shows evidence of malware services, - suspicious service configurations, privilege escalation through service accounts, and - service-based backdoors. Essential for detecting advanced persistent threats that abuse - legitimate service infrastructure for stealth and persistence. + Critical for identifying malicious service installation, service hijacking attacks, and unauthorized + service modifications used for persistence. Shows evidence of malware services, suspicious service + configurations, privilege escalation through service accounts, and service-based backdoors. structure: | - Individual service subkeys contain ImagePath (executable), Start (startup type), Type - (service type), ObjectName (service account), DependOnService (dependencies), and - ServiceSidType (security identifier type). Svchost configuration manages service - hosting for shared processes with isolation and security boundaries. 
+ Individual service subkeys contain ImagePath (executable), Start (startup type), Type (service type), + ObjectName (service account), DependOnService (dependencies), and ServiceSidType (security identifier type). + Svchost configuration manages service hosting for shared processes. examples: - "Services\\MaliciousService\\ImagePath: C:\\malware\\backdoor.exe" @@ -53,6 +48,29 @@ details: - name: "Service Security Analyzer" description: "Tools for analyzing service security configurations and permissions" +limitations: + - "Service registration does NOT prove service was started or executed" + - "Disabled services (Start=4) will not execute automatically" + - "Service configuration may be created by installers without immediate activation" + - "Manual start services (Start=3) require explicit user or system initiation" + - "Service dependencies may prevent service from starting even if configured" + - "Administrative privileges are required to install services" + - "Service accounts may lack necessary permissions for execution" + - "Service failure actions may not trigger if dependencies fail" + +correlation: + required_for_definitive_execution_proof: + - "Windows Event Logs (Service Control Manager Event IDs 7034, 7035, 7036)" + - "Process execution logs showing service executable launches" + - "Service startup and shutdown event logs" + - "System boot logs showing automatic service startup" + + strengthens_evidence: + - "File system artifacts showing service executable activity" + - "Network connections initiated by service processes" + - "Registry modifications made by service during execution" + - "Application logs showing service-specific operations" + metadata: windows_versions: - "Windows NT 3.1" @@ -73,7 +91,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: 
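Review bot: The correlation list in the `@@ -53,6 +48,29 @@` hunk cites Service Control Manager Event IDs 7034, 7035 and 7036, which record service crashes, control requests and running/stopped transitions but not installation, yet the first limitation in the same hunk is that "Service registration does NOT prove service was started". The service-installed record (System log 7045, or Security log 4697 where service-install auditing is enabled) is what ties a registration to a point in time; consider adding it. Also, "Administrative privileges are required to install services" is a precondition rather than a limitation of the artifact and reads oddly under `limitations`.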
@@ -123,5 +140,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/winlogon_userinit.yml b/artifacts/persistence-methods/winlogon_userinit.yml similarity index 62% rename from artifacts/persistence/winlogon_userinit.yml rename to artifacts/persistence-methods/winlogon_userinit.yml index 8e37ef4..f001626 100644 --- a/artifacts/persistence/winlogon_userinit.yml +++ b/artifacts/persistence-methods/winlogon_userinit.yml @@ -1,5 +1,5 @@ title: "Winlogon and UserInit Persistence" -category: "persistence" +category: "persistence-methods" description: "Windows logon process hijacking through Userinit, Shell, and notification package modifications" paths: 
@@ -9,24 +9,24 @@ paths: details: what: | - Winlogon registry keys control the Windows logon process including which - programs run during user logon, desktop shell initialization, and system - notification handlers. Userinit and Shell values specify programs that execute - automatically when users log in. Notify subkeys register DLLs for logon/logoff - event notifications. These mechanisms are fundamental to Windows startup process. + Winlogon registry keys control the Windows logon process including which programs run during + user logon, desktop shell initialization, and system notification handlers. Userinit and + Shell values specify programs that execute automatically when users log in. Notify subkeys + register DLLs for logon/logoff event notifications. These mechanisms are fundamental to + Windows startup process. forensic_value: | - Critical persistence mechanism used by advanced malware and sophisticated attackers. - Shows unauthorized modifications to the logon process that ensure malware execution - on every user login. Difficult to detect and highly effective for maintaining access. - Can indicate system compromise, privilege escalation, and advanced persistent threats. - Essential for identifying rootkits and advanced malware families. + Critical persistence mechanism used by advanced malware and sophisticated attackers. Shows + unauthorized modifications to the logon process that ensure malware execution on every user + login. Difficult to detect and highly effective for maintaining access. Can indicate system + compromise, privilege escalation, and advanced persistent threats. Essential for identifying + rootkits and advanced malware families. structure: | - Key values include Userinit (programs run during logon initialization), - Shell (desktop shell program), Notify DLL registrations, and system policies. - Values contain comma-separated executable paths with parameters. 
Binary data - may include security descriptors and policy enforcement mechanisms. + Key values include Userinit (programs run during logon initialization), Shell (desktop shell + program), Notify DLL registrations, and system policies. Values contain comma-separated + executable paths with parameters. Binary data may include security descriptors and policy + enforcement mechanisms. examples: - "Userinit: C:\\Windows\\system32\\userinit.exe,C:\\malware\\backdoor.exe" @@ -54,6 +54,28 @@ details: - name: "LogonExpert" description: "Specialized tools for Windows logon process analysis" +limitations: + - "Winlogon configuration does NOT prove modified programs were executed" + - "Userinit settings don't indicate successful program launch during logon" + - "Shell modifications don't show desktop environment was compromised" + - "Notification package entries don't prove DLLs were loaded or executed" + - "Logon process hijacking may be blocked by security software or policies" + - "Malicious programs may fail due to missing files, dependencies, or permissions" + - "Registry entries don't reveal frequency or success of logon process exploitation" + +correlation: + required_for_definitive_hijacking_proof: + - "Process execution logs showing modified logon programs launching" + - "File system artifacts showing malicious programs at configured paths" + - "Windows Event Logs showing logon process execution (Event ID 4624)" + - "Memory dumps showing injected code in winlogon.exe process" + + strengthens_evidence: + - "Registry modifications made by hijacked logon processes" + - "Network traffic initiated by malicious logon programs" + - "File system changes indicating logon process exploitation" + - "User account activity correlating with logon process modifications" + metadata: windows_versions: - "Windows NT 3.1" @@ -75,7 +97,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: 
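Review bot: In the `@@ -54,6 +54,28 @@` hunk, "Windows Event Logs showing logon process execution (Event ID 4624)" mislabels the event: 4624 records a successful account logon, not the launch of the Userinit or Shell programs. The process-creation event that the amcache.yml hunk in this same patch cites, Event ID 4688, is the one that would show `userinit.exe` or a replacement shell starting; suggest "4624 for the logon itself and 4688 for the programs launched by Userinit/Shell".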
@@ -129,5 +150,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/persistence/wmi_events.yml b/artifacts/persistence-methods/wmi_event_subscription.yml similarity index 60% rename from artifacts/persistence/wmi_events.yml rename to artifacts/persistence-methods/wmi_event_subscription.yml index e837d23..43ae3aa 100644 --- a/artifacts/persistence/wmi_events.yml +++ b/artifacts/persistence-methods/wmi_event_subscription.yml 
@@ -1,33 +1,31 @@ title: "WMI Event Subscriptions" -category: "persistence" +category: "persistence-methods" description: "Windows Management Instrumentation event-based persistence through filters, consumers, and bindings" paths: - - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\//./root/subscription" - - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\//./root/cimv2" - - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\//./root/default" + - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\Root\\Subscription" + - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\Root\\cimv2" + - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\ESS\\Root\\default" - "HKLM\\SOFTWARE\\Microsoft\\Wbem\\CIMOM" details: what: | - WMI Event Subscriptions create persistent event-driven triggers that execute - code when specific system events occur. Consists of Event Filters (WQL queries - defining trigger conditions), Event Consumers (actions to execute), and - Filter-to-Consumer Bindings (links between filters and consumers). Provides - sophisticated, legitimate-seeming persistence that survives reboots and security software. + WMI Event Subscriptions create persistent event-driven triggers that execute code when specific + system events occur. Consists of Event Filters (WQL queries defining trigger conditions), + Event Consumers (actions to execute), and Filter-to-Consumer Bindings (links between filters + and consumers). Provides sophisticated, legitimate-seeming persistence that survives reboots. forensic_value: | - Advanced persistence technique used by sophisticated malware, APT groups, and - advanced persistent threats. Difficult to detect and remove through traditional - means. Shows evidence of advanced persistence mechanisms that survive system - reboots, security software removal, and system cleaning. Critical for identifying - advanced threat actors and sophisticated malware families. + Advanced persistence technique used by sophisticated malware, APT groups, and advanced persistent + threats. 
Difficult to detect and remove through traditional means. Shows evidence of advanced + persistence mechanisms that survive system reboots, security software removal, and system + cleaning. Critical for identifying advanced threat actors and sophisticated malware families. structure: | - Registry entries for WMI repository objects including __EventFilter (trigger - conditions), __EventConsumer (execution actions), and __FilterToConsumerBinding - (relationships) classes. Binary data contains serialized WMI objects with - WQL queries, PowerShell payloads, executable paths, and scheduling information. + Registry entries for WMI repository objects including __EventFilter (trigger conditions), + __EventConsumer (execution actions), and __FilterToConsumerBinding (relationships) classes. + Binary data contains serialized WMI objects with WQL queries, PowerShell payloads, executable + paths, and scheduling information. examples: - "__EventFilter Name: MaliciousProcessMonitor" 
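Review bot: The `paths` change from `ESS\\//./root/subscription` to `ESS\\Root\\Subscription` in the `@@ -1,33 +1,31 @@` hunk is a substantive edit to the documented registry key hidden inside a rename-and-recategorize commit, and the two spellings are not the same key. The original `//./root/...` form is how the ESS key names its per-namespace subkeys, so if the change is deliberate, verify it against a live system and say so in the commit message; otherwise revert it. While here, the `structure` text still describes serialized `__EventFilter` and `__EventConsumer` objects as registry binary data; those objects are stored in the WMI repository (OBJECTS.DATA under `wbem\Repository`), which the correlation list should point analysts at.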
@@ -53,6 +51,28 @@ details: - name: "WMI Event Monitor" description: "Real-time WMI event monitoring and subscription analysis tools" +limitations: + - "WMI event subscriptions do NOT prove events were triggered or consumers executed" + - "Event filter queries don't indicate trigger conditions were met" + - "Consumer configurations don't show successful payload execution" + - "Binding relationships don't prove event processing occurred" + - "WMI repository corruption may prevent event subscription functionality" + - "Event consumers may fail due to missing dependencies or permission restrictions" + - "Registry entries don't reveal frequency or success of event-driven execution" + +correlation: + required_for_definitive_execution_proof: + - "WMI event logs showing actual event filter triggering and consumer execution" + - "Process execution logs showing programs launched by WMI event consumers" + - "File system artifacts showing WMI consumer output, logs, or created files" + - "Windows Event Logs showing WMI provider activity and object creation" + + strengthens_evidence: + - "Registry modifications made by executed WMI event consumers" + - "Network traffic initiated by WMI consumer payloads" + - "File system changes indicating WMI event consumer activity" + - "PowerShell execution logs correlating with WMI script consumers" + metadata: windows_versions: - "Windows 2000" @@ -72,7 +92,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 2000" - criticality: "high" investigation_types: @@ -126,5 +145,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/execution/amcache.yml b/artifacts/program-execution/amcache.yml similarity index 58% rename from artifacts/execution/amcache.yml rename to artifacts/program-execution/amcache.yml index 0b6d40c..c8cd2bc 100644 --- a/artifacts/execution/amcache.yml 
+++ b/artifacts/program-execution/amcache.yml @@ -1,5 +1,5 @@ title: "AmCache Application Activity Cache" -category: "execution" +category: "program-execution" description: "Advanced execution tracking with SHA1 hashes, file metadata, and compilation timestamps" paths: 
@@ -7,23 +7,20 @@ paths: details: what: | - AmCache.hve is a registry hive that replaced RecentFileCache.bcf in Windows 8+. - It tracks metadata about executables, installed applications, and drivers including - file paths, SHA1 hashes, compilation times, and detailed program information. - The database contains InventoryApplication, InventoryApplicationFile, and - InventoryDriverBinary entries with rich forensic metadata. + AmCache.hve registry hive tracks metadata about executables, installed applications, + and drivers including file paths, SHA1 hashes, compilation times, and program information. + Contains InventoryApplication, InventoryApplicationFile, and InventoryDriverBinary entries. forensic_value: | - Critical for proving file presence on system even if deleted. Contains SHA1 hashes - for malware identification via VirusTotal. Shows compilation timestamps useful for - correlating with threat actor campaigns. More detailed than ShimCache with richer metadata. - Can identify renamed executables and track software installation patterns. + Critical for proving file presence on system even if deleted. Contains SHA1 hashes + for malware identification and compilation timestamps for threat actor correlation. + More detailed than ShimCache with richer metadata for identifying renamed executables + and tracking software installation patterns. structure: | - Registry hive file containing multiple keys: InventoryApplication (installed programs), - InventoryApplicationFile (executables), InventoryDriverBinary (drivers). Each entry - includes FileID (SHA1 hash), file path, size, compilation time, program details, - and binary version information stored in structured data format. + Registry hive containing multiple keys with structured data format. Each entry includes + FileID (SHA1 hash), file path, size, compilation time, program details, and binary + version information stored with rich forensic metadata. examples: - "Path: C:\\Users\\user\\Desktop\\malware.exe" 
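Review bot: The rewritten `what` in the `@@ -7,23 +7,20 @@` hunk drops the fact that AmCache.hve replaced RecentFileCache.bcf in Windows 8, and the rewritten `structure` drops the per-key meaning (InventoryApplication for installed programs, InventoryApplicationFile for executables, InventoryDriverBinary for drivers). Those are the details an analyst opening the hive needs; trimming for line length should not remove them.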
@@ -49,6 +46,28 @@ details: url: "https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape" description: "Artifact collection and parsing framework" +limitations: + - "AmCache entry does NOT prove program execution - only shows file was present on system" + - "File metadata can be modified or spoofed by malware authors" + - "SHA1 hashes may not be unique across all possible files" + - "Compilation timestamps can be altered to evade detection" + - "File presence doesn't indicate when or if the file was actually executed" + - "Renamed executables may retain original metadata from before renaming" + - "Administrative installation may populate AmCache without user execution" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs (Event ID 4688) showing actual program launch" + - "Prefetch files (.pf) with execution counters and file references" + - "Application event logs showing successful program startup" + - "EDR/monitoring tool process execution logs" + + strengthens_evidence: + - "ShimCache entries with matching file paths and timestamps" + - "UserAssist showing user-initiated program launches" + - "Network connections initiated by programs with matching hashes" + - "File modifications with timestamps correlating to program activity" + metadata: windows_versions: - "Windows 8" @@ -61,7 +80,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 8" - criticality: "high" investigation_types: @@ -69,6 +87,7 @@ metadata: - "timeline-analysis" - "incident-response" - "behavioral-analysis" + - "program-execution" tags: - "execution" @@ -109,5 +128,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
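Review bot: In the `@@ -49,6 +46,28 @@` hunk, "SHA1 hashes may not be unique across all possible files" is not a practical caveat for this artifact. The caveat analysts actually hit is that the AmCache FileID hash is computed over only the first 31,457,280 bytes of a file, so the stored hash will not match an external hash of a larger binary; suggest replacing the bullet with that.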
diff --git a/artifacts/execution/app_paths.yml b/artifacts/program-execution/app_exec_paths.yml similarity index 63% rename from artifacts/execution/app_paths.yml rename to artifacts/program-execution/app_exec_paths.yml index 63b36c2..e968ab3 100644 --- a/artifacts/execution/app_paths.yml +++ b/artifacts/program-execution/app_exec_paths.yml @@ -1,5 +1,5 @@ title: "Application Execution Paths" -category: "execution" +category: "program-execution" description: "Registered application paths for command-line execution without full path specification" paths: 
@@ -8,24 +8,19 @@ paths: details: what: | - Windows maintains registry entries that allow applications to be executed - from command line, Run dialog, or Start menu search without specifying full paths. - Contains default executable paths, working directories, and PATH environment - additions for registered applications. Enables convenient application launching - and provides application location information for Windows shell operations. + Windows registry entries allowing applications to be executed from command line, + Run dialog, or Start menu search without specifying full paths. Contains default + executable paths, working directories, and PATH environment additions for registered applications. forensic_value: | - Shows applications registered for easy execution, can reveal malware that - registers itself for convenient access from command line or Run dialog, - indicates software installation patterns, and shows potential execution - methods. Useful for understanding available execution vectors, identifying - malicious applications that register for easy access, and tracking application installations. + Shows applications registered for easy execution and can reveal malware that registers + itself for convenient access. Useful for understanding available execution vectors, + identifying malicious applications that register for easy access, and tracking software installations. structure: | - Application names as subkeys with default value pointing to full executable - path. Optional Path value specifies additional directories to add to PATH - environment variable during execution. DropTarget value indicates drag-and-drop - support. Values stored as REG_SZ with optional REG_EXPAND_SZ for environment variables. + Application names as subkeys with default value pointing to full executable path. + Optional Path value specifies additional directories. DropTarget value indicates + drag-and-drop support. Values stored as REG_SZ with optional REG_EXPAND_SZ. 
examples: - "notepad.exe\\(Default): C:\\Windows\\System32\\notepad.exe" @@ -52,6 +47,27 @@ details: url: "https://www.nirsoft.net/utils/app_paths_view.html" description: "NirSoft tool for viewing registered application paths" +limitations: + - "App Paths registration does NOT prove application was executed" + - "Path entries may be created by installers without user execution" + - "Malicious entries may be mixed with legitimate application registrations" + - "Registration enables convenient execution but doesn't indicate actual usage" + - "Administrative privileges can create system-wide entries without user knowledge" + - "Path registration may persist after application uninstallation" + - "DropTarget settings don't indicate drag-and-drop operations occurred" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing actual program launch via registered paths" + - "Command-line history showing usage of registered application names" + - "Event logs confirming successful program startup through App Paths" + - "UserAssist entries showing user-initiated launches of registered applications" + + strengthens_evidence: + - "ShimCache or AmCache entries with matching executable paths" + - "Recent documents created by applications launched via App Paths" + - "File system artifacts showing application activity after launch" + metadata: windows_versions: - "Windows 95" @@ -74,13 +90,13 @@ metadata: - "Windows Server 2022" introduced: "Windows 95" - criticality: "low" investigation_types: - "malware-analysis" - "behavioral-analysis" - "incident-response" + - "program-execution" tags: - "execution" @@ -125,5 +141,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
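Review bot: the metadata hunk deletes `criticality: "low"` and adds nothing in its place, and the same `- criticality:` removal appears in every artifact in this patch (ShimCache, AppCompat flags, Git, MUICache, PowerShell, Prefetch, RunMRU, UserAssist). If the field is being retired, the search filter and schema that consume it need to change in the same commit; if it is moving somewhere else, the replacement should be visible in the hunk, otherwise a filter on criticality silently returns nothing. Separately, the rewritten `structure` text now says "Optional Path value specifies additional directories" without saying what for; the deleted wording ("to add to PATH environment variable during execution") was the useful part, so keep it, e.g. `Optional Path value lists directories added to PATH for the launched process.`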
diff --git a/artifacts/execution/appcompat_cache.yml b/artifacts/program-execution/appcompat_cache.yml similarity index 77% rename from artifacts/execution/appcompat_cache.yml rename to artifacts/program-execution/appcompat_cache.yml index afad52d..b1dbfe1 100644 --- a/artifacts/execution/appcompat_cache.yml +++ b/artifacts/program-execution/appcompat_cache.yml @@ -1,5 +1,5 @@ title: "Application Compatibility Cache (ShimCache)" -category: "execution" +category: "program-execution" description: "Application execution tracking with file paths, timestamps, and execution indicators across Windows versions" paths: 
@@ -51,6 +51,31 @@ details: url: "https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape" description: "Artifact collection framework with ShimCache modules" +limitations: + - "Does NOT prove program execution - only shows file was accessed for compatibility analysis" + - "Triggered by file operations: copy, move, scan, or simple existence checks" + - "Antivirus and security tools populate cache without user execution" + - "File browsing and preview generation can create entries" + - "Network file access may create entries without local execution" + - "System maintenance and indexing operations populate cache" + - "Execution flag varies by Windows version and may not be reliable" + - "Cannot distinguish between successful execution vs. failed launch attempts" + +correlation: + required_for_definitive_execution_proof: + - "Windows Event Logs (Process Creation 4688, Process Termination 4689)" + - "Prefetch files (.pf) with execution counters and file references" + - "EDR/monitoring tool process execution logs" + - "Application event logs showing successful startup" + + strengthens_evidence: + - "AmCache entries with matching SHA1 hashes and metadata" + - "UserAssist showing user-initiated launches" + - "Recent documents created by the application" + - "Registry keys modified by application runtime" + - "Network connections initiated by the process" + - "File modifications with matching timestamps" + metadata: windows_versions: - "Windows XP" @@ -68,7 +93,6 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "high" investigation_types: @@ -121,4 +145,4 @@ author: contribution: date_added: "2025-01-15" last_updated: "2025-01-15" - version: "2.0" + version: "3.0" 
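Review bot: the new `limitations` list misses the caveat that matters most for live response: ShimCache is maintained in kernel memory and serialized to the SYSTEM hive at shutdown, so a hive exported from a running host, or a machine that was hard-powered off, will not contain the most recent entries. Suggest adding a line such as `Cache is written to the registry at shutdown; live-acquired SYSTEM hives lag behind in-memory state`. Also, the final hunk bumps `version` from "2.0" to "3.0" but leaves `last_updated: "2025-01-15"` untouched as context, whereas every other file in this patch moves it to "2025-06-12"; the date should be bumped here as well.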
diff --git a/artifacts/execution/app_compat_flags.yml b/artifacts/program-execution/appcompat_flags.yml similarity index 64% rename from artifacts/execution/app_compat_flags.yml rename to artifacts/program-execution/appcompat_flags.yml index b962fe7..dfe5d89 100644 --- a/artifacts/execution/app_compat_flags.yml +++ b/artifacts/program-execution/appcompat_flags.yml @@ -1,5 +1,5 @@ title: "Application Compatibility Flags and Settings" -category: "execution" +category: "program-execution" description: "Application compatibility flags, shim layers, and compatibility database entries for legacy application support" paths: 
@@ -10,24 +10,20 @@ paths: details: what: | - Application Compatibility Flags control compatibility shims, layers, and fixes - applied to applications for legacy support. Includes compatibility settings, - execution flags, application-specific fixes, and shim database installations. - Manages Windows compatibility infrastructure for running older applications - on newer operating systems through various compatibility mechanisms. + Application Compatibility Flags control compatibility shims and layers applied to + applications for legacy support. Includes execution flags, application-specific fixes, + and shim database installations for running older applications on newer operating systems. forensic_value: | - Shows applications that required compatibility fixes, reveals execution history - through compatibility layer application, and can indicate malware attempting - to masquerade as legacy applications or bypass security measures. May reveal - unauthorized compatibility database installations or malicious shim applications - designed to evade detection or modify application behavior. + Shows applications requiring compatibility fixes and reveals execution history through + compatibility layer application. Can indicate malware masquerading as legacy applications + or attempting to bypass security measures. May reveal unauthorized compatibility database + installations or malicious shim applications designed to evade detection. structure: | - Layers subkey contains compatibility layer definitions and application assignments. - CompatTelRunner tracks compatibility telemetry execution. InstalledSDB manages - custom shim database installations. Application names as subkeys contain specific - compatibility flags, layer assignments, and execution parameters. + Layers subkey contains compatibility layer definitions and application assignments. + CompatTelRunner tracks compatibility telemetry execution. InstalledSDB manages custom + shim database installations. 
Application names as subkeys contain specific compatibility flags. examples: - "Layers\\application.exe: WIN98 WINXPSP3 256COLOR" @@ -38,7 +34,7 @@ details: - "ExecutionAlias\\notepad.exe: C:\\Windows\\System32\\notepad.exe" - "Custom\\suspicious_app.exe: ELEVATECREATEPROCESS" - "ProcessHistory\\malware.exe: compatibility_check_timestamp" - + tools: - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" @@ -53,6 +49,27 @@ details: - name: "ShimView" description: "Tools for analyzing installed compatibility shims and databases" +limitations: + - "Compatibility layer assignment does NOT prove program execution occurred" + - "Shim database installation may be legitimate enterprise software compatibility" + - "Compatibility settings can be applied by administrators without user execution" + - "CompatTelRunner timestamps show telemetry collection, not program execution" + - "Custom shim databases may be installed but never actively used" + - "Compatibility flags may be set proactively for programs never launched" + - "Layer assignments may persist after application uninstallation" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing actual program launch with compatibility layers" + - "Application event logs confirming successful program startup" + - "File system artifacts showing program execution and operation" + - "ShimCache or AmCache entries with matching application paths" + + strengthens_evidence: + - "Registry Run keys showing persistence through compatibility mechanisms" + - "UserAssist entries showing user-initiated launches with compatibility layers" + - "Application logs showing compatibility layer activation during execution" + metadata: windows_versions: - "Windows XP" 
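Review bot: in the `correlation` block, `required_for_definitive_execution_proof` lists "ShimCache or AmCache entries with matching application paths", but the ShimCache artifact rewritten in this same patch opens its own limitations with "Does NOT prove program execution". Listing an artifact as required proof in one file and as non-proof in another will confuse anyone cross-referencing the two; move that item to `strengthens_evidence` (AmCache likewise records file inventory and hashes rather than launches). The rest of the list is consistent with the ShimCache and MUICache files.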
@@ -70,13 +87,13 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "medium" investigation_types: - "malware-analysis" - "behavioral-analysis" - "incident-response" + - "program-execution" tags: - "execution" @@ -121,5 +138,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/execution/git.yml b/artifacts/program-execution/git.yml similarity index 57% rename from artifacts/execution/git.yml rename to artifacts/program-execution/git.yml index 009afed..20d9ca5 100644 --- a/artifacts/execution/git.yml +++ b/artifacts/program-execution/git.yml @@ -1,5 +1,5 @@ title: "Git Source Code Management Configuration" -category: "execution" +category: "program-execution" description: "Git version control system configuration, repository history, and development activity tracking" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Git stores version control configuration including user credentials, repository - settings, remote URLs, and development workflow preferences. Registry tracks - installation paths, global configuration, credential helpers, and integration - settings for comprehensive source code management analysis and development - activity tracking in software projects and collaborative programming environments. + Git version control configuration including user credentials, repository settings, + remote URLs, and development workflow preferences. Registry tracks installation paths, + global configuration, credential helpers, and integration settings. forensic_value: | - Critical for investigating software development activities, source code access, - intellectual property theft, and evidence of programming work. Shows evidence - of repository cloning, commit activity, remote server access, and can reveal - unauthorized code access, stolen source code, insider development activities, - and software project involvement in corporate or personal development scenarios. + Critical for investigating software development activities, source code access, and + intellectual property theft. Shows evidence of repository cloning, commit activity, + and can reveal unauthorized code access, stolen source code, or insider development activities. structure: | - Git configuration includes installation directories, user identity settings, - credential storage methods, repository paths, and integration preferences. - Global configuration data shows default behavior, authentication methods, - and remote repository access patterns for comprehensive development activity analysis. + Git configuration includes installation directories, user identity settings, credential + storage methods, repository paths, and integration preferences. Global configuration + shows default behavior and authentication methods. examples: - "InstallPath: C:\\Program Files\\Git" 
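Review bot: the rewritten `what` and `structure` overstate what the registry holds for Git. Git for Windows writes its install path and version information under its own key (the `InstallPath` example below is that data), but user identity, remote URLs, the choice of credential helper and the rest of the global configuration live in the user's `.gitconfig` and per-repository `config` files, and Git Credential Manager keeps secrets in Windows Credential Manager rather than in registry values. As written, an analyst would go looking for `user.email` or remote URLs in the hive and not find them. Suggest limiting `what`/`structure` to the install-path and version keys and pointing the `correlation` block at the config files for identity, remotes and credential helpers.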
@@ -49,6 +44,27 @@ details: - name: "Git Credential Manager" description: "Secure credential storage for Git operations" +limitations: + - "Git registry configuration does NOT prove actual repository usage or code commits" + - "Installation presence doesn't indicate active development work" + - "User credentials may be configured without accessing any repositories" + - "Repository URLs in configuration don't prove successful cloning or access" + - "Credential helpers may store authentication without actual Git operations" + - "Configuration may be set by automated tools or installers" + - "Recent repository lists may be populated without successful operations" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing git.exe or related Git tool launches" + - "File system artifacts showing Git repositories and commit history" + - "Network logs showing connections to Git servers and repositories" + - "Git log files showing actual commit, push, and pull operations" + + strengthens_evidence: + - "Recent documents showing code files accessed for development" + - "SSH key files and authentication artifacts for Git operations" + - "Command-line history showing Git commands executed" + metadata: windows_versions: - "Windows 7" @@ -58,13 +74,13 @@ metadata: - "Windows 11" introduced: "Git for Windows" - criticality: "medium" investigation_types: - - "malware-analysis" - "data-exfiltration" - "behavioral-analysis" + - "insider-threat" + - "program-execution" tags: - "git" @@ -100,5 +116,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/execution/muicache.yml b/artifacts/program-execution/muicache.yml similarity index 64% rename from artifacts/execution/muicache.yml rename to artifacts/program-execution/muicache.yml index efe4503..6ab8ce0 100644 --- a/artifacts/execution/muicache.yml 
+++ b/artifacts/program-execution/muicache.yml @@ -1,5 +1,5 @@ title: "MUICache Application Names" -category: "execution" +category: "program-execution" description: "Multilingual User Interface cache tracking executed programs with friendly display names" paths: 
@@ -8,24 +8,20 @@ paths: details: what: | - Windows MUICache stores the friendly display names of executed programs - for multilingual interface support. Tracks applications that have been - run by caching their localized names, descriptions, and version information. - Helps Windows display proper application names in various UI contexts regardless - of system language settings. + Windows MUICache stores friendly display names of executed programs for multilingual + interface support. Tracks applications that have been run by caching their localized + names, descriptions, and version information for proper UI display regardless of system language. forensic_value: | - Provides evidence of program execution with human-readable application names. - Complements other execution artifacts by showing what programs were actually - launched with their proper names. Useful for identifying renamed executables, - suspicious programs masquerading as legitimate software, and portable applications. - Can reveal execution of programs that may not appear in other execution artifacts. + Provides evidence of program execution with human-readable application names. + Complements other execution artifacts by showing what programs were actually launched + with their proper names. Useful for identifying renamed executables, suspicious programs + masquerading as legitimate software, and portable applications. structure: | - Full executable paths as value names with corresponding friendly names as - REG_SZ value data. Includes both system programs and user applications. - Cache persists across reboots and system updates. Path format includes - drive letters and full directory structures for precise program identification. + Full executable paths as value names with corresponding friendly names as REG_SZ value data. + Includes both system programs and user applications. Cache persists across reboots and + system updates. Path format includes drive letters and full directory structures. 
examples: - "C:\\Windows\\System32\\cmd.exe: Command Prompt" @@ -53,6 +49,28 @@ details: url: "https://www.nirsoft.net/utils/computer_activity_view.html" description: "Comprehensive computer activity viewer including MUICache" +limitations: + - "MUICache entry does NOT prove program execution - only shows Windows accessed executable for name lookup" + - "Entries created by file browsing, antivirus scanning, or system indexing without execution" + - "Windows Explorer preview pane and file property access populate cache" + - "Administrative tools and system utilities may populate cache during maintenance" + - "Portable applications may not create entries if not launched through Windows shell" + - "Cache may be cleared by system cleanup utilities or manual registry editing" + - "Renamed executables may retain original application display names" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs (Event ID 4688) showing actual program launch" + - "Prefetch files (.pf) with execution counters and file references" + - "Application event logs confirming successful program startup" + - "UserAssist entries showing user-initiated program launches" + + strengthens_evidence: + - "ShimCache entries with matching executable paths and timestamps" + - "AmCache entries with matching file hashes and metadata" + - "Recent documents created by applications with MUICache entries" + - "File modification timestamps correlating with cache population" + metadata: windows_versions: - "Windows XP" @@ -70,7 +88,6 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "medium" investigation_types: @@ -78,6 +95,7 @@ metadata: - "behavioral-analysis" - "timeline-analysis" - "incident-response" + - "program-execution" tags: - "execution" @@ -122,5 +140,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
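Review bot: the rewritten `forensic_value` still says MUICache shows "what programs were actually launched", while the new `limitations` block two hunks down opens with "MUICache entry does NOT prove program execution" and lists browsing, antivirus scanning and property access as ways an entry is created. One of the two has to give; since the limitations are the point of this revision, soften `forensic_value` to something like "Provides the friendly display name Windows resolved for an executable, which usually but not always follows a launch" and leave the execution claim to `correlation`. The unchanged `description` line ("tracking executed programs") has the same problem.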
diff --git a/artifacts/execution/powershell_policy.yml b/artifacts/program-execution/powershell_execution_policy.yml similarity index 64% rename from artifacts/execution/powershell_policy.yml rename to artifacts/program-execution/powershell_execution_policy.yml index 0f999d5..094e8a2 100644 --- a/artifacts/execution/powershell_policy.yml +++ b/artifacts/program-execution/powershell_execution_policy.yml @@ -1,5 +1,5 @@ title: "PowerShell Execution Policy and Configuration" -category: "execution" +category: "program-execution" description: "PowerShell execution policies, module logging, script execution settings, and security configurations" paths: 
@@ -11,24 +11,20 @@ paths: details: what: | - PowerShell execution policy settings control script execution permissions, - logging configuration, transcription settings, module loading policies, and - security restrictions for PowerShell script execution. Determines security - restrictions, audit capabilities, and execution environments for PowerShell - across different user contexts and security zones. + PowerShell execution policy settings control script execution permissions, logging configuration, + transcription settings, module loading policies, and security restrictions. Determines security + restrictions, audit capabilities, and execution environments across different user contexts. forensic_value: | - Shows if PowerShell security was weakened to allow malicious script execution, - reveals logging configuration that may hide or expose malicious activity, - indicates PowerShell usage patterns, and can reveal attempts to bypass security - controls. Critical for analyzing script-based attacks, PowerShell Empire usage, - and advanced persistent threats using PowerShell for persistence and lateral movement. + Shows if PowerShell security was weakened to allow malicious script execution, reveals logging + configuration that may hide or expose malicious activity, and indicates PowerShell usage patterns. + Critical for analyzing script-based attacks, PowerShell Empire usage, and advanced persistent + threats using PowerShell for persistence and lateral movement. structure: | - ExecutionPolicy values control script execution (Restricted, AllSigned, RemoteSigned, - Unrestricted, Bypass), logging settings for ScriptBlock and Module logging, - transcription paths, constrained language mode settings, and AMSI bypass attempts - stored as REG_SZ and REG_DWORD values with policy inheritance hierarchies. 
+ ExecutionPolicy values control script execution (Restricted, AllSigned, RemoteSigned, Unrestricted, Bypass), + logging settings for ScriptBlock and Module logging, transcription paths, constrained language mode settings, + and AMSI bypass attempts stored as REG_SZ and REG_DWORD values with policy inheritance hierarchies. examples: - "ExecutionPolicy: Unrestricted (allows all scripts)" @@ -55,6 +51,29 @@ details: - name: "PowerShell Security Scanner" description: "Tools for analyzing PowerShell security configuration and threats" +limitations: + - "Execution policy settings do NOT prevent script execution - can be bypassed with command-line parameters" + - "Policy changes don't indicate what scripts were actually executed" + - "Logging configuration may be disabled after malicious activity" + - "PowerShell can be launched with -ExecutionPolicy Bypass parameter" + - "Constrained Language Mode can be bypassed with various techniques" + - "AMSI bypass methods can disable security monitoring" + - "Transcription logs may be deleted or corrupted by attackers" + - "Module logging settings don't capture all PowerShell activity" + +correlation: + required_for_definitive_execution_proof: + - "PowerShell Event Logs (Event IDs 4103, 4104, 4105, 4106) showing actual script execution" + - "Process execution logs showing PowerShell.exe launches with command-line parameters" + - "PowerShell transcription logs showing executed commands and scripts" + - "Application event logs showing PowerShell module loading and execution" + + strengthens_evidence: + - "File system artifacts showing PowerShell script files and modules" + - "Network logs showing connections initiated by PowerShell processes" + - "Registry modifications made by PowerShell execution" + - "Scheduled task logs showing PowerShell-based automation" + metadata: windows_versions: - "Windows Vista" 
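Review bot: the `structure` text lists "AMSI bypass attempts stored as REG_SZ and REG_DWORD values", but an AMSI bypass is something an attacker does in process memory or in a script, not a value Windows persists. What the registry does hold is the AMSI provider registration, so either drop the phrase or replace it with the provider registration keys and treat a missing or altered provider entry as the indicator. In the `correlation` block, note that 4103 events exist only when module logging is enabled and 4104 is written for every script block only when ScriptBlockLogging is enabled (otherwise only blocks PowerShell flags as suspicious are logged), so the very settings this artifact describes decide whether that "required" evidence exists; saying so ties the two sections together.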
@@ -70,7 +89,6 @@ metadata: - "Windows Server 2022" introduced: "PowerShell 1.0 (2006)" - criticality: "high" investigation_types: @@ -79,6 +97,7 @@ metadata: - "incident-response" - "behavioral-analysis" - "lateral-movement" + - "program-execution" tags: - "execution" @@ -124,5 +143,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/execution/prefetch_settings.yml b/artifacts/program-execution/prefetch_settings.yml similarity index 64% rename from artifacts/execution/prefetch_settings.yml rename to artifacts/program-execution/prefetch_settings.yml index b87f639..d081de7 100644 --- a/artifacts/execution/prefetch_settings.yml +++ b/artifacts/program-execution/prefetch_settings.yml @@ -1,5 +1,5 @@ title: "Prefetch Service Configuration" -category: "execution" +category: "program-execution" description: "Prefetch service settings, SuperFetch/SysMain behavior, and execution optimization configuration" paths: 
@@ -9,24 +9,19 @@ paths: details: what: | - Windows Prefetch service configuration that controls prefetch file creation, - SuperFetch/SysMain service behavior, ReadyBoot optimization, and application - launch optimization. Determines what execution evidence is preserved in prefetch - files and how the system optimizes application startup performance through - predictive loading and caching mechanisms. + Windows Prefetch service configuration controls prefetch file creation, SuperFetch/SysMain + service behavior, ReadyBoot optimization, and application launch optimization. Determines + what execution evidence is preserved in prefetch files. forensic_value: | - Shows if prefetch was disabled to hide execution evidence, reveals prefetch - configuration that affects forensic artifact availability, and indicates - system optimization settings that impact investigation capabilities. Critical - for understanding why prefetch evidence may be missing and assessing the - completeness of execution artifact preservation on the system. + Shows if prefetch was disabled to hide execution evidence, reveals prefetch configuration + that affects forensic artifact availability, and indicates system optimization settings that + impact investigation capabilities. Critical for understanding why prefetch evidence may be missing. structure: | - EnablePrefetcher controls prefetch functionality (0=disabled, 1=application, - 2=boot, 3=both). EnableSuperfetch controls intelligent memory management. - SysMain service settings control advanced prefetch and memory optimization. - MaxPrefetchFiles limits the number of prefetch files retained on the system. + EnablePrefetcher controls prefetch functionality (0=disabled, 1=application, 2=boot, 3=both). + EnableSuperfetch controls intelligent memory management. SysMain service settings control + advanced prefetch and memory optimization. MaxPrefetchFiles limits retention. examples: - "EnablePrefetcher: 3 (Applications and boot prefetch enabled)" 
@@ -54,6 +49,27 @@ details: - name: "Prefetch Analyzer" description: "Specialized tools for prefetch configuration and forensic analysis" +limitations: + - "Prefetch configuration settings do NOT prove any applications were executed" + - "Enabled prefetch doesn't guarantee prefetch files were created for all executions" + - "Disabled prefetch may be legitimate performance optimization, not evidence hiding" + - "SysMain service status doesn't indicate what applications were optimized" + - "MaxPrefetchFiles setting affects retention but doesn't show execution history" + - "Boot tracing settings don't prove boot-time program execution" + - "Service configuration may be changed multiple times without logging" + +correlation: + required_for_definitive_execution_proof: + - "Actual prefetch files (.pf) in Windows\\Prefetch directory" + - "Process execution logs showing programs launched" + - "File system artifacts showing application execution evidence" + - "Service Control Manager logs showing SysMain service activity" + + strengthens_evidence: + - "Timeline analysis correlating prefetch settings changes with execution patterns" + - "System performance logs showing prefetch optimization effects" + - "Boot logs showing ReadyBoot optimization activity" + metadata: windows_versions: - "Windows XP" @@ -71,13 +87,13 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "medium" investigation_types: - "timeline-analysis" - "incident-response" - - "malware-analysis" + - "anti-forensics" + - "program-execution" tags: - "execution" @@ -122,5 +138,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
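Review bot: the `limitations` item "Disabled prefetch may be legitimate performance optimization, not evidence hiding" should name the common case, because this same change adds `anti-forensics` to `investigation_types`: Windows Server SKUs ship with application prefetching disabled, so `EnablePrefetcher: 0` on a server is the default rather than a sign of tampering, and the OS edition should be checked before a zero here is read as evidence hiding. Suggest adding that as its own line and, in `correlation`, pairing a settings change with the last-write time of the PrefetchParameters key so the change can be placed on the timeline; the existing "Timeline analysis correlating prefetch settings changes" item gives no source for when the change happened.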
diff --git a/artifacts/user-activity/run_dialog_history.yml b/artifacts/program-execution/run_dialog_history.yml similarity index 70% rename from artifacts/user-activity/run_dialog_history.yml rename to artifacts/program-execution/run_dialog_history.yml index 0f000d1..ba50a17 100644 --- a/artifacts/user-activity/run_dialog_history.yml +++ b/artifacts/program-execution/run_dialog_history.yml @@ -1,5 +1,5 @@ title: "Run Dialog Command History" -category: "user-activity" +category: "program-execution" description: "Windows Run dialog (Win+R) command history with executed commands and administrative tool access" paths: 
@@ -10,20 +10,19 @@ details: Windows Run dialog maintains a Most Recently Used (MRU) list of commands executed through the Run interface (Win+R keyboard shortcut). Tracks command execution history including system utilities, administrative tools, file paths, network locations, and custom commands - entered by users for quick access to Windows functionality and programs. + entered by users for quick access to Windows functionality. forensic_value: | Extremely valuable for detecting administrative tool usage, malicious command execution, - system reconnaissance activities, and attempts to access restricted utilities. Shows - evidence of command-line tool usage, administrative access attempts, network resource - enumeration, and potential privilege escalation activities. Critical for understanding - user intent and technical knowledge level during investigations. + system reconnaissance activities, and attempts to access restricted utilities. Shows evidence + of command-line tool usage, administrative access attempts, and potential privilege escalation + activities. Critical for understanding user intent and technical knowledge level. structure: | Sequential lettered values (a, b, c, etc.) containing executed commands as REG_SZ data. MRUList value shows execution chronology with most recent commands listed first using letter indicators. Commands include full paths, parameters, network locations, and - built-in Windows utilities with complete command syntax preservation. + built-in Windows utilities. examples: - "a: cmd (Command Prompt execution)" 
@@ -50,6 +49,28 @@ details: - name: "Windows Run Dialog History Cleaner" description: "Tools for clearing Run dialog history and privacy management" +limitations: + - "Run dialog history does NOT prove commands were successfully executed" + - "Command entries don't indicate successful program launch or completion" + - "Network paths don't prove successful authentication or resource access" + - "Administrative tool entries don't show actual system configuration changes" + - "Command parameters don't indicate successful operation or output" + - "MRU order doesn't show command execution frequency or duration" + - "Suspicious executables don't prove malicious activity occurred" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing actual program startup and activity" + - "Windows Event Logs showing command execution (Event ID 4688)" + - "Application event logs showing successful program launch" + - "Command-line audit logs showing actual command execution" + + strengthens_evidence: + - "UserAssist entries showing program execution statistics" + - "ShimCache entries showing program access attempts" + - "Registry keys modified by executed administrative tools" + - "File system artifacts showing program activity and output" + metadata: windows_versions: - "Windows 95" @@ -64,10 +85,10 @@ metadata: - "Windows 11" introduced: "Windows 95" - criticality: "high" investigation_types: + - "program-execution" - "malware-analysis" - "privilege-escalation" - "behavioral-analysis" @@ -113,5 +134,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/execution/userassist.yml b/artifacts/program-execution/userassist.yml similarity index 55% rename from artifacts/execution/userassist.yml rename to artifacts/program-execution/userassist.yml index a0c8fde..d698675 100644 --- a/artifacts/execution/userassist.yml 
+++ b/artifacts/program-execution/userassist.yml @@ -1,5 +1,5 @@ title: "UserAssist Execution Statistics" -category: "execution" +category: "program-execution" description: "ROT13-encoded execution statistics including run count and last execution time" paths: 
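Review bot: in the RunMRU `correlation` block above, "Command-line audit logs showing actual command execution" duplicates the Event ID 4688 item directly above it and names no source. 4688 only carries the command line when the "Include command line in process creation events" policy is enabled, so collapse the two into one item that states that dependency, e.g. `Event ID 4688 with command-line logging enabled, showing the RunMRU text as the process command line`; Sysmon Event ID 1 is the other concrete source and is worth listing. The new `limitations` for RunMRU are sound.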
@@ -7,22 +7,20 @@ paths: details: what: | - Windows UserAssist tracks program execution statistics for GUI applications - accessed through Windows Explorer, desktop, and Start menu. Stores execution - count, last run time, session data, and focus time encoded with ROT13 obfuscation. - Different GUIDs track different application categories and usage patterns. + Windows UserAssist tracks program execution statistics for GUI applications accessed through + Windows Explorer, desktop, and Start menu. Stores execution count, last run time, session data, + and focus time encoded with ROT13 obfuscation. Different GUIDs track different application categories. forensic_value: | - Provides detailed execution statistics showing how many times programs were run - and when they were last executed. Critical for establishing user behavior patterns, - program usage frequency, and timeline analysis of application execution. Can prove - user interaction with specific applications and reveal usage of portable/malicious tools. + Provides detailed execution statistics showing how many times programs were run and when they + were last executed. Critical for establishing user behavior patterns, program usage frequency, + and timeline analysis of application execution. Can prove user interaction with specific applications + and reveal usage of portable/malicious tools. structure: | - ROT13-encoded executable paths as value names with binary data containing - execution count, last run time (FILETIME), session ID, and focus time. - Multiple subkeys for different program categories and Windows versions. - Data structure varies between Windows versions with consistent core elements. + ROT13-encoded executable paths as value names with binary data containing execution count, + last run time (FILETIME), session ID, and focus time. Multiple subkeys for different program + categories and Windows versions. Data structure varies between Windows versions with consistent core elements. 
examples: - "Encoded: HRZR_PGYFRFFVAT\\{CEBTENF}\\Count" @@ -33,7 +31,7 @@ details: - "Focus Time: 120000ms" - "Session ID: 2" - "ROT13 Example: abgrCnq.rkr -> notepad.exe" - + tools: - name: "UserAssistView" url: "https://www.nirsoft.net/utils/userassist_view.html" @@ -47,6 +45,29 @@ details: - name: "UserAssist Parser" description: "Custom Python/PowerShell scripts for bulk analysis" +limitations: + - "UserAssist only tracks GUI applications launched through Windows Explorer shell" + - "Command-line executed programs do not appear in UserAssist" + - "Programs launched via Run dialog, batch files, or scripts may not be tracked" + - "Portable applications on removable media may not create persistent entries" + - "UserAssist can be disabled through registry modification or Group Policy" + - "Data corruption can occur causing inaccurate counts or timestamps" + - "Focus time calculations may be unreliable on systems with multiple monitors" + - "Administrative privileges may be required to access other users' UserAssist data" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs (Event ID 4688) confirming actual program launches" + - "Prefetch files (.pf) with execution counters validating program runs" + - "Application event logs showing successful program startup and operation" + - "File system artifacts showing program activity and file modifications" + + strengthens_evidence: + - "ShimCache entries with matching executable paths and access times" + - "AmCache entries with matching file hashes and metadata" + - "Recent documents and jump lists showing application usage" + - "MUICache entries with matching application display names" + metadata: windows_versions: - "Windows XP" @@ -58,7 +79,6 @@ metadata: - "Windows 11" introduced: "Windows XP" - criticality: "high" investigation_types: @@ -66,6 +86,7 @@ metadata: - "behavioral-analysis" - "incident-response" - "malware-analysis" + - "program-execution" tags: - "execution" 
@@ -107,5 +128,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/execution/visual_stuido_code.yml b/artifacts/program-execution/visual_stuido_code.yml similarity index 56% rename from artifacts/execution/visual_stuido_code.yml rename to artifacts/program-execution/visual_stuido_code.yml index 411470b..887bb7e 100644 --- a/artifacts/execution/visual_stuido_code.yml +++ b/artifacts/program-execution/visual_stuido_code.yml 
@@ -1,33 +1,26 @@ title: "Visual Studio Code Editor Configuration" -category: "execution" +category: "program-execution" description: "VS Code editor settings, extensions, workspace history, and development environment configuration" paths: - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{771FD6B0-FA20-440A-A002-3B3BAC16DC50}_is1" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{EA457B21-F73E-494C-ACAB-524FDE069978}_is1" - "HKCU\\Software\\Classes\\vscode" - "HKLM\\SOFTWARE\\Classes\\vscode" details: what: | - Visual Studio Code stores development environment configuration including workspace - settings, installed extensions, recent projects, debugging configurations, and - integrated terminal preferences. Registry manages file associations, protocol - handlers, installation data, and integration settings for comprehensive code - editing and development activity analysis in modern programming environments. + Visual Studio Code development environment configuration including workspace settings, + installed extensions, recent projects, and debugging configurations. Registry manages + file associations, protocol handlers, and installation data. forensic_value: | - Essential for investigating software development activities, code editing patterns, - project access, and programming-related evidence. Shows evidence of code development, - extension usage, workspace access, and can reveal unauthorized code modifications, - software project involvement, development tool usage, and programming activities - relevant to intellectual property investigations and insider threat analysis. + Essential for investigating software development activities, code editing patterns, and + project access. Shows evidence of code development, extension usage, workspace access, + and can reveal unauthorized code modifications, software project involvement, and programming activities. 
structure: | - VS Code configuration includes installation directories, file associations, - protocol handlers, and workspace preferences. Extension data tracks installed - development tools, language support, and productivity enhancements for - comprehensive development environment analysis and programming activity tracking. + VS Code configuration includes installation directories, file associations, protocol handlers, + and workspace preferences. Extension data tracks installed development tools and language support. examples: - "InstallLocation: C:\\Users\\user\\AppData\\Local\\Programs\\Microsoft VS Code" @@ -37,7 +30,7 @@ details: - "RecentWorkspace: C:\\Development\\ProjectName" - "RecentWorkspace: \\\\server\\shared\\source-code" - "Extension: ms-python.python (Python development support)" - + tools: - name: "Visual Studio Code" description: "Microsoft's popular source code editor" 
@@ -49,6 +42,27 @@ details: - name: "VS Code Settings Sync" description: "Microsoft's settings synchronization for VS Code" +limitations: + - "VS Code registry entries do NOT prove active code development or editing" + - "Installation presence doesn't indicate actual programming work was performed" + - "File associations may be set without opening or editing code files" + - "Recent workspace entries don't prove code was modified or created" + - "Extension installation doesn't indicate extension was actively used" + - "Protocol handler registration enables VS Code integration but doesn't show usage" + - "Workspace settings may be configured without actual development activity" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing Code.exe launches" + - "File system artifacts showing code files accessed or modified" + - "Recent documents showing programming files opened in VS Code" + - "VS Code workspace and settings files showing actual configuration" + + strengthens_evidence: + - "Git artifacts showing code commits and version control activity" + - "File modification timestamps correlating with VS Code execution" + - "Network logs showing extension downloads or updates" + metadata: windows_versions: - "Windows 7" @@ -58,13 +72,13 @@ metadata: - "Windows 11" introduced: "Visual Studio Code (2015)" - criticality: "medium" investigation_types: - - "malware-analysis" - "behavioral-analysis" - - "incident-response" + - "insider-threat" + - "data-exfiltration" + - "program-execution" tags: - "vscode" @@ -97,5 +111,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/execution/wsh_settings.yml b/artifacts/program-execution/windows_script_host_settings.yml similarity index 63% rename from artifacts/execution/wsh_settings.yml rename to artifacts/program-execution/windows_script_host_settings.yml index 457ed2e..49ee18d 100644 --- a/artifacts/execution/wsh_settings.yml +++ b/artifacts/program-execution/windows_script_host_settings.yml @@ -1,5 +1,5 @@ title: "Windows Script Host Settings and Configuration" -category: "execution" +category: "program-execution" description: "Windows Script Host execution policies, script engine settings, and VBScript/JScript security configuration" paths: 
@@ -10,24 +10,20 @@ paths: details: what: | - Windows Script Host (WSH) provides native scripting capabilities for VBScript and JScript execution - with comprehensive security and execution policy configuration. Controls script execution permissions, - timeout settings, security zones, debugging capabilities, and engine-specific behaviors. Manages - both system-wide and user-specific script execution policies for enterprise security and - administrative automation while preventing unauthorized script-based attacks. + Windows Script Host (WSH) provides native scripting capabilities for VBScript and JScript execution + with security and execution policy configuration. Controls script execution permissions, timeout settings, + security zones, debugging capabilities, and engine-specific behaviors for both system-wide and user-specific contexts. forensic_value: | - Critical for detecting script-based malware attacks, policy bypass attempts, and unauthorized - script execution. Shows if WSH was disabled to prevent malicious script execution or enabled - to facilitate attacks. Configuration changes may indicate attempts to execute malicious VBScript - or JScript files, bypass security restrictions, or establish script-based persistence mechanisms. - Essential for analyzing script-based attacks, macro malware, and fileless attack vectors. + Critical for detecting script-based malware attacks, policy bypass attempts, and unauthorized script execution. + Shows if WSH was disabled to prevent malicious script execution or enabled to facilitate attacks. + Configuration changes may indicate attempts to execute malicious VBScript or JScript files, bypass security + restrictions, or establish script-based persistence mechanisms. structure: | - WSH configuration includes Enabled (global WSH enablement), Timeout (script execution timeout), - DisplayLogo (banner display), TrustPolicy (script trust level), and UseWINSAFER (Windows SAFER - integration). 
Settings control script engine behavior, security restrictions, execution timeouts, - and debugging capabilities stored as REG_DWORD values with policy inheritance mechanisms. + WSH configuration includes Enabled (global WSH enablement), Timeout (script execution timeout), + DisplayLogo (banner display), TrustPolicy (script trust level), and UseWINSAFER (Windows SAFER integration). + Settings control script engine behavior, security restrictions, and debugging capabilities stored as REG_DWORD values. examples: - "Enabled: 0 (Windows Script Host completely disabled)" 
@@ -52,6 +48,29 @@ details: - name: "Windows Script Host Analysis Tools" description: "Specialized utilities for WSH configuration assessment" +limitations: + - "WSH disable settings do NOT prevent script execution - can be bypassed with cscript.exe //B parameter" + - "Scripts can be executed directly through script engines bypassing WSH settings" + - "Third-party script interpreters ignore WSH configuration settings" + - "PowerShell and other scripting engines operate independently of WSH policies" + - "Malicious scripts may modify WSH settings to enable execution" + - "Administrative privileges can override user-level WSH restrictions" + - "WSH settings may be reset by Windows updates or system restoration" + - "Remote script execution settings may not apply to all script delivery methods" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing cscript.exe or wscript.exe launches with script parameters" + - "Script file system artifacts showing VBScript or JScript files accessed or executed" + - "Application event logs showing script engine activity and execution results" + - "Command-line history showing script execution commands" + + strengthens_evidence: + - "File modifications created by script execution" + - "Network connections initiated by script processes" + - "Registry modifications made by executed scripts" + - "Scheduled tasks containing script-based automation" + metadata: windows_versions: - "Windows 98" @@ -72,7 +91,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 98" - criticality: "high" investigation_types: @@ -80,6 +98,7 @@ metadata: - "incident-response" - "behavioral-analysis" - "persistence-analysis" + - "program-execution" tags: - "script-execution" @@ -124,5 +143,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/execution/windows_terminal.yml b/artifacts/program-execution/windows_terminal.yml similarity index 56% rename from artifacts/execution/windows_terminal.yml rename to artifacts/program-execution/windows_terminal.yml index 6700b5f..b16dac4 100644 --- a/artifacts/execution/windows_terminal.yml +++ b/artifacts/program-execution/windows_terminal.yml @@ -1,5 +1,5 @@ title: "Windows Terminal Configuration" -category: "execution" +category: "program-execution" description: "Windows Terminal settings, profiles, and modern command-line interface configuration" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows Terminal manages modern command-line interface including shell profiles, - appearance settings, key bindings, and terminal emulation preferences. Registry - stores configuration profiles, color schemes, font preferences, and integration - settings for comprehensive command-line activity analysis and system - administration behavior tracking in modern Windows environments. + Windows Terminal modern command-line interface configuration including shell profiles, + appearance settings, key bindings, and terminal emulation preferences. Registry stores + configuration profiles, color schemes, and integration settings. forensic_value: | - Important for investigating command-line activities, system administration tasks, - scripting behavior, and advanced user interactions. Shows evidence of terminal - usage patterns, shell preferences, custom configurations, and can reveal - system administration activities, scripting development, and command-line based - attack techniques or administrative access patterns. + Important for investigating command-line activities, system administration tasks, and + advanced user interactions. Shows evidence of terminal usage patterns, shell preferences, + and can reveal system administration activities, scripting development, or command-line based attacks. structure: | - Windows Terminal configuration includes profile definitions, appearance settings, - key binding mappings, and startup preferences. Shell integration data tracks - context menu additions, protocol handlers, and command-line interface - customizations for comprehensive terminal usage analysis and administrative activity tracking. + Windows Terminal configuration includes profile definitions, appearance settings, key binding + mappings, and startup preferences. Shell integration data tracks context menu additions + and command-line interface customizations. examples: - "DefaultProfile: {PowerShell GUID}" 
@@ -47,6 +42,27 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "Windows Terminal configuration does NOT prove command-line programs were executed" + - "Profile definitions don't indicate shells or commands were actually run" + - "Context menu integration doesn't show terminal was launched from context menu" + - "Color scheme and appearance settings don't indicate active terminal usage" + - "Startup actions configuration doesn't prove terminal was started" + - "WSL profile existence doesn't prove Linux subsystem was used" + - "PowerShell profile settings don't indicate PowerShell scripts were executed" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing WindowsTerminal.exe or wt.exe launches" + - "Command-line history files showing executed commands" + - "PowerShell or WSL execution logs showing shell activity" + - "File system artifacts showing command-line tools were run" + + strengthens_evidence: + - "Recent documents showing files accessed via command-line tools" + - "Network connections initiated by command-line programs" + - "File modifications correlating with terminal session times" + metadata: windows_versions: - "Windows 10" @@ -57,9 +73,10 @@ metadata: criticality: "medium" investigation_types: - - "malware-analysis" - "behavioral-analysis" - "incident-response" + - "lateral-movement" + - "program-execution" tags: - "windows-terminal" @@ -92,5 +109,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/network/anydesk.yml b/artifacts/remote-access/anydesk.yml similarity index 56% rename from artifacts/network/anydesk.yml rename to artifacts/remote-access/anydesk.yml index e3160b7..e8c8e93 100644 --- a/artifacts/network/anydesk.yml +++ b/artifacts/remote-access/anydesk.yml 
@@ -1,5 +1,5 @@ title: "AnyDesk Remote Desktop Configuration" -category: "network" +category: "remote-access" description: "AnyDesk remote access settings, connection management, and security configuration" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - AnyDesk manages lightweight remote desktop access including connection settings, - security configurations, address book management, and session preferences. - Registry stores installation data, access permissions, connection history, - and authentication settings for comprehensive remote access analysis and - system administration behavior tracking in modern remote work environments. + AnyDesk remote desktop configuration including connection settings, security configurations, + address book management, and session preferences. Registry stores installation data, + access permissions, and authentication settings. forensic_value: | - Important for investigating remote access activities, potential unauthorized - system control, technical support sessions, and remote collaboration evidence. - Shows evidence of remote desktop usage, connection patterns, security settings, - and can indicate legitimate remote work, unauthorized access attempts, technical - support activities, or potential command and control communications. + Important for investigating remote access activities, potential unauthorized system control, + and technical support sessions. Shows evidence of remote desktop usage, connection patterns, + and can indicate legitimate remote work, unauthorized access attempts, or potential command and control communications. structure: | - AnyDesk configuration includes connection preferences, security settings, - address book entries, access permissions, and session management options. - Connection data tracks remote session history, partner devices, and access - control configurations for comprehensive remote access behavior analysis. + AnyDesk configuration includes connection preferences, security settings, address book entries, + access permissions, and session management options. Connection data tracks partner devices + and access control configurations. examples: - "InstallPath: C:\\Program Files (x86)\\AnyDesk" 
@@ -48,6 +43,27 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "AnyDesk configuration does NOT prove remote sessions actually occurred" + - "Address book entries don't indicate successful connections were made" + - "Unattended access settings don't prove remote control was used" + - "File transfer capabilities don't show what files were transferred" + - "Password configuration doesn't indicate authentication success" + - "Installation presence doesn't prove active remote desktop usage" + - "Security settings may be configured without actual remote sessions" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing AnyDesk.exe launches and remote session processes" + - "Network logs showing AnyDesk protocol connections to remote systems" + - "AnyDesk connection logs showing actual remote session establishment" + - "File system artifacts showing files accessed during remote sessions" + + strengthens_evidence: + - "Event logs showing user logon/logoff during remote sessions" + - "Recent documents accessed during suspected remote control timeframes" + - "Clipboard artifacts showing data transfer between systems" + metadata: windows_versions: - "Windows 7" @@ -57,13 +73,14 @@ metadata: - "Windows 11" introduced: "AnyDesk" - criticality: "high" investigation_types: - "incident-response" - "behavioral-analysis" - "insider-threat" + - "remote-access" + - "lateral-movement" tags: - "anydesk" @@ -96,5 +113,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/network/remote_assistance.yml b/artifacts/remote-access/remote_assistance_and_rdp.yml similarity index 60% rename from artifacts/network/remote_assistance.yml rename to artifacts/remote-access/remote_assistance_and_rdp.yml index 312cbd3..e9b0494 100644 
--- a/artifacts/network/remote_assistance.yml +++ b/artifacts/remote-access/remote_assistance_and_rdp.yml @@ -1,6 +1,6 @@ title: "Remote Assistance and Remote Desktop Settings" -category: "network" -description: "RDP configuration, remote assistance settings, terminal services, and remote access security" +category: "remote-access" +description: "RDP configuration, remote assistance settings, and remote access security controls" paths: - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" 
@@ -10,24 +10,21 @@ paths: details: what: | - Remote Desktop Protocol (RDP) and Remote Assistance configuration encompasses service enablement, - port settings, authentication requirements, encryption levels, connection permissions, session - management, and security policies for remote system access. Controls terminal services behavior, - remote assistance capabilities, Network Level Authentication, and multi-session management - for comprehensive remote access functionality. + Remote Desktop Protocol (RDP) and Remote Assistance configuration including service enablement, + port settings, authentication requirements, encryption levels, and session management. + Controls terminal services behavior and remote assistance capabilities. forensic_value: | - Critical for investigating unauthorized remote access, lateral movement techniques, and - persistent backdoor installations. Shows if remote access was enabled for malicious connections, - reveals RDP configuration changes facilitating attacker persistence, and indicates remote - assistance sessions that could be used for data theft or system reconnaissance. Essential - for detecting advanced persistent threats using legitimate remote access tools for stealth. + Critical for investigating unauthorized remote access and lateral movement techniques. + Shows if remote access was enabled for malicious connections and reveals configuration + changes that facilitate attacker persistence. Essential for detecting advanced persistent + threats using legitimate remote access tools. structure: | - Terminal Server settings include fDenyTSConnections (RDP enable/disable), PortNumber (listening port), - SecurityLayer (authentication method), UserAuthentication (Network Level Authentication requirement), - and MaxInstanceCount (concurrent sessions). Remote Assistance contains AllowToGetHelp (service - enablement), MaxTicketExpiry (session timeout), and CreateEncryptedOnlyTickets (security requirements). 
+ Terminal Server settings include fDenyTSConnections (RDP enable/disable), PortNumber + (listening port), SecurityLayer (authentication method), UserAuthentication (Network + Level Authentication), and MaxInstanceCount (concurrent sessions). Remote Assistance + contains AllowToGetHelp and MaxTicketExpiry settings. examples: - "fDenyTSConnections: 0 (Remote Desktop enabled - potential security risk)" @@ -38,7 +35,7 @@ details: - "AllowToGetHelp: 1 (Remote Assistance enabled)" - "MaxTicketExpiry: 6 (6-hour session timeout)" - "CreateEncryptedOnlyTickets: 1 (Require encryption for assistance)" - + tools: - name: "Remote Desktop Configuration" description: "Windows built-in RDP settings and configuration interface" 
@@ -52,6 +49,28 @@ details: - name: "RDP Security Scanner" description: "Third-party tools for assessing RDP security configuration" +limitations: + - "Configuration settings do NOT prove remote access actually occurred" + - "Enabled RDP doesn't indicate successful connections or authentication" + - "Port settings don't reveal actual network traffic or connection attempts" + - "Remote assistance enablement doesn't prove assistance sessions were established" + - "Settings can be changed by malware without user knowledge" + - "Configuration doesn't indicate who accessed the system or when" + - "Security settings may be overridden by group policy or local bypass" + +correlation: + required_for_definitive_usage_proof: + - "Windows Event Logs showing RDP logon events (Event ID 4624, 4625)" + - "Network connection logs showing actual RDP traffic on configured ports" + - "Terminal Services event logs showing session establishment and termination" + - "Authentication logs confirming successful remote logon attempts" + + strengthens_evidence: + - "Network firewall logs showing RDP port access attempts" + - "Process execution logs showing Terminal Services process activity" + - "File system artifacts showing user activity during remote sessions" + - "Registry keys modified during remote sessions" + metadata: windows_versions: - "Windows XP" @@ -69,12 +88,11 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "high" investigation_types: - - "behavioral-analysis" - "lateral-movement" + - "remote-access" - "incident-response" - "persistence-analysis" - "privilege-escalation" @@ -114,5 +132,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/network/teamviewer.yml b/artifacts/remote-access/teamviewer.yml similarity index 54% rename from artifacts/network/teamviewer.yml rename to artifacts/remote-access/teamviewer.yml index b81b2af..17d2789 100644 --- a/artifacts/network/teamviewer.yml +++ b/artifacts/remote-access/teamviewer.yml @@ -1,5 +1,5 @@ title: "TeamViewer Remote Access Configuration" -category: "network" +category: "remote-access" description: "TeamViewer remote desktop settings, connection history, and access control preferences" paths: 
@@ -10,24 +10,20 @@ paths: details: what: | - TeamViewer manages remote desktop access including connection preferences, - security settings, account integration, and access control policies. Registry - stores configuration data, connection history, authentication methods, and - collaboration settings for comprehensive remote access analysis and system - administration behavior tracking in support and business environments. + TeamViewer configuration including connection preferences, security settings, account + integration, and access control policies. Stores configuration data, connection history, + authentication methods, and collaboration settings for remote access analysis. forensic_value: | - Critical for investigating remote access activities, unauthorized system access, - insider threats through remote connections, and evidence of external control. - Shows evidence of remote desktop usage, connection patterns, access permissions, - and can indicate unauthorized remote access, insider collaboration, external - technical support, or potential command and control activities. + Critical for investigating remote access activities and unauthorized system access. + Shows evidence of remote desktop usage, connection patterns, and access permissions. + Can indicate unauthorized remote access, insider collaboration, external technical + support, or potential command and control activities. structure: | - TeamViewer configuration includes account credentials, connection settings, - security policies, access permissions, and collaboration preferences. Connection - data tracks remote session history, partner information, and access control - settings for comprehensive remote access behavior analysis and security assessment. + TeamViewer configuration includes account credentials, connection settings, security + policies, and access permissions. Connection data tracks remote session history, + partner information, and access control settings stored in registry values. 
examples: - "InstallPath: C:\\Program Files\\TeamViewer" @@ -48,6 +44,28 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "Configuration settings do NOT prove TeamViewer sessions actually occurred" + - "Connection history may not show complete session details or duration" + - "Account settings don't indicate actual remote access usage" + - "File transfer enablement doesn't prove files were transferred" + - "Unattended access settings don't show when remote access happened" + - "TeamViewer ID presence doesn't prove remote connections were established" + - "Security settings can be bypassed or modified by remote operators" + +correlation: + required_for_definitive_usage_proof: + - "TeamViewer connection logs showing actual session establishment and duration" + - "Windows Event Logs showing TeamViewer process execution and network activity" + - "Network traffic analysis showing TeamViewer protocol communications" + - "TeamViewer session recordings or audit logs from TeamViewer servers" + + strengthens_evidence: + - "Process execution logs showing TeamViewer service and client activity" + - "File system artifacts showing TeamViewer temporary files and logs" + - "Registry keys modified during TeamViewer sessions" + - "Network connection logs correlating with TeamViewer activity" + metadata: windows_versions: - "Windows XP" @@ -59,10 +77,10 @@ metadata: - "Windows 11" introduced: "TeamViewer" - criticality: "high" investigation_types: + - "remote-access" - "incident-response" - "behavioral-analysis" - "insider-threat" @@ -98,5 +116,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/network/terminal_services.yml b/artifacts/remote-access/terminal_services.yml similarity index 66% rename from artifacts/network/terminal_services.yml rename to artifacts/remote-access/terminal_services.yml index c59c081..150a7d7 100644 --- a/artifacts/network/terminal_services.yml +++ b/artifacts/remote-access/terminal_services.yml @@ -1,5 +1,5 @@ title: "Terminal Services and Remote Desktop Configuration" -category: "network" +category: "remote-access" description: "Terminal Services session management, RDP settings, and remote execution configuration" paths: 
@@ -10,24 +10,20 @@ paths: details: what: | - Terminal Services configuration for remote desktop sessions, console sessions, - and multi-user environments. Controls session behavior, timeouts, security - settings, application execution in terminal sessions, RDP connection parameters, - and remote access policies. Manages both incoming remote connections and - outgoing Terminal Services client configurations. + Terminal Services configuration for remote desktop sessions, console sessions, and multi-user + environments. Controls session behavior, timeouts, security settings, and application execution + in terminal sessions. Manages both incoming remote connections and outgoing client configurations. forensic_value: | - Shows remote session configuration that could facilitate unauthorized access, - reveals session policies that might hide user activity, indicates terminal - services usage for remote command execution, persistence, or lateral movement. - Critical for identifying unauthorized remote access, RDP-based attacks, and - evidence of remote administration activities that could indicate compromise. + Shows remote session configuration that could facilitate unauthorized access, reveals session + policies that might hide user activity, and indicates terminal services usage for remote + command execution or lateral movement. Critical for identifying unauthorized remote access + and RDP-based attacks. structure: | - WinStations configuration includes session settings, security descriptors, - connection parameters, and RDP-specific settings. Install settings control - application compatibility in multi-user environments. Client settings track - connection preferences, recently connected servers, and authentication methods. + WinStations configuration includes session settings, security descriptors, and connection + parameters. Install settings control application compatibility in multi-user environments. 
+ Client settings track connection preferences and recently connected servers. examples: - "RDP-Tcp\\PortNumber: 3389 (default RDP port)" @@ -55,9 +51,31 @@ details: - name: "TSAdmin" description: "Terminal Services administration and monitoring tools" +limitations: + - "Terminal Services configuration does NOT prove remote sessions occurred" + - "Session settings don't indicate actual user activity or authentication" + - "RDP port configuration doesn't show successful connections" + - "Client settings don't prove connections were established" + - "Timeout settings don't indicate actual session duration" + - "Application compatibility settings don't show software was used" + - "Security settings can be bypassed or modified" + +correlation: + required_for_definitive_session_proof: + - "Windows Event Logs showing Terminal Services logon events (Event ID 4624)" + - "Terminal Services event logs showing session establishment and activity" + - "Network connection logs showing RDP traffic on configured ports" + - "Process execution logs showing Terminal Services process activity" + + strengthens_evidence: + - "File system artifacts showing user activity during remote sessions" + - "Registry keys modified during terminal sessions" + - "Application logs showing software usage in terminal sessions" + - "Authentication logs confirming remote user logons" + metadata: windows_versions: - - "Windows NT 4.0 Terminal Server Edition" + - "Windows NT 4.0" - "Windows XP" - "Windows Vista" - "Windows 7" @@ -73,11 +91,11 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 4.0 Terminal Server Edition" - criticality: "medium" investigation_types: - "lateral-movement" + - "remote-access" - "incident-response" - "behavioral-analysis" - "privilege-escalation" @@ -126,5 +144,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/network/vpn_connections.yml b/artifacts/remote-access/vpn_connections.yml similarity index 61% rename from artifacts/network/vpn_connections.yml rename to artifacts/remote-access/vpn_connections.yml index 8535958..8836951 100644 --- a/artifacts/network/vpn_connections.yml +++ b/artifacts/remote-access/vpn_connections.yml @@ -1,6 +1,6 @@ title: "VPN and Remote Access Connections" -category: "network" -description: "VPN connection profiles, remote access settings, dial-up configurations, and encrypted tunnel history" +category: "remote-access" +description: "VPN connection profiles, remote access settings, and encrypted tunnel history" paths: - "HKCU\\Software\\Microsoft\\RAS Phonebook" 
@@ -10,24 +10,20 @@ paths: details: what: | - Windows stores comprehensive VPN connection profiles, dial-up settings, remote - access service configurations, and connection history. Includes server addresses, - authentication methods, encryption protocols, connection parameters for various - VPN protocols (PPTP, L2TP/IPSec, SSTP, IKEv2), and Point-to-Point Protocol - configuration for both corporate and personal VPN usage. + Windows VPN connection profiles, dial-up settings, and remote access service configurations. + Includes server addresses, authentication methods, encryption protocols, and connection + parameters for various VPN protocols (PPTP, L2TP/IPSec, SSTP, IKEv2). forensic_value: | - Shows remote network access attempts, VPN usage for potential data exfiltration, - unauthorized remote access to corporate networks, and can reveal connections to - suspicious networks, command and control infrastructure, or anonymization services. - Critical for identifying covert communication channels, unauthorized network access, - and potential insider threat activities involving external network connections. + Shows remote network access attempts and VPN usage for potential data exfiltration. + Can reveal connections to suspicious networks, command and control infrastructure, or + anonymization services. Critical for identifying covert communication channels and + unauthorized network access attempts. structure: | Connection profiles with server addresses, authentication settings, VPN protocols, - encryption configurations, auto-connect preferences, and credential storage options. - Phonebook entries contain detailed connection parameters, server endpoints, - authentication types, and protocol-specific settings stored in binary format. + encryption configurations, and credential storage options. Phonebook entries contain + detailed connection parameters and protocol-specific settings stored in binary format. examples: - "Connection: Corporate VPN" 
@@ -54,6 +50,28 @@ details: - name: "RasPhone" description: "Windows Remote Access phonebook editor and connection utility" +limitations: + - "VPN configuration profiles do NOT prove connections were established" + - "Connection settings don't indicate successful authentication or data transmission" + - "Server addresses don't prove network traffic actually used the VPN" + - "Credential storage doesn't indicate VPN was used for data transfer" + - "Auto-connect settings don't show when connections occurred" + - "Protocol settings don't reveal what data was transmitted through VPN" + - "Connection profiles may exist without any actual VPN usage" + +correlation: + required_for_definitive_usage_proof: + - "VPN server connection logs showing successful client authentication" + - "Network traffic analysis showing VPN protocol communications" + - "Windows Event Logs showing VPN connection establishment (Event ID 20250)" + - "RAS event logs showing successful tunnel establishment and data transmission" + + strengthens_evidence: + - "Process execution logs showing VPN client software activity" + - "Network interface statistics showing VPN adapter traffic" + - "DNS resolution logs showing VPN server name resolution" + - "Authentication logs showing VPN credential usage" + metadata: windows_versions: - "Windows 95" @@ -76,11 +94,11 @@ metadata: - "Windows Server 2022" introduced: "Windows 95 (Dial-Up Networking)" - criticality: "medium" investigation_types: - "data-exfiltration" + - "remote-access" - "lateral-movement" - "insider-threat" - "behavioral-analysis" @@ -130,5 +148,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/security/bitlocker_config.yml b/artifacts/security-monitoring/bitlocker_config.yml similarity index 64% rename from artifacts/security/bitlocker_config.yml rename to artifacts/security-monitoring/bitlocker_config.yml index d4c1073..9de0e12 100644 --- a/artifacts/security/bitlocker_config.yml +++ b/artifacts/security-monitoring/bitlocker_config.yml @@ -1,5 +1,5 @@ title: "BitLocker Drive Encryption Settings" -category: "security" +category: "security-monitoring" description: "BitLocker encryption configuration, drive protection status, recovery policies, and TPM integration" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - BitLocker Full Volume Encryption manages drive-level encryption configuration including - encryption algorithms, authentication methods, TPM (Trusted Platform Module) integration, - recovery key policies, and administrative settings. Controls system drive encryption, - removable media protection, network unlock capabilities, and enterprise key management - for comprehensive data protection and compliance requirements. + BitLocker Full Volume Encryption manages drive-level encryption configuration including encryption + algorithms, authentication methods, TPM integration, recovery key policies, and administrative + settings. Controls system drive encryption, removable media protection, and enterprise key management. forensic_value: | - Critical for understanding data protection mechanisms that may prevent forensic access, - reveals encryption bypass attempts, shows evidence of encryption policy violations, and - indicates security-conscious behavior or attempts to hide data through encryption. - Configuration changes may reveal insider threats attempting to protect stolen data or - attackers trying to disable encryption for persistent access. + Critical for understanding data protection mechanisms that may prevent forensic access. Shows + encryption bypass attempts, policy violations, and security-conscious behavior. Configuration + changes may reveal insider threats protecting stolen data or attackers disabling encryption. structure: | - BitLocker configuration includes encryption method settings (AES-128/256), authentication - requirements (TPM, PIN, USB key), recovery options, startup authentication policies, - and enterprise management settings. Service configuration controls BitLocker Drive - Encryption Service behavior, automatic encryption, and policy enforcement mechanisms. 
+ BitLocker configuration includes encryption method settings (AES-128/256), authentication + requirements (TPM, PIN, USB key), recovery options, startup authentication policies, and enterprise + management settings. Service configuration controls behavior and policy enforcement. examples: - "EncryptionMethod: 3 (AES 128-bit with Diffuser)" @@ -52,6 +47,28 @@ details: - name: "TPM Management Console" description: "Trusted Platform Module configuration and monitoring" +limitations: + - "BitLocker configuration does NOT prove drives are currently encrypted" + - "Policy settings don't indicate successful encryption deployment" + - "Recovery key configuration doesn't prove key backup occurred" + - "TPM settings may be configured but TPM hardware could be disabled" + - "Encryption method settings don't prove data protection is active" + - "Service configuration doesn't indicate BitLocker operational status" + +correlation: + required_for_definitive_encryption_proof: + - "File system artifacts showing encrypted drive headers" + - "Event logs (Event ID 24577-24585) showing BitLocker operations" + - "TPM event logs confirming hardware-based key operations" + - "manage-bde status output showing actual encryption status" + - "Recovery key files or Active Directory BitLocker recovery information" + + strengthens_evidence: + - "Group Policy settings showing enterprise BitLocker deployment" + - "Event logs showing successful TPM operations during encryption" + - "File system analysis showing encrypted volume structure" + - "Registry changes showing BitLocker service activation" + metadata: windows_versions: - "Windows Vista" @@ -67,12 +84,13 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - criticality: "high" investigation_types: - "incident-response" - "insider-threat" + - "data-exfiltration" + - "anti-forensics" tags: - "security" 
@@ -113,5 +131,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/security/camera_microphone_access_control.yml b/artifacts/security-monitoring/camera_microphone_access_control.yml similarity index 59% rename from artifacts/security/camera_microphone_access_control.yml rename to artifacts/security-monitoring/camera_microphone_access_control.yml index cd4fbc5..0a5c674 100644 --- a/artifacts/security/camera_microphone_access_control.yml +++ b/artifacts/security-monitoring/camera_microphone_access_control.yml @@ -1,5 +1,5 @@ title: "Camera and Microphone Access Control" -category: "security" +category: "security-monitoring" description: "Privacy consent settings for camera and microphone access by applications and system components" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows manages application permissions for camera and microphone access through the - Capability Access Manager. Registry stores consent decisions, application-specific - permissions, system-wide privacy settings, and usage tracking for audio/video - recording capabilities. Controls which applications can access sensitive hardware - devices and maintains audit trails of permission grants and denials. + Windows manages application permissions for camera and microphone access through the Capability + Access Manager. Registry stores consent decisions, application-specific permissions, system-wide + privacy settings, and usage tracking for audio/video recording capabilities. forensic_value: | - Critical for investigating privacy violations, unauthorized surveillance, and potential - malware with recording capabilities. Shows evidence of applications attempting to - access camera/microphone, reveals privacy setting modifications that could indicate - malicious activity, and provides timeline of when sensitive permissions were granted - or denied. Essential for detecting spyware, unauthorized recording, and privacy breaches. + Critical for investigating privacy violations, unauthorized surveillance, and potential malware + with recording capabilities. Shows applications attempting camera/microphone access, privacy + setting modifications, and provides timeline of when sensitive permissions were granted or denied. structure: | - ConsentStore entries include Value (Allow/Deny), LastUsedTimeStart/LastUsedTimeStop - timestamps as FILETIME, and application-specific permission entries with package - family names for UWP apps and executable paths for desktop applications. Global - settings control system-wide camera/microphone access policies. 
+ ConsentStore entries include Value (Allow/Deny), LastUsedTimeStart/LastUsedTimeStop timestamps + as FILETIME, and application-specific permission entries with package family names for UWP apps + and executable paths for desktop applications. examples: - "microphone\\Value: Allow (System-wide microphone access enabled)" @@ -49,18 +44,41 @@ details: url: "https://docs.microsoft.com/en-us/sysinternals/downloads/procmon" description: "Monitor real-time camera/microphone access attempts" +limitations: + - "Permission grants do NOT prove actual camera or microphone usage occurred" + - "Access consent doesn't indicate what was recorded or captured" + - "Usage timestamps may reflect permission checks, not actual recording" + - "Application permissions don't prove unauthorized surveillance happened" + - "System-wide settings may be overridden by specific application permissions" + - "Permission modifications could be from legitimate privacy adjustments" + +correlation: + required_for_definitive_surveillance_proof: + - "Audio/video files created during permission usage timeframes" + - "Application logs showing successful camera/microphone operations" + - "Process execution logs for applications with permissions during usage times" + - "Network traffic logs if recorded content was transmitted" + - "File system artifacts showing media files created by permitted applications" + + strengthens_evidence: + - "Event logs showing application launches during permission usage windows" + - "Registry changes in application-specific settings during permission grants" + - "File modifications in application data folders during usage periods" + - "Network connections by applications with recording permissions" + metadata: windows_versions: - "Windows 10" - "Windows 11" introduced: "Windows 10" - - criticality: "high" + criticality: "medium" investigation_types: - "malware-analysis" - "incident-response" + - "data-exfiltration" + - "behavioral-analysis" tags: - "privacy" 
@@ -97,5 +115,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/certificate_stores.yml b/artifacts/security-monitoring/certificate_stores.yml similarity index 65% rename from artifacts/system/certificate_stores.yml rename to artifacts/security-monitoring/certificate_stores.yml index 89fb1c3..ed10e1c 100644 --- a/artifacts/system/certificate_stores.yml +++ b/artifacts/security-monitoring/certificate_stores.yml @@ -1,5 +1,5 @@ title: "Certificate Stores and Cryptographic Configuration" -category: "system" +category: "security-monitoring" description: "PKI certificate stores, trusted root authorities, cryptographic settings, and SSL/TLS trust relationships" paths: 
@@ -10,23 +10,21 @@ paths: details: what: | - Windows certificate stores manage Public Key Infrastructure (PKI) components including trusted - root certificate authorities, intermediate certificates, personal certificates, revoked certificates, - and cryptographic service provider configurations. Controls SSL/TLS trust relationships, code - signing verification, email encryption, and overall system cryptographic security posture. + Windows certificate stores manage Public Key Infrastructure (PKI) components including trusted + root certificate authorities, intermediate certificates, personal certificates, revoked certificates, + and cryptographic service provider configurations. Controls SSL/TLS trust relationships and + code signing verification. forensic_value: | - Critical for detecting man-in-the-middle attacks through unauthorized certificate installation, - identifying certificate-based persistence mechanisms, analyzing SSL/TLS interception attempts, - and investigating cryptographic configuration changes that weaken security. Reveals malicious - certificate authorities installed by attackers, shows evidence of corporate monitoring software, - and indicates advanced persistent threat techniques using certificate manipulation. + Critical for detecting man-in-the-middle attacks through unauthorized certificate installation, + identifying certificate-based persistence mechanisms, and analyzing SSL/TLS interception attempts. + Reveals malicious certificate authorities installed by attackers and indicates advanced persistent + threat techniques using certificate manipulation. structure: | - Certificate stores organized by purpose including ROOT (trusted authorities), CA (intermediate), - MY (personal), TrustedPeople (trusted users), and Disallowed (revoked). Each certificate stored - with binary data including public key, issuer information, validity dates, thumbprint hash, - and usage restrictions. 
Cryptography settings control providers, algorithms, and security policies. + Certificate stores organized by purpose including ROOT (trusted authorities), CA (intermediate), + MY (personal), TrustedPeople (trusted users), and Disallowed (revoked). Each certificate stored + with binary data including public key, issuer information, validity dates, and thumbprint hash. examples: - "ROOT\\Certificates\\{SHA1-Thumbprint}: VeriSign Class 3 Public Primary CA" @@ -52,6 +50,28 @@ details: - name: "SSL Certificate Checker" description: "Tools for validating certificate chains and trust" +limitations: + - "Certificate installation does NOT prove man-in-the-middle attacks occurred" + - "Trusted certificate presence doesn't indicate actual SSL/TLS interception happened" + - "Certificate authority modifications may be legitimate enterprise security requirements" + - "Cryptographic configuration changes don't prove security compromise" + - "Root certificate additions may be for legitimate corporate monitoring or security tools" + - "Certificate revocation doesn't indicate malicious activity was detected" + +correlation: + required_for_definitive_attack_proof: + - "Network traffic logs showing SSL/TLS connections using suspicious certificates" + - "Application logs showing certificate validation failures or warnings" + - "Browser logs showing certificate override events or security warnings" + - "File system artifacts showing certificate installation during attack timeframes" + - "Event logs showing certificate service operations and validation events" + + strengthens_evidence: + - "Network logs showing encrypted traffic patterns consistent with certificate interception" + - "Registry changes showing certificate installation correlating with attack periods" + - "File modifications in certificate directories during suspicious activity" + - "Event logs showing certificate errors or trust failures during communication" + metadata: windows_versions: - "Windows 2000" 
@@ -71,7 +91,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 2000" - criticality: "high" investigation_types: @@ -116,5 +135,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/security/device_permissions.yml b/artifacts/security-monitoring/device_permissions.yml similarity index 62% rename from artifacts/security/device_permissions.yml rename to artifacts/security-monitoring/device_permissions.yml index 705ec66..b94726a 100644 --- a/artifacts/security/device_permissions.yml +++ b/artifacts/security-monitoring/device_permissions.yml @@ -1,5 +1,5 @@ title: "Device Permissions and Privacy Settings" -category: "security" +category: "security-monitoring" description: "App permissions for camera, microphone, location, contacts, and other device capabilities with privacy controls" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows capability access manager controls application permissions for sensitive device - resources including camera, microphone, location services, contacts, calendar, messaging, - and other privacy-sensitive capabilities. Manages both global permission settings and - per-application granular access controls for comprehensive privacy protection and - security enforcement across Modern Windows applications. + Windows capability access manager controls application permissions for sensitive device resources + including camera, microphone, location services, contacts, calendar, messaging, and other + privacy-sensitive capabilities. Manages global and per-application granular access controls. forensic_value: | - Critical for investigating privacy violations, unauthorized surveillance, data exfiltration - through device sensors, and malicious application behavior. Shows which applications - have access to sensitive resources like cameras and microphones, reveals potential - surveillance capabilities, and indicates privacy-conscious user behavior or attempts - to hide malicious access to device capabilities through permission manipulation. + Critical for investigating privacy violations, unauthorized surveillance, and data exfiltration + through device sensors. Shows applications with access to sensitive resources, reveals potential + surveillance capabilities, and indicates privacy setting modifications. structure: | - ConsentStore organizes permissions by capability type (camera, microphone, location, etc.) - with global and per-application settings. DeviceAccess controls system-wide capability - enablement, Privacy settings manage user-level privacy preferences, and AppPrivacy - policies enforce enterprise privacy controls and application access restrictions. + ConsentStore organizes permissions by capability type with global and per-application settings. 
+ DeviceAccess controls system-wide capability enablement, Privacy settings manage user-level + preferences, and AppPrivacy policies enforce enterprise privacy controls. examples: - "ConsentStore\\\\webcam\\\\Value: Allow (Global camera access enabled)" @@ -52,19 +47,41 @@ details: - name: "Privacy Dashboard" description: "Microsoft account privacy settings and data management" +limitations: + - "Permission settings do NOT prove applications actually accessed sensitive data" + - "Device capability allowances don't indicate what data was collected" + - "Privacy consent doesn't prove surveillance or unauthorized access occurred" + - "Location permissions don't indicate actual location tracking happened" + - "Contact access permissions don't prove data exfiltration occurred" + - "Capability settings may be legitimate privacy preferences" + +correlation: + required_for_definitive_access_proof: + - "Application logs showing successful data operations using granted permissions" + - "Network traffic logs showing data transmission from apps with device permissions" + - "File system artifacts showing data collected by applications" + - "Process execution logs for applications during permission usage periods" + - "Event logs showing successful device access operations" + + strengthens_evidence: + - "Recent documents or files created by applications with sensitive permissions" + - "Network connections by applications with location or contact access" + - "Registry changes showing application data storage during permission usage" + - "File modifications in application data folders during capability access" + metadata: windows_versions: - "Windows 10" - "Windows 11" introduced: "Windows 10" - criticality: "high" investigation_types: - "data-exfiltration" - "malware-analysis" - "insider-threat" + - "behavioral-analysis" tags: - "security" 
@@ -105,5 +122,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/event_log_config.yml b/artifacts/security-monitoring/event_log_config.yml similarity index 66% rename from artifacts/system/event_log_config.yml rename to artifacts/security-monitoring/event_log_config.yml index 7b51367..74b9864 100644 --- a/artifacts/system/event_log_config.yml +++ b/artifacts/security-monitoring/event_log_config.yml @@ -1,5 +1,5 @@ title: "Event Log Configuration and Settings" -category: "system" +category: "security-monitoring" description: "Windows Event Log size limits, retention policies, enabled/disabled logging channels, and audit configuration" paths: 
@@ -10,23 +10,22 @@ paths: details: what: | - Windows stores comprehensive event log configuration including maximum log sizes, retention policies, - enabled/disabled channels, log file locations, access permissions, and audit policy settings. - Controls logging behavior for Security, Application, System, Setup, and custom event logs including - modern Windows Event Log (EVTX) channels and legacy event log format settings. + Windows stores comprehensive event log configuration including maximum log sizes, retention + policies, enabled/disabled channels, log file locations, access permissions, and audit policy + settings. Controls logging behavior for Security, Application, System, Setup, and custom event + logs including modern Windows Event Log (EVTX) channels. forensic_value: | - Critical for forensic investigations as it reveals if attackers disabled logging to hide malicious - activity, modified log retention to prevent evidence preservation, or altered audit policies to - avoid detection. Shows evidence tampering attempts, insufficient logging configurations that may - result in missing evidence, and indicates security-conscious modifications that affect investigation - capabilities and timeline reconstruction. + Critical for forensic investigations as it reveals if attackers disabled logging to hide malicious + activity, modified log retention to prevent evidence preservation, or altered audit policies to + avoid detection. Shows evidence tampering attempts and insufficient logging configurations that + may result in missing evidence. structure: | - EventLog service configuration includes log names as subkeys containing MaxSize (maximum bytes), - Retention (retention days), File (log file path), RestrictGuestAccess (access permissions), - and Sources (event sources). WINEVT Channels contain modern event log configuration with - Enabled status, Isolation levels, Access permissions, and MaxSize settings stored as various data types. 
+ EventLog service configuration includes log names as subkeys containing MaxSize (maximum bytes), + Retention (retention days), File (log file path), RestrictGuestAccess (access permissions), + and Sources (event sources). WINEVT Channels contain modern event log configuration with + Enabled status and MaxSize settings. examples: - "Security\\MaxSize: 0x6400000 (100MB maximum log size)" @@ -55,6 +54,28 @@ details: url: "https://eventlogxp.com/" description: "Advanced event log analysis and management tool" +limitations: + - "Event log configuration does NOT prove logging tampering or evidence destruction occurred" + - "Disabled logging channels don't indicate malicious activity caused the changes" + - "Log size limits don't prove events were lost due to insufficient retention" + - "Audit policy settings don't indicate actual audit events were generated" + - "Configuration modifications may be legitimate administrative log management" + - "Log retention settings don't prove evidence was intentionally destroyed" + +correlation: + required_for_definitive_tampering_proof: + - "Event logs showing configuration changes and log clearing events" + - "Registry change logs showing event log configuration modifications" + - "File system artifacts showing log file deletion or modification" + - "Audit logs showing unauthorized access to event log configuration" + - "Process execution logs showing log management utilities being run" + + strengthens_evidence: + - "Event logs showing gaps in logging during suspicious periods" + - "Registry changes in audit policy settings correlating with attack timelines" + - "File modifications in event log directories during configuration changes" + - "Event logs showing log service restarts or configuration reloads" + metadata: windows_versions: - "Windows NT" 
@@ -75,13 +96,13 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: - "incident-response" - "malware-analysis" - "timeline-analysis" + - "anti-forensics" tags: - "event-logs" @@ -122,5 +143,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/network/firewall_rules.yml b/artifacts/security-monitoring/firewall_rules.yml similarity index 64% rename from artifacts/network/firewall_rules.yml rename to artifacts/security-monitoring/firewall_rules.yml index 7c65a91..c8590f2 100644 --- a/artifacts/network/firewall_rules.yml +++ b/artifacts/security-monitoring/firewall_rules.yml @@ -1,5 +1,5 @@ title: "Windows Firewall Rules and Configuration" -category: "network" +category: "security-monitoring" description: "Firewall rules, exceptions, security policy configurations, and network protection settings" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows stores comprehensive firewall configuration including enabled/disabled status, - firewall rules, port exceptions, application exceptions, network profile settings - for Domain, Private, and Public networks, and Windows Defender Firewall policies. - Controls inbound and outbound traffic filtering, application permissions, and - network security enforcement across different network location types. + Windows firewall configuration including enabled/disabled status, firewall rules, port exceptions, + application exceptions, and network profile settings for Domain, Private, and Public networks. + Controls inbound and outbound traffic filtering and application permissions. forensic_value: | - Shows security posture changes, unauthorized firewall rule modifications, malware - attempts to create network exceptions, and evidence of network policy tampering. - Critical for understanding network security state, identifying firewall bypass - attempts, and revealing unauthorized network access permissions that could - facilitate data exfiltration, lateral movement, or command and control communication. + Shows security posture changes, unauthorized firewall rule modifications, malware attempts to + create network exceptions, and evidence of network policy tampering. Critical for understanding + network security state, identifying firewall bypass attempts, and revealing unauthorized network access permissions. structure: | - Profile-based configuration with subkeys for DomainProfile, StandardProfile - (Private), and PublicProfile containing EnableFirewall, DefaultInboundAction, - DefaultOutboundAction, and detailed rule definitions. Binary data includes - rule specifications, port ranges, application paths, and protocol configurations. 
+ Profile-based configuration with subkeys for DomainProfile, StandardProfile (Private), and PublicProfile + containing EnableFirewall, DefaultInboundAction, DefaultOutboundAction, and detailed rule definitions. + Binary data includes rule specifications, port ranges, and application paths. examples: - "DomainProfile\\EnableFirewall: 1 (firewall enabled)" @@ -53,6 +48,27 @@ details: url: "https://www.binisoft.org/wfc" description: "Third-party firewall management tool for detailed rule analysis" +limitations: + - "Firewall rule configuration does NOT prove network traffic actually occurred" + - "Rule exceptions don't indicate applications successfully communicated through firewall" + - "Disabled firewall settings don't prove network attacks were successful" + - "Port exceptions may be legitimate system requirements, not malicious activity" + - "Application exceptions may be created by legitimate software installations" + - "Rule modifications may be administrative changes, not evidence tampering" + - "Default actions don't show specific traffic that was blocked or allowed" + +correlation: + required_for_definitive_execution_proof: + - "Network traffic logs showing actual connections matching firewall rule criteria" + - "Windows Firewall service logs showing rule enforcement and traffic decisions" + - "Application logs showing successful network communication through firewall" + - "Event logs showing firewall rule changes and policy updates" + + strengthens_evidence: + - "Process execution logs showing applications that created firewall exceptions" + - "Timeline analysis correlating rule changes with suspicious network activity" + - "System configuration changes logs showing administrative firewall modifications" + metadata: windows_versions: - "Windows XP" @@ -124,5 +140,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/security/local_security_policy.yml b/artifacts/security-monitoring/local_security_policy.yml similarity index 65% rename from artifacts/security/local_security_policy.yml rename to artifacts/security-monitoring/local_security_policy.yml index dfcb2da..2747668 100644 --- a/artifacts/security/local_security_policy.yml +++ b/artifacts/security-monitoring/local_security_policy.yml @@ -1,5 +1,5 @@ title: "Local Security Policy Settings" -category: "security" +category: "security-monitoring" description: "Security policies, audit settings, user rights assignments, and Local Security Authority configuration" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Local Security Policy encompasses comprehensive security configuration including audit policies, - user rights assignments, security options, account policies, Local Security Authority (LSA) - settings, and system security behavior controls. Manages authentication requirements, password - policies, account lockout settings, privilege assignments, and security event logging - configuration for complete system security governance. + Local Security Policy encompasses comprehensive security configuration including audit policies, + user rights assignments, security options, account policies, Local Security Authority (LSA) + settings, and system security behavior controls. Manages authentication requirements and logging. forensic_value: | - Critical for detecting security policy modifications that facilitate attacks, privilege - escalation attempts, and evidence tampering through disabled auditing. Shows if attackers - weakened security settings to maintain persistence, disabled logging to hide activities, - or modified authentication requirements to bypass security controls. Essential for understanding - the security posture during incidents and identifying policy-based attack vectors. + Critical for detecting security policy modifications that facilitate attacks, privilege escalation + attempts, and evidence tampering through disabled auditing. Shows if attackers weakened security + settings to maintain persistence or disabled logging to hide activities. structure: | - Security policy data stored in binary format within the SECURITY registry hive. LSA - settings control authentication behavior, audit policies, and security options. Policies - registry contains user-level security restrictions and Group Policy enforcement settings. - Account policies include password requirements, lockout thresholds, and Kerberos settings. + Security policy data stored in binary format within the SECURITY registry hive. 
LSA settings + control authentication behavior, audit policies, and security options. Policies registry contains + user-level security restrictions and Group Policy enforcement settings. examples: - "AuditLogonEvents: 0 (Logon auditing disabled - potential evidence hiding)" @@ -52,6 +47,28 @@ details: - name: "Security Configuration Wizard" description: "Windows tool for security policy analysis and configuration" +limitations: + - "Security policy settings do NOT prove actual security events occurred" + - "Audit configuration doesn't indicate what events were successfully logged" + - "Password policy settings don't prove weak passwords are in use" + - "Authentication settings don't indicate successful authentication attacks" + - "Policy modifications may be legitimate administrative security adjustments" + - "LSA configuration doesn't prove credential harvesting occurred" + +correlation: + required_for_definitive_attack_proof: + - "Event logs showing successful attacks despite security policy settings" + - "Authentication logs confirming weak password exploitation" + - "Audit trail gaps correlating with disabled auditing periods" + - "Registry changes showing security policy modifications during attack windows" + - "Process execution logs showing privilege escalation using weakened policies" + + strengthens_evidence: + - "Event logs showing multiple failed authentication attempts during weak policy periods" + - "File system access logs showing unauthorized access during reduced security" + - "Network logs showing lateral movement during disabled auditing periods" + - "User activity logs showing suspicious behavior during security policy changes" + metadata: windows_versions: - "Windows NT" @@ -72,7 +89,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: @@ -80,6 +96,7 @@ metadata: - "incident-response" - "lateral-movement" - "malware-analysis" + - "anti-forensics" tags: - "security-policy" 
@@ -119,5 +136,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/malware/quarantine.yml b/artifacts/security-monitoring/malware_quarantine.yml similarity index 62% rename from artifacts/malware/quarantine.yml rename to artifacts/security-monitoring/malware_quarantine.yml index 0f62596..05f524e 100644 --- a/artifacts/malware/quarantine.yml +++ b/artifacts/security-monitoring/malware_quarantine.yml @@ -1,5 +1,5 @@ title: "Malware Quarantine and Detection History" -category: "malware" +category: "security-monitoring" description: "Anti-malware quarantine locations, detection history, threat signatures, and security incident tracking" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows anti-malware quarantine system maintains comprehensive records of detected threats, - quarantined files, malware signatures, threat classifications, detection timestamps, and - security incident tracking. Manages isolated malicious files, threat analysis results, - automatic response actions, and malware family identification for comprehensive endpoint - protection and forensic analysis capabilities. + Windows anti-malware quarantine system maintains records of detected threats, quarantined files, + malware signatures, threat classifications, and detection timestamps. Manages isolated malicious + files and automatic response actions for endpoint protection. forensic_value: | - Essential for malware incident analysis, threat timeline reconstruction, and understanding - attack vectors used against the system. Shows evidence of malware detection, quarantine - actions, threat persistence attempts, and security software effectiveness. Critical for - identifying attack campaigns, malware families, and establishing infection timelines. - Provides direct evidence of malicious activity and security response effectiveness. + Shows evidence of malware detection, quarantine actions, and threat persistence attempts. Critical + for identifying attack campaigns, malware families, and establishing infection timelines. Provides + direct evidence of malicious activity and security response effectiveness. structure: | - Quarantine entries contain threat identifiers, file locations, detection timestamps, threat - categories, and quarantine actions. ThreatIDDefaultAction maps threat identifiers to - automatic response behaviors. RemovalTools contains malware removal utility execution - history and specialized cleaning tool deployment information with binary threat data. + Quarantine entries contain threat identifiers, file locations, detection timestamps, and threat + categories. 
ThreatIDDefaultAction maps threat identifiers to automatic response behaviors. + RemovalTools contains malware removal utility execution history. examples: - "Quarantine\\{12345678-1234-5678-9abc-123456789abc}: Quarantined malware file" @@ -52,6 +47,28 @@ details: - name: "Threat Intelligence Platform" description: "Enterprise threat analysis and malware family identification tools" +limitations: + - "Quarantine records do NOT prove malware execution or successful compromise" + - "Detection events may be false positives flagging legitimate software" + - "Quarantine action doesn't indicate what damage malware may have caused" + - "Threat signatures can miss advanced or zero-day malware variants" + - "Detection timestamps show discovery, not initial infection or execution time" + - "Quarantined files may be inert or caught before becoming active" + +correlation: + required_for_definitive_compromise_proof: + - "Process execution logs showing malware launch before quarantine" + - "File system artifacts showing malware activity (files created, modified)" + - "Network logs showing malicious communication before detection" + - "Registry modifications made by malware before quarantine" + - "Event logs showing successful malware execution and system changes" + + strengthens_evidence: + - "AmCache or ShimCache entries showing malware file presence before quarantine" + - "UserAssist showing user interaction with malware before detection" + - "Browser downloads or email attachments containing the quarantined malware" + - "Scheduled tasks or registry persistence mechanisms created by malware" + metadata: windows_versions: - "Windows Vista" @@ -66,8 +83,7 @@ metadata: - "Windows Server 2019" - "Windows Server 2022" - introduced: "Windows Vista (Windows Defender)" - + introduced: "Windows Vista" criticality: "high" investigation_types: @@ -75,6 +91,7 @@ metadata: - "incident-response" - "timeline-analysis" - "behavioral-analysis" + - "anti-forensics" tags: - "malware" 
@@ -115,5 +132,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/performance_monitoring.yml b/artifacts/security-monitoring/performance_monitoring.yml similarity index 60% rename from artifacts/system/performance_monitoring.yml rename to artifacts/security-monitoring/performance_monitoring.yml index 35d2202..09d43db 100644 --- a/artifacts/system/performance_monitoring.yml +++ b/artifacts/security-monitoring/performance_monitoring.yml @@ -1,5 +1,5 @@ title: "Performance Monitoring and System Health" -category: "system" +category: "security-monitoring" description: "Performance counters, system monitoring, reliability tracking, and health assessment configuration" paths: 
@@ -10,26 +10,21 @@ paths: details: what: | - Windows Performance Toolkit configuration encompasses performance counter definitions, - system health monitoring, reliability tracking, performance data collection settings, - and monitoring service configurations. Controls system optimization metrics, performance - baseline establishment, and health tracking capabilities essential for system analysis - and troubleshooting in enterprise and forensic environments. + Windows Performance Toolkit configuration encompasses performance counter definitions, system + health monitoring, reliability tracking, performance data collection settings, and monitoring + service configurations. Controls system optimization metrics, performance baseline establishment, + and health tracking capabilities essential for system analysis and troubleshooting. forensic_value: | - Performance monitoring can be disabled to hide malicious activity that would cause - system performance degradation, shows system health indicators that may reveal compromise, - and provides baseline information for detecting anomalous system behavior. Reliability - data tracks application crashes and system failures that could indicate malware activity, - while disabled performance counters may suggest attempts to hide resource-intensive - malicious processes or cryptocurrency mining activities. + Performance monitoring can be disabled to hide malicious activity that would cause system + performance degradation, shows system health indicators that may reveal compromise, and provides + baseline information for detecting anomalous system behavior. Reliability data tracks application + crashes that could indicate malware activity. structure: | - Performance library configuration includes counter definitions with Last Counter and - Last Help values, provider registration for performance data sources, collection intervals, - and monitoring service settings. 
Reliability tracking maintains system stability metrics, - application crash data, and performance degradation indicators stored as various registry - data types including binary performance data structures. + Performance library configuration includes counter definitions with Last Counter and Last Help + values, provider registration for performance data sources, collection intervals, and monitoring + service settings. Reliability tracking maintains system stability metrics and application crash data. examples: - "Perflib\\Last Counter: 1846 (Latest performance counter identifier)" 
@@ -55,6 +50,28 @@ details: url: "https://docs.microsoft.com/en-us/windows-hardware/test/wpt/" description: "Windows Performance Toolkit for advanced system analysis" +limitations: + - "Performance monitoring configuration does NOT prove malicious activity occurred" + - "Disabled performance counters don't indicate malware was actively hiding" + - "System health metrics may be affected by legitimate system issues" + - "Configuration changes may be for legitimate system optimization" + - "Reliability data doesn't prove crashes were caused by malicious software" + - "Performance settings may be modified for operational rather than malicious reasons" + +correlation: + required_for_definitive_impact_proof: + - "Actual performance monitoring data showing system degradation during attack periods" + - "Event logs showing performance counter modifications and monitoring service changes" + - "Process execution logs showing resource-intensive malicious applications" + - "File system artifacts showing performance data collection and analysis results" + - "Registry changes showing performance configuration modifications during suspicious periods" + + strengthens_evidence: + - "System resource usage logs showing abnormal activity patterns" + - "Event logs showing application crashes and system instability" + - "Registry changes in related system monitoring configurations during attack timeframes" + - "File modifications in performance monitoring directories during configuration changes" + metadata: windows_versions: - "Windows NT" @@ -75,12 +92,12 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "low" investigation_types: - "malware-analysis" - "incident-response" + - "behavioral-analysis" tags: - "performance-monitoring" @@ -117,5 +134,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" 
diff --git a/artifacts/security/uac.yml b/artifacts/security-monitoring/uac.yml similarity index 56% rename from artifacts/security/uac.yml rename to artifacts/security-monitoring/uac.yml index 394b6a1..f988e3c 100644 --- a/artifacts/security/uac.yml +++ b/artifacts/security-monitoring/uac.yml @@ -1,5 +1,5 @@ title: "User Account Control (UAC) Configuration" -category: "security" +category: "security-monitoring" description: "UAC elevation policies, prompt behavior, and administrative approval mode settings" paths: 
@@ -9,24 +9,19 @@ paths: details: what: | - User Account Control (UAC) manages privilege elevation requests and administrative - approval mode for standard users and administrators. Registry controls prompt - behavior, elevation policies, secure desktop usage, and administrative token - filtering to prevent unauthorized privilege escalation and enhance system - security through controlled administrative access and user consent requirements. + User Account Control (UAC) manages privilege elevation requests and administrative approval mode + for standard users and administrators. Registry controls prompt behavior, elevation policies, + secure desktop usage, and administrative token filtering to prevent unauthorized privilege escalation. forensic_value: | - Critical for investigating privilege escalation attempts, UAC bypass techniques, - and unauthorized administrative access. Shows evidence of UAC policy modifications - that could weaken security, reveals attempts to disable security prompts, and + Critical for investigating privilege escalation attempts, UAC bypass techniques, and unauthorized + administrative access. Shows evidence of UAC policy modifications that could weaken security and indicates sophisticated attacks targeting Windows privilege control mechanisms. - Essential for detecting UAC bypass malware and administrative rights abuse. structure: | - UAC configuration includes EnableLUA (UAC enabled/disabled), ConsentPromptBehaviorAdmin - (admin prompt behavior), ConsentPromptBehaviorUser (standard user prompts), - PromptOnSecureDesktop (secure desktop usage), and EnableInstallerDetection - (installer privilege detection) for comprehensive privilege control analysis. + UAC configuration includes EnableLUA (UAC enabled/disabled), ConsentPromptBehaviorAdmin (admin + prompt behavior), ConsentPromptBehaviorUser (standard user prompts), PromptOnSecureDesktop + (secure desktop usage), and EnableInstallerDetection (installer privilege detection). 
examples: - "EnableLUA: 1 (UAC enabled)" @@ -46,6 +41,28 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "UAC configuration does NOT prove privilege escalation attacks occurred" + - "Disabled UAC settings don't indicate successful unauthorized elevation" + - "Policy modifications may be legitimate administrative security adjustments" + - "Prompt behavior settings don't prove bypass techniques were used" + - "Configuration changes don't indicate actual privilege abuse happened" + - "UAC settings may be enterprise-configured for operational requirements" + +correlation: + required_for_definitive_bypass_proof: + - "Event logs showing successful privilege escalation despite UAC settings" + - "Process execution logs showing elevated processes launched without proper authorization" + - "Registry changes showing unauthorized modifications during weakened UAC periods" + - "File system artifacts showing administrative operations performed by standard users" + - "Application logs showing successful bypass of UAC restrictions" + + strengthens_evidence: + - "Event logs showing UAC prompt suppression or bypass attempts" + - "Process execution with administrative privileges during UAC configuration changes" + - "Registry modifications in administrative areas during reduced UAC enforcement" + - "File system access to protected areas correlating with UAC setting changes" + metadata: windows_versions: - "Windows Vista" @@ -56,13 +73,13 @@ metadata: - "Windows 11" introduced: "Windows Vista" - criticality: "high" investigation_types: - "malware-analysis" - "incident-response" - "behavioral-analysis" + - "privilege-escalation" tags: - "uac" @@ -94,5 +111,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" 
diff --git a/artifacts/security/windows_defender_app_guard.yml b/artifacts/security-monitoring/windows_defender_app_guard.yml similarity index 57% rename from artifacts/security/windows_defender_app_guard.yml rename to artifacts/security-monitoring/windows_defender_app_guard.yml index 572bb5c..d01ff8c 100644 --- a/artifacts/security/windows_defender_app_guard.yml +++ b/artifacts/security-monitoring/windows_defender_app_guard.yml @@ -1,5 +1,5 @@ title: "Windows Defender Application Guard" -category: "security" +category: "security-monitoring" description: "Application Guard isolation, virtualization settings, and enterprise security configuration" paths: 
@@ -10,25 +10,19 @@ paths: details: what: | - Windows Defender Application Guard (WDAG) provides hardware-based isolation for - Microsoft Edge and Office applications using Hyper-V virtualization technology. - Registry manages isolation policies, virtualization settings, data persistence - rules, and enterprise configuration for protecting against advanced threats - through application-level containerization and secure browsing environments. + Windows Defender Application Guard (WDAG) provides hardware-based isolation for Microsoft Edge + and Office applications using Hyper-V virtualization technology. Registry manages isolation + policies, virtualization settings, data persistence rules, and enterprise configuration. forensic_value: | - Critical for investigating attempts to bypass enterprise security controls, - reveals configuration changes that could weaken isolation protections, shows - evidence of sophisticated attacks targeting virtualized environments, and - indicates potential security policy violations. Can reveal attempts to disable - security features or evidence of advanced persistent threats targeting - enterprise browser security mechanisms. + Critical for investigating attempts to bypass enterprise security controls, reveals configuration + changes that could weaken isolation protections, and shows evidence of sophisticated attacks + targeting virtualized environments. Can reveal attempts to disable security features. structure: | - WindowsApplicationGuard contains feature enablement settings, isolation policies, - and data persistence configuration. AppHVSI policy entries control enterprise - settings for clipboard access, file downloads, printing, and camera/microphone - usage within isolated environments. Service configuration manages virtualization components. + WindowsApplicationGuard contains feature enablement settings, isolation policies, and data + persistence configuration. 
AppHVSI policy entries control enterprise settings for clipboard + access, file downloads, printing, and camera/microphone usage within isolated environments. examples: - "Enabled: 1 (Application Guard enabled)" @@ -49,18 +43,40 @@ details: - name: "Hyper-V Manager" description: "Virtualization platform management for Application Guard" +limitations: + - "Application Guard configuration does NOT prove isolation bypass occurred" + - "Policy settings don't indicate successful security feature circumvention" + - "Configuration changes may be legitimate enterprise security adjustments" + - "Isolation settings don't prove malicious activity within containerized environments" + - "Virtualization configuration doesn't indicate actual threat protection effectiveness" + - "Enterprise policies may be modified for operational rather than malicious purposes" + +correlation: + required_for_definitive_bypass_proof: + - "Event logs showing successful isolation container escapes" + - "Process execution logs showing unauthorized access to host system from container" + - "Network traffic logs showing unauthorized communication from isolated environment" + - "File system artifacts showing data exfiltration from containerized applications" + - "Registry changes showing Application Guard policy modifications during attacks" + + strengthens_evidence: + - "Browser logs showing attempts to access restricted content during isolation" + - "Hyper-V event logs showing container creation and modification events" + - "File system access logs showing unauthorized file operations in isolation mode" + - "Network logs showing communication attempts blocked by Application Guard" + metadata: windows_versions: - "Windows 10" - "Windows 11" introduced: "Windows 10 Anniversary Update (1607)" - criticality: "high" investigation_types: - "incident-response" - "insider-threat" + - "malware-analysis" tags: - "application-guard" 
@@ -96,5 +112,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/security/windows_defender_security.yml b/artifacts/security-monitoring/windows_defender_security.yml similarity index 63% rename from artifacts/security/windows_defender_security.yml rename to artifacts/security-monitoring/windows_defender_security.yml index 1485481..44f8063 100644 --- a/artifacts/security/windows_defender_security.yml +++ b/artifacts/security-monitoring/windows_defender_security.yml @@ -1,5 +1,5 @@ title: "Windows Defender and Security Configuration" -category: "security" +category: "security-monitoring" description: "Windows Defender settings, exclusions, security policies, and threat protection configuration" paths: 
@@ -11,22 +11,19 @@ paths: details: what: | - Windows Defender (Windows Security) configuration including real-time protection - settings, scan exclusions, threat detection policies, User Account Control (UAC) - settings, and security feature states. Controls system security posture, malware - detection capabilities, and security policy enforcement mechanisms. + Windows Defender (Windows Security) configuration including real-time protection settings, + scan exclusions, threat detection policies, User Account Control (UAC) settings, and security + feature states. Controls system security posture and malware detection capabilities. forensic_value: | - Shows if security features were disabled to facilitate malware execution, - reveals exclusion paths that attackers may have added, and indicates - security policy modifications. Critical for understanding security bypass techniques, - identifying potential compromise indicators, and assessing security posture during incidents. + Shows if security features were disabled to facilitate malware execution, reveals exclusion + paths that attackers may have added, and indicates security policy modifications. Critical for + understanding security bypass techniques and assessing security posture during incidents. structure: | - Defender settings include DisableAntiSpyware, DisableRealtimeMonitoring, - scan exclusions, update configurations, and threat response settings. UAC settings - control elevation prompts and administrator approval mode. Binary policy data - controls feature enablement and security enforcement levels. + Defender settings include DisableAntiSpyware, DisableRealtimeMonitoring, scan exclusions, update + configurations, and threat response settings. UAC settings control elevation prompts and + administrator approval mode. Binary policy data controls feature enablement. examples: - "DisableAntiSpyware: 1 (Windows Defender disabled)" 
@@ -51,6 +48,28 @@ details: - name: "Windows Defender Configuration Analyzer" description: "Custom tools for security configuration assessment" +limitations: + - "Security settings do NOT prove malware execution or successful attacks occurred" + - "Disabled protection doesn't indicate actual threat exploitation happened" + - "Exclusion paths may be legitimate software compatibility requirements" + - "Configuration changes may be authorized administrative security adjustments" + - "Security policy modifications don't prove malicious activity took place" + - "UAC settings may be enterprise-configured for operational efficiency" + +correlation: + required_for_definitive_compromise_proof: + - "Event logs showing malware execution during disabled protection periods" + - "File system artifacts showing malware activity in excluded paths" + - "Process execution logs showing threats launched during weakened security" + - "Network traffic logs showing malicious communication during disabled monitoring" + - "Quarantine logs showing threats detected before security modifications" + + strengthens_evidence: + - "Registry changes showing security setting modifications during attack timeframes" + - "Event logs showing security feature disabling followed by suspicious activity" + - "File modifications in excluded directories during security policy changes" + - "Process execution with elevated privileges during UAC configuration changes" + metadata: windows_versions: - "Windows Vista" @@ -65,8 +84,7 @@ metadata: - "Windows Server 2019" - "Windows Server 2022" - introduced: "Windows Vista (as Windows Defender)" - + introduced: "Windows Vista" criticality: "high" investigation_types: @@ -74,6 +92,7 @@ metadata: - "incident-response" - "behavioral-analysis" - "persistence-analysis" + - "anti-forensics" tags: - "security" 
@@ -119,5 +138,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/security/windows_firewall.yml b/artifacts/security-monitoring/windows_firewall.yml similarity index 57% rename from artifacts/security/windows_firewall.yml rename to artifacts/security-monitoring/windows_firewall.yml index db029d5..8885141 100644 --- a/artifacts/security/windows_firewall.yml +++ b/artifacts/security-monitoring/windows_firewall.yml @@ -1,5 +1,5 @@ title: "Windows Firewall Advanced Rules and Exceptions" -category: "security" +category: "security-monitoring" description: "Detailed firewall rules, port exceptions, application permissions, and network security policies" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows Firewall Advanced Rules manage granular network traffic control including - application-specific permissions, port exceptions, protocol filtering, and profile-based - security policies. Registry stores detailed rule configurations, inbound/outbound - traffic permissions, network location-based profiles, and exception lists for - comprehensive network security management and threat protection. + Windows Firewall Advanced Rules manage granular network traffic control including application-specific + permissions, port exceptions, protocol filtering, and profile-based security policies. Registry + stores detailed rule configurations and inbound/outbound traffic permissions. forensic_value: | - Critical for investigating network-based attacks, unauthorized network access, - and malware communication attempts. Shows evidence of firewall rule modifications - that could enable data exfiltration, reveals custom exceptions that bypass security, - and indicates sophisticated attacks that modify network security policies. - Essential for analyzing network security bypasses and unauthorized communications. + Critical for investigating network-based attacks, unauthorized network access, and malware + communication attempts. Shows evidence of firewall rule modifications that could enable data + exfiltration, reveals custom exceptions that bypass security, and indicates sophisticated attacks. structure: | - FirewallRules contain pipe-delimited rule definitions including direction (In/Out), - action (Allow/Block), protocol, local/remote ports, application paths, and profiles. - Profile-specific configurations control firewall behavior for domain, private, - and public networks with different security postures and rule enforcement levels. + FirewallRules contain pipe-delimited rule definitions including direction (In/Out), action + (Allow/Block), protocol, local/remote ports, application paths, and profiles. 
Profile-specific + configurations control firewall behavior for domain, private, and public networks. examples: - "Rule: v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=80|App=C:\\Program Files\\App\\app.exe" @@ -48,6 +43,28 @@ details: - name: "Windows Firewall Analysis Tools" description: "Third-party tools for firewall rule analysis and audit" +limitations: + - "Firewall rules do NOT prove network communication actually occurred" + - "Exception rules don't indicate successful data transmission or exfiltration" + - "Rule modifications may be legitimate network configuration changes" + - "Application permissions don't prove malicious network activity happened" + - "Disabled firewall settings don't prove unauthorized network access occurred" + - "Port exceptions may be required for legitimate business applications" + +correlation: + required_for_definitive_communication_proof: + - "Network traffic logs showing actual data transmission through firewall exceptions" + - "Event logs showing successful network connections using allowed rules" + - "Process execution logs showing applications utilizing firewall permissions" + - "File system artifacts showing data received or transmitted through firewall rules" + - "Application logs showing successful network operations through configured exceptions" + + strengthens_evidence: + - "Registry changes showing firewall rule modifications during suspicious timeframes" + - "Network interface logs showing traffic matching configured firewall rules" + - "Event logs showing firewall rule triggering during network activity" + - "Process execution with network access correlating to firewall exception usage" + metadata: windows_versions: - "Windows Vista" 
@@ -57,14 +74,14 @@ metadata: - "Windows 10" - "Windows 11" - introduced: "Windows Vista (Advanced Firewall)" - + introduced: "Windows Vista" criticality: "high" investigation_types: - "malware-analysis" - "incident-response" - "behavioral-analysis" + - "data-exfiltration" tags: - "firewall" @@ -96,5 +113,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/security_center.yml b/artifacts/security-monitoring/windows_security_center.yml similarity index 62% rename from artifacts/system/security_center.yml rename to artifacts/security-monitoring/windows_security_center.yml index 16b2764..cba9375 100644 --- a/artifacts/system/security_center.yml +++ b/artifacts/security-monitoring/windows_security_center.yml @@ -1,5 +1,5 @@ title: "Windows Security Center Configuration" -category: "system" +category: "security-monitoring" description: "Security Center monitoring, security provider registration, and notification management" paths: 
@@ -10,25 +10,22 @@ paths: details: what: | - Windows Security Center provides centralized monitoring and reporting of security status - including firewall, antivirus, anti-spyware, and update status. Manages security provider - registration, user notification settings, security status aggregation, and health monitoring - for comprehensive system security oversight. Controls security warning displays and - provider integration for enterprise and standalone systems. + Windows Security Center provides centralized monitoring and reporting of security status + including firewall, antivirus, anti-spyware, and update status. Manages security provider + registration, user notification settings, security status aggregation, and health monitoring + for comprehensive system security oversight. forensic_value: | - Critical for identifying attempts to hide security status from users, reveals disabled - security notifications that may indicate compromise, shows registered security providers - that could be malicious software, and indicates security policy modifications designed - to suppress security warnings. Attackers often disable Security Center notifications + Critical for identifying attempts to hide security status from users, reveals disabled + security notifications that may indicate compromise, and shows registered security providers + that could be malicious software. Attackers often disable Security Center notifications to prevent users from discovering security software disabling or malware presence. structure: | - Security Center configuration includes monitoring settings for individual security - categories, provider registration data with capabilities and status information, - notification policies, and user interface control settings. Provider information - stored with GUIDs, product names, and security service capabilities including - antivirus, firewall, and anti-spyware functionality definitions. 
+ Security Center configuration includes monitoring settings for individual security categories, + provider registration data with capabilities and status information, notification policies, + and user interface control settings. Provider information stored with GUIDs, product names, + and security service capabilities. examples: - "SecurityCenter\\DisableNotifications: 1 (All notifications suppressed)" 
@@ -53,9 +50,31 @@ details: - name: "Group Policy Editor (gpedit.msc)" description: "Policy management for Security Center configuration" +limitations: + - "Security Center configuration does NOT prove security bypass attacks occurred" + - "Disabled notifications don't indicate actual security software was compromised" + - "Provider registration may include legitimate enterprise security tools" + - "Configuration changes may be authorized administrative security adjustments" + - "Suppressed warnings don't prove malicious activity was successfully hidden" + - "Security status overrides may be for legitimate operational requirements" + +correlation: + required_for_definitive_compromise_proof: + - "Event logs showing actual security software disabling or malware execution" + - "File system artifacts showing malicious software activity during disabled monitoring" + - "Process execution logs showing security software tampering or malware execution" + - "Registry changes showing security configuration modifications during attack periods" + - "Application logs showing security provider failures or malicious registration" + + strengthens_evidence: + - "Event logs showing security status changes correlating with suspicious activity" + - "Registry changes in security software configurations during notification disabling" + - "File modifications in security provider directories during provider registration changes" + - "Network logs showing malware communication during disabled security monitoring" + metadata: windows_versions: - - "Windows XP SP2" + - "Windows XP" - "Windows Vista" - "Windows 7" - "Windows 8" @@ -70,7 +89,6 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "medium" investigation_types: @@ -78,6 +96,7 @@ metadata: - "lateral-movement" - "malware-analysis" - "incident-response" + - "anti-forensics" tags: - "security-center" 
@@ -114,5 +133,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/security/explorer_policies.yml b/artifacts/security-monitoring/windwos_explorer_policies.yml similarity index 67% rename from artifacts/security/explorer_policies.yml rename to artifacts/security-monitoring/windwos_explorer_policies.yml index a886cef..ac0f4e7 100644 --- a/artifacts/security/explorer_policies.yml +++ b/artifacts/security-monitoring/windwos_explorer_policies.yml @@ -1,5 +1,5 @@ title: "Windows Explorer Policies and Restrictions" -category: "security" +category: "security-monitoring" description: "Explorer restrictions, folder access policies, user interface limitations, and administrative controls" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows Explorer policy framework controls user interface restrictions, folder access permissions, - desktop limitations, shell behavior modifications, and administrative security controls. Manages - Group Policy enforcement for Explorer functionality, file system access restrictions, and - user interface element visibility. Provides comprehensive control over user interaction - capabilities with the Windows shell and file system navigation. + Windows Explorer policy framework controls user interface restrictions, folder access permissions, + desktop limitations, shell behavior modifications, and administrative security controls. Manages + Group Policy enforcement for Explorer functionality and file system access restrictions. forensic_value: | - Critical for investigating administrative security bypass attempts, policy modifications that - facilitate unauthorized access, and evidence of system restrictions being circumvented. Shows - if attackers disabled security controls to hide malicious activity, modified user interface - restrictions to access administrative tools, or bypassed folder access limitations to reach - sensitive data. Essential for understanding security posture during incidents. + Critical for investigating administrative security bypass attempts, policy modifications that + facilitate unauthorized access, and evidence of system restrictions being circumvented. Shows + if attackers disabled security controls to hide malicious activity or modified restrictions. structure: | - Policy values stored as REG_DWORD entries controlling specific Explorer restrictions and - behaviors. Common policies include NoRun (disable Run dialog), NoControlPanel (hide Control Panel), - NoDesktop (disable desktop), NoFileMenu (disable File menu), and folder access restrictions. - Advanced settings control file system behavior, hidden file visibility, and extension display. 
+ Policy values stored as REG_DWORD entries controlling specific Explorer restrictions and behaviors. + Common policies include NoRun (disable Run dialog), NoControlPanel (hide Control Panel), and + folder access restrictions. Advanced settings control file system behavior. examples: - "NoRun: 1 (Run dialog disabled - restricts command execution)" @@ -38,7 +33,7 @@ details: - "HideFileExt: 0 (Show file extensions - security enhancement)" - "NoFolderOptions: 1 (Folder Options access disabled)" - "RestrictRun: 1 (Restrict specific executable execution)" - + tools: - name: "Group Policy Editor (gpedit.msc)" description: "Built-in Windows Group Policy management interface" 
@@ -52,6 +47,28 @@ details: - name: "PolicyAnalyzer" description: "Third-party tools for comprehensive Group Policy analysis" +limitations: + - "Policy settings do NOT prove security bypass attempts occurred" + - "Restriction modifications may be legitimate administrative changes" + - "Explorer limitations don't indicate successful policy circumvention" + - "Interface restrictions don't prove unauthorized access happened" + - "Policy enforcement may have legitimate business or security justifications" + - "Setting modifications don't indicate malicious intent or compromise" + +correlation: + required_for_definitive_bypass_proof: + - "Event logs showing unauthorized access despite policy restrictions" + - "Process execution logs showing restricted applications launched successfully" + - "File system artifacts showing access to restricted folders or files" + - "Registry changes showing policy modifications during suspicious timeframes" + - "Application logs showing successful operations despite interface restrictions" + + strengthens_evidence: + - "User activity logs showing attempts to access restricted functionality" + - "Registry changes in other security settings during policy modification periods" + - "Event logs showing Group Policy refresh attempts during restriction changes" + - "File modifications in system areas despite access restrictions" + metadata: windows_versions: - "Windows 95" @@ -73,13 +90,13 @@ metadata: - "Windows Server 2022" introduced: "Windows 95" - criticality: "medium" investigation_types: - "insider-threat" - "lateral-movement" - "behavioral-analysis" + - "privilege-escalation" tags: - "security" @@ -119,5 +136,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" 
diff --git a/artifacts/system/applocker_policies.yml b/artifacts/system-modifications/applocker_policies.yml similarity index 65% rename from artifacts/system/applocker_policies.yml rename to artifacts/system-modifications/applocker_policies.yml index 9b67c47..27097f0 100644 --- a/artifacts/system/applocker_policies.yml +++ b/artifacts/system-modifications/applocker_policies.yml @@ -1,5 +1,5 @@ title: "AppLocker Application Control Policies" -category: "system" +category: "system-modifications" description: "Advanced application whitelisting rules, execution control policies, and security bypass detection" paths: 
@@ -9,23 +9,20 @@ paths: details: what: | - AppLocker provides advanced application control policies that replace Software Restriction Policies - in modern Windows environments. Creates sophisticated whitelisting rules based on publisher signatures, - file paths, file hashes, and application packages. Controls execution of executables, scripts, - Windows Installer files, DLLs, and packaged applications with granular policy enforcement. + AppLocker provides advanced application control policies that replace Software Restriction Policies + in modern Windows environments. Creates sophisticated whitelisting rules based on publisher signatures, + file paths, file hashes, and application packages. Controls execution of executables, scripts, + Windows Installer files, DLLs, and packaged applications. forensic_value: | - Critical for identifying security policy bypass attempts, unauthorized application execution, - and sophisticated attack techniques that circumvent application controls. Shows evidence of - policy modifications that enable malware execution, reveals authorized application lists that - may indicate system purpose, and provides insight into administrative security posture. - Essential for detecting advanced persistent threats that modify security policies for persistence. + Critical for identifying security policy bypass attempts, unauthorized application execution, + and sophisticated attack techniques that circumvent application controls. Shows evidence of + policy modifications that enable malware execution and reveals authorized application lists. structure: | - SrpV2 registry contains rule collections organized by file type (Exe, Msi, Script, Dll, Appx) - with XML policy data defining allow/deny rules. Each rule collection includes enforcement mode, - rule conditions (publisher, path, hash), and exception handling. Policy data stored as - REG_SZ XML format with digital signatures for integrity verification. 
+ SrpV2 registry contains rule collections organized by file type (Exe, Msi, Script, Dll, Appx) + with XML policy data defining allow/deny rules. Each rule collection includes enforcement mode, + rule conditions (publisher, path, hash), and exception handling stored as REG_SZ XML format. examples: - "Exe\\Policy: " @@ -48,6 +45,28 @@ details: - name: "AppLocker Policy Analyzer" description: "Third-party tools for AppLocker policy assessment" +limitations: + - "AppLocker policies do NOT prove bypass attempts or security violations occurred" + - "Rule configurations don't indicate actual application execution or blocking events" + - "Policy modifications may be legitimate administrative security adjustments" + - "Enforcement mode settings don't prove unauthorized applications were executed" + - "Exception rules may be required for legitimate business applications" + - "Policy presence doesn't indicate actual effectiveness or compliance" + +correlation: + required_for_definitive_bypass_proof: + - "Event logs showing blocked or allowed application execution events" + - "Process execution logs showing unauthorized applications running despite policies" + - "Application logs showing successful execution of applications outside policy rules" + - "File system artifacts showing unauthorized applications executed in restricted environments" + - "Registry changes showing policy modifications during suspicious activity periods" + + strengthens_evidence: + - "Event logs showing AppLocker rule triggering during execution attempts" + - "Policy change logs showing rule modifications correlating with attack timelines" + - "Process execution showing applications launched through policy bypass techniques" + - "File system access showing unauthorized application installation attempts" + metadata: windows_versions: - "Windows 7" 
@@ -62,13 +81,13 @@ metadata: - "Windows Server 2022" introduced: "Windows 7" - criticality: "high" investigation_types: - "malware-analysis" - "privilege-escalation" - "incident-response" + - "anti-forensics" tags: - "applocker" @@ -105,5 +124,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/boot_configuration.yml b/artifacts/system-modifications/boot_configuration.yml similarity index 60% rename from artifacts/system/boot_configuration.yml rename to artifacts/system-modifications/boot_configuration.yml index 0ce2729..5c3dcb7 100644 --- a/artifacts/system/boot_configuration.yml +++ b/artifacts/system-modifications/boot_configuration.yml @@ -1,5 +1,5 @@ title: "Boot Configuration and Startup Settings" -category: "system" +category: "system-modifications" description: "System boot configuration, safe mode settings, BCD entries, and startup recovery options" paths: 
@@ -10,23 +10,21 @@ paths: details: what: | - Windows boot configuration encompasses safe mode settings, Boot Configuration Data (BCD) registry - entries, session manager configuration, crash control settings, and startup options that control - system initialization behavior. Manages boot menu options, recovery settings, safe mode driver - loading, and system startup troubleshooting capabilities for comprehensive boot process control. + Windows boot configuration encompasses safe mode settings, Boot Configuration Data (BCD) + registry entries, session manager configuration, crash control settings, and startup options + that control system initialization behavior. Manages boot menu options, recovery settings, + and safe mode driver loading. forensic_value: | - Reveals if system was booted in safe mode to evade security software, shows boot configuration - changes indicating system tampering or recovery attempts, provides evidence of system modifications - that affect startup behavior, and indicates attempts to disable security features through boot - parameter manipulation. Critical for understanding system state during incidents and detecting - boot-level persistence mechanisms or evasion techniques. + Reveals if system was booted in safe mode to evade security software, shows boot configuration + changes indicating system tampering or recovery attempts, and indicates attempts to disable + security features through boot parameter manipulation. Critical for understanding system state + during incidents. structure: | - SafeBoot contains Minimal and Network subkeys with drivers and services that load in safe mode. - Session Manager includes BootExecute (boot-time programs), GlobalFlag (debugging options), and - CriticalDeviceTimeout settings. BCD entries control boot menu options, recovery settings, and - boot parameters stored as binary data with specific formatting requirements. 
+ SafeBoot contains Minimal and Network subkeys with drivers and services that load in safe mode. + Session Manager includes BootExecute (boot-time programs), GlobalFlag (debugging options), and + CriticalDeviceTimeout settings. BCD entries control boot menu options stored as binary data. examples: - "SafeBoot\\Minimal\\{36FC9E60-C465-11CF-8056-444553540000}: Universal Plug and Play" @@ -51,6 +49,28 @@ details: - name: "Advanced Boot Options" description: "Windows built-in boot menu for troubleshooting" +limitations: + - "Boot configuration does NOT prove system was actually booted in safe mode" + - "Safe mode settings don't indicate what activities occurred during safe mode boot" + - "BCD modifications may be legitimate system recovery or maintenance changes" + - "Crash control settings don't prove actual system crashes or memory dumps occurred" + - "Boot parameter changes may be for troubleshooting rather than malicious purposes" + - "Session manager settings don't indicate actual boot execution results" + +correlation: + required_for_definitive_boot_evidence: + - "Event logs showing safe mode boot events and startup service loading" + - "System logs confirming actual boot mode used during suspicious periods" + - "File system artifacts showing activity performed during safe mode sessions" + - "Registry changes showing configuration modifications during boot or safe mode" + - "Process execution logs showing applications launched during safe mode operation" + + strengthens_evidence: + - "Boot sector analysis showing configuration changes at disk level" + - "Event logs showing boot configuration modifications and their timestamps" + - "File modifications in boot directories during configuration change periods" + - "Registry changes in other system areas during boot parameter modifications" + metadata: windows_versions: - "Windows Vista" 
@@ -65,8 +85,7 @@ metadata: - "Windows Server 2019" - "Windows Server 2022" - introduced: "Windows Vista (BCD system)" - + introduced: "Windows Vista" criticality: "medium" investigation_types: @@ -74,6 +93,7 @@ metadata: - "malware-analysis" - "lateral-movement" - "privilege-escalation" + - "anti-forensics" tags: - "boot-configuration" @@ -110,5 +130,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/computer_name.yml b/artifacts/system-modifications/computer_name.yml similarity index 65% rename from artifacts/system/computer_name.yml rename to artifacts/system-modifications/computer_name.yml index 82ea06d..2bfdca3 100644 --- a/artifacts/system/computer_name.yml +++ b/artifacts/system-modifications/computer_name.yml @@ -1,5 +1,5 @@ title: "Computer Name and Domain Information" -category: "system" +category: "system-modifications" description: "System hostname, domain membership, workgroup settings, and network identification parameters" paths: 
@@ -10,24 +10,20 @@ paths: details: what: | - Windows computer identification information encompasses hostname configuration, NetBIOS name - settings, domain membership status, workgroup assignments, DNS hostname configuration, and - network identification parameters essential for network communication, authentication, and - resource access. Manages both current and pending computer name changes with proper - reboot handling for seamless network identity management. + Windows computer identification information encompasses hostname configuration, NetBIOS name + settings, domain membership status, workgroup assignments, DNS hostname configuration, and + network identification parameters essential for network communication and authentication. forensic_value: | - Essential for system identification in network environments, correlating with Active Directory - logs, network traffic analysis, and establishing system role in enterprise infrastructure. - Computer naming patterns may reveal organizational structure, system purpose, geographic - location, or administrative conventions. Critical for linking registry artifacts to specific - systems in multi-computer investigations and network forensic analysis. + Essential for system identification in network environments, correlating with Active Directory + logs, and network traffic analysis. Computer naming patterns may reveal organizational structure, + system purpose, geographic location, or administrative conventions. Critical for linking registry + artifacts to specific systems in multi-computer investigations. structure: | - ComputerName registry key contains current and active computer names, domain membership - information, and pending name changes. Tcpip Parameters include DNS hostname, domain - suffix, and network identification settings. Winlogon contains domain authentication - and default domain information stored as REG_SZ values with Unicode string formatting. 
+ ComputerName registry key contains current and active computer names, domain membership + information, and pending name changes. Tcpip Parameters include DNS hostname, domain suffix, + and network identification settings. Winlogon contains domain authentication information. examples: - "ComputerName: DESKTOP-ABC123 (Default Windows 10 naming pattern)" @@ -51,6 +47,28 @@ details: - name: "Computer Management Console" description: "Windows administrative tool for system identification and management" +limitations: + - "Computer name configuration does NOT prove network communication occurred" + - "Domain membership settings don't indicate actual network access or authentication" + - "Hostname configuration doesn't prove system was actively used on the network" + - "DNS settings don't indicate actual DNS queries or network traffic" + - "Network identification may be configured but network interfaces could be disabled" + - "Domain authentication settings don't prove successful domain logons occurred" + +correlation: + required_for_definitive_network_activity_proof: + - "Network traffic logs showing actual communication using the configured hostname" + - "Event logs showing domain authentication and network access events" + - "DNS query logs showing hostname resolution and network activity" + - "Active Directory logs showing computer account authentication" + - "File server logs showing network file access from the identified computer" + + strengthens_evidence: + - "Network interface configuration showing active network connections" + - "Event logs showing successful domain logons using computer credentials" + - "Registry changes showing network configuration during investigation periods" + - "File system artifacts showing network resource access" + metadata: windows_versions: - "Windows NT" @@ -71,7 +89,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "low" investigation_types: 
@@ -114,5 +131,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/device_install_policies.yml b/artifacts/system-modifications/device_install_policies.yml similarity index 69% rename from artifacts/system/device_install_policies.yml rename to artifacts/system-modifications/device_install_policies.yml index 903086c..bba690c 100644 --- a/artifacts/system/device_install_policies.yml +++ b/artifacts/system-modifications/device_install_policies.yml @@ -1,5 +1,5 @@ title: "Device Installation Policies and Hardware Restrictions" -category: "system" +category: "system-modifications" description: "Group Policy device installation controls, hardware restriction policies, and USB/removable media security settings" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - Device Installation Policies provide enterprise-level control over hardware device installation, - removable storage access, and peripheral connectivity through Group Policy enforcement. - Manages device class restrictions, vendor/product ID filtering, installation privileges, - removable media access controls, and hardware security policies for comprehensive endpoint - device management and data loss prevention. + Device Installation Policies provide enterprise-level control over hardware device installation, + removable storage access, and peripheral connectivity through Group Policy enforcement. Manages + device class restrictions, vendor/product ID filtering, and removable media access controls + for comprehensive endpoint device management. forensic_value: | - Critical for investigating data exfiltration attempts through unauthorized devices, policy - bypass techniques, and insider threat activities involving removable storage. Shows if - device restrictions were disabled to enable unauthorized hardware usage, reveals attempts - to circumvent security policies, and indicates administrative changes that facilitate - data theft. Essential for understanding device access capabilities during security incidents. + Critical for investigating data exfiltration attempts through unauthorized devices, policy + bypass techniques, and insider threat activities involving removable storage. Shows if device + restrictions were disabled to enable unauthorized hardware usage and reveals attempts to + circumvent security policies. structure: | - Device installation restrictions include AllowDeviceClasses (permitted device types), - DenyDeviceClasses (blocked device categories), AllowDeviceIDs (specific device permissions), - DenyDeviceIDs (blocked device identifiers), and RemovableStorageDevices policies controlling - USB drives, optical media, and external storage access with granular read/write permissions. 
+ Device installation restrictions include AllowDeviceClasses (permitted device types), + DenyDeviceClasses (blocked device categories), AllowDeviceIDs (specific device permissions), + DenyDeviceIDs (blocked device identifiers), and RemovableStorageDevices policies controlling + USB drives and external storage access. examples: - "DenyDeviceClasses\\\\{f2f1b1b1-b1b1-b1b1-b1b1-b1b1b1b1b1b1}: Block USB Mass Storage" @@ -52,6 +50,28 @@ details: - name: "Device Installation Policy Analyzer" description: "Third-party tools for analyzing device restriction configurations" +limitations: + - "Device installation policies do NOT prove unauthorized device usage occurred" + - "Restriction configurations don't indicate actual device installation attempts" + - "Policy modifications may be legitimate administrative security adjustments" + - "Device access controls don't prove data exfiltration or unauthorized transfer" + - "USB restrictions may be bypassed through other connection methods" + - "Policy enforcement depends on active Group Policy application" + +correlation: + required_for_definitive_violation_proof: + - "Event logs showing device installation attempts and policy enforcement results" + - "USB device connection logs showing actual hardware usage despite restrictions" + - "File system artifacts showing data transfer to/from restricted devices" + - "Registry changes showing policy modifications during suspicious periods" + - "Application logs showing device access attempts and policy violations" + + strengthens_evidence: + - "Device manager logs showing installation attempts and blocking events" + - "Group Policy event logs showing policy application and enforcement" + - "Registry changes in device enumeration during policy modification periods" + - "File modifications indicating device driver installation attempts" + metadata: windows_versions: - "Windows Vista" 
@@ -67,7 +87,6 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - criticality: "high" investigation_types: @@ -119,5 +138,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/error_reporting.yml b/artifacts/system-modifications/error_reporting.yml similarity index 62% rename from artifacts/system/error_reporting.yml rename to artifacts/system-modifications/error_reporting.yml index 26f5464..2afaba8 100644 --- a/artifacts/system/error_reporting.yml +++ b/artifacts/system-modifications/error_reporting.yml @@ -1,5 +1,5 @@ title: "Windows Error Reporting Configuration" -category: "system" +category: "system-modifications" description: "Error reporting settings, crash dump configuration, debugging options, and failure analysis" paths: 
@@ -10,24 +10,20 @@ paths: details: what: | - Windows Error Reporting (WER) service collects and manages crash data, system errors, - application failures, and debugging information for analysis and troubleshooting. Configuration - includes crash dump settings, report destinations, disabled applications, automatic restart - behavior, and debugging options. Manages integration with Microsoft crash analysis services - and local crash dump storage for comprehensive failure analysis and system stability monitoring. + Windows Error Reporting (WER) service collects and manages crash data, system errors, application + failures, and debugging information for analysis and troubleshooting. Configuration includes + crash dump settings, report destinations, disabled applications, automatic restart behavior, + and debugging options. forensic_value: | - Critical for forensic investigations as attackers often disable error reporting to hide - evidence of crashes caused by malicious software exploitation attempts. Shows if crash - dumps were disabled to prevent memory analysis, reveals crash dump locations containing - potential forensic evidence, and indicates system stability issues that may result from - malware activity. Essential for identifying exploitation attempts and recovering crash artifacts. + Critical for forensic investigations as attackers often disable error reporting to hide evidence + of crashes caused by malicious software exploitation attempts. Shows if crash dumps were disabled + to prevent memory analysis and reveals crash dump locations containing potential forensic evidence. structure: | - WER configuration includes Disabled (global enable/disable), LocalDumps registry containing - application-specific dump settings, CrashDumpEnabled controlling kernel dump creation, - and DumpFolder specifying crash dump storage locations. Policy settings override user - configurations with enterprise-level crash reporting controls and privacy settings. 
+ WER configuration includes Disabled (global enable/disable), LocalDumps registry containing + application-specific dump settings, CrashDumpEnabled controlling kernel dump creation, and + DumpFolder specifying crash dump storage locations. Policy settings override user configurations. examples: - "Disabled: 1 (Windows Error Reporting completely disabled)" @@ -54,6 +50,28 @@ details: url: "https://www.nirsoft.net/utils/blue_screen_view.html" description: "Blue screen crash dump analyzer and viewer" +limitations: + - "Error reporting configuration does NOT prove system crashes or exploitation occurred" + - "Disabled error reporting doesn't indicate malicious activity caused the changes" + - "Crash dump settings don't prove crash dumps were actually created" + - "Configuration changes may be legitimate administrative system optimization" + - "Memory dump settings don't indicate forensic evidence exists in dump files" + - "Debugging configuration may be for legitimate development or troubleshooting purposes" + +correlation: + required_for_definitive_crash_evidence: + - "Actual crash dump files created during system or application failures" + - "Event logs showing crash events and error reporting service activity" + - "File system artifacts showing crash dump creation and modification times" + - "Memory analysis of crash dumps revealing exploitation or malicious activity" + - "Application logs showing errors and failures during suspicious periods" + + strengthens_evidence: + - "Registry changes showing error reporting modifications during attack timeframes" + - "Event logs showing system instability correlating with malicious activity" + - "File modifications in crash dump directories during investigation periods" + - "Process execution logs showing applications crashing during exploitation attempts" + metadata: windows_versions: - "Windows XP" 
@@ -71,12 +89,12 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "medium" investigation_types: - "incident-response" - "malware-analysis" + - "anti-forensics" tags: - "error-reporting" @@ -116,5 +134,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/file_associations.yml b/artifacts/system-modifications/file_type_associations.yml similarity index 67% rename from artifacts/system/file_associations.yml rename to artifacts/system-modifications/file_type_associations.yml index fb4a29a..f491784 100644 --- a/artifacts/system/file_associations.yml +++ b/artifacts/system-modifications/file_type_associations.yml @@ -1,5 +1,5 @@ title: "File Type Associations and Default Programs" -category: "system" +category: "system-modifications" description: "File extension mappings to applications, default program settings, and shell action configurations" paths: 
@@ -11,23 +11,22 @@ paths: details: what: | - Windows maintains comprehensive file type associations that determine which applications handle - specific file extensions, define shell actions (Open, Edit, Print), specify icon locations, - set command line parameters for execution, and control file handling behavior. Includes both - system-wide associations and user-specific overrides for customized file handling preferences. + Windows maintains comprehensive file type associations that determine which applications handle + specific file extensions, define shell actions (Open, Edit, Print), specify icon locations, + and set command line parameters for execution. Includes both system-wide associations and + user-specific overrides. forensic_value: | - Critical for understanding file execution methods and potential malware persistence mechanisms. - Shows how files are launched, can reveal hijacked file associations used by malware for persistence, - indicates unauthorized changes to default programs, and provides evidence of attempts to disguise - malicious files through association manipulation. Essential for analyzing execution paths and - identifying security compromises through file handling modifications. + Critical for understanding file execution methods and potential malware persistence mechanisms. + Shows how files are launched, can reveal hijacked file associations used by malware for persistence, + and indicates unauthorized changes to default programs. Essential for analyzing execution paths + and identifying security compromises. structure: | - File extensions stored as registry keys (.exe, .txt, .pdf) pointing to ProgID class identifiers. - ProgID classes contain shell command definitions, icon paths, application details, and supported - actions. Default values specify handling applications, with shell\\open\\command containing - execution strings with command line parameters and file placeholders (%1, %* for arguments). 
+ File extensions stored as registry keys (.exe, .txt, .pdf) pointing to ProgID class identifiers. + ProgID classes contain shell command definitions, icon paths, application details, and supported + actions. Default values specify handling applications, with shell\\open\\command containing + execution strings. examples: - ".exe\\(Default): exefile (Executable file type identifier)" @@ -38,7 +37,7 @@ details: - "Hijacked Association: .txt\\shell\\open\\command: C:\\malware\\backdoor.exe %1" - ".lnk\\(Default): lnkfile (Shortcut file handler)" - "Unknown\\shell\\open\\command: %SystemRoot%\\system32\\rundll32.exe" - + tools: - name: "FileTypesMan" url: "https://www.nirsoft.net/utils/file_types_manager.html" 
@@ -57,6 +56,28 @@ details: url: "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns" description: "Shows file association abuse for persistence" +limitations: + - "File association configuration does NOT prove malicious file execution occurred" + - "Hijacked associations don't indicate successful exploitation or persistence" + - "Association modifications may be legitimate software installation changes" + - "Default program settings don't prove files were actually opened" + - "Shell command modifications may be for legitimate application upgrades" + - "ProgID changes don't indicate malicious activity was successful" + +correlation: + required_for_definitive_hijacking_proof: + - "Process execution logs showing malicious applications launched via hijacked associations" + - "File system artifacts showing malicious files executed through association abuse" + - "Event logs showing successful execution of hijacked file handlers" + - "Registry changes showing association modifications during attack timeframes" + - "Application logs showing unexpected programs handling specific file types" + + strengthens_evidence: + - "File modifications showing malicious applications installed during association changes" + - "Event logs showing file operations triggering hijacked associations" + - "Registry changes in related startup locations during file association modifications" + - "Process execution showing persistence achieved through association abuse" + metadata: windows_versions: - "Windows 95" @@ -76,7 +97,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 95" - criticality: "high" investigation_types: @@ -124,5 +144,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" 
diff --git a/artifacts/system/hardware_devices.yml b/artifacts/system-modifications/hardware_devices.yml similarity index 68% rename from artifacts/system/hardware_devices.yml rename to artifacts/system-modifications/hardware_devices.yml index c484685..ce3b969 100644 --- a/artifacts/system/hardware_devices.yml +++ b/artifacts/system-modifications/hardware_devices.yml @@ -1,5 +1,5 @@ title: "Hardware Devices and Driver Information" -category: "system" +category: "system-modifications" description: "Complete hardware device enumeration, driver information, and device configuration data" paths: 
@@ -10,23 +10,21 @@ paths: details: what: | - Windows maintains comprehensive hardware device information including complete device enumeration - data, installed device drivers, hardware capabilities, device properties, configuration settings, - and system hardware inventory. Tracks all system components including CPUs, storage devices, - network adapters, USB devices, audio equipment, and specialized hardware for complete system profiling. + Windows maintains comprehensive hardware device information including complete device enumeration + data, installed device drivers, hardware capabilities, device properties, configuration settings, + and system hardware inventory. Tracks all system components including CPUs, storage devices, + network adapters, USB devices, and audio equipment. forensic_value: | - Provides essential hardware inventory for system identification, baseline establishment, and - investigation correlation. Shows connected external devices that may have been used for data - transfer or evidence destruction, reveals specialized hardware that could indicate system purpose - or user activities, and identifies hardware changes that might indicate tampering or unauthorized - modifications. Critical for USB device tracking, network adapter analysis, and system capability assessment. + Provides essential hardware inventory for system identification, baseline establishment, and + investigation correlation. Shows connected external devices that may have been used for data + transfer or evidence destruction, reveals specialized hardware that could indicate system purpose, + and identifies hardware changes that might indicate tampering. structure: | - Device enumeration organized hierarchically by bus type (PCI, USB, IDE, ACPI, etc.) with unique - device instance identifiers. 
Each device contains DeviceDesc (description), HardwareID (vendor/product), - Service (driver), LocationInformation (physical location), Capabilities (device features), and - ConfigFlags (configuration status). Class GUIDs organize devices by functionality with driver information. + Device enumeration organized hierarchically by bus type (PCI, USB, IDE, ACPI, etc.) with unique + device instance identifiers. Each device contains DeviceDesc (description), HardwareID (vendor/product), + Service (driver), LocationInformation (physical location), and Capabilities (device features). examples: - "ENUM\\PCI\\VEN_8086&DEV_1234&SUBSYS_56781234&REV_01: Intel Network Adapter" 
@@ -57,6 +55,28 @@ details: url: "https://www.uwe-sieber.de/usbtreeview_e.html" description: "Detailed USB device hierarchy and information viewer" +limitations: + - "Hardware enumeration does NOT prove devices were actively used" + - "Device presence doesn't indicate data transfer or malicious activity occurred" + - "Driver installation doesn't prove device functionality or operation" + - "Hardware configuration may be from legitimate system setup or maintenance" + - "Device capabilities don't indicate actual usage patterns or activities" + - "Connection records don't prove unauthorized access or data exfiltration" + +correlation: + required_for_definitive_usage_proof: + - "Event logs showing device driver loading and hardware operation events" + - "File system artifacts showing device-specific software or data access" + - "Process execution logs showing applications interacting with specific hardware" + - "Registry changes showing device configuration during usage periods" + - "Network logs if devices were used for network communication" + + strengthens_evidence: + - "USB device connection logs correlating with hardware enumeration data" + - "Driver installation logs showing hardware setup during investigation periods" + - "File modifications showing device-specific software installation or usage" + - "Registry changes in related hardware configuration areas" + metadata: windows_versions: - "Windows NT" @@ -77,12 +97,12 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "medium" investigation_types: - "incident-response" - "data-exfiltration" + - "behavioral-analysis" tags: - "hardware" @@ -123,5 +143,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" 
diff --git a/artifacts/system/installed_programs.yml b/artifacts/system-modifications/installed_programs.yml similarity index 65% rename from artifacts/system/installed_programs.yml rename to artifacts/system-modifications/installed_programs.yml index 7e94d0a..7a8701c 100644 --- a/artifacts/system/installed_programs.yml +++ b/artifacts/system-modifications/installed_programs.yml @@ -1,5 +1,5 @@ title: "Installed Programs and Software Inventory" -category: "system" +category: "system-modifications" description: "Comprehensive software inventory with installation dates, versions, publishers, and uninstall information" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - Windows maintains a comprehensive registry-based database of all installed programs - including application names, versions, publishers, install dates, uninstall strings, - installation paths, size information, and Windows Installer (MSI) package data. - Includes both system-wide and per-user installations with detailed metadata for - software management, updates, and removal operations. + Windows maintains a comprehensive registry-based database of all installed programs including + application names, versions, publishers, install dates, uninstall strings, installation paths, + size information, and Windows Installer (MSI) package data. Includes both system-wide and + per-user installations with detailed metadata. forensic_value: | - Provides complete software inventory for baseline comparison, identifies malicious - or unauthorized software installations, shows installation timeline for correlation - with security incidents, reveals software versions for vulnerability assessment, - and indicates potential attack tools or suspicious applications. Critical for - incident response, compliance auditing, and security assessment. + Provides complete software inventory for baseline comparison, identifies malicious or unauthorized + software installations, shows installation timeline for correlation with security incidents, + reveals software versions for vulnerability assessment, and indicates potential attack tools + or suspicious applications. structure: | - Each installed program has a subkey (usually GUID or product name) containing - REG_SZ values for DisplayName, DisplayVersion, Publisher, InstallDate (YYYYMMDD), - UninstallString, InstallLocation, EstimatedSize, and additional metadata. - MSI installations include additional transform and feature information. 
+ Each installed program has a subkey (usually GUID or product name) containing REG_SZ values + for DisplayName, DisplayVersion, Publisher, InstallDate (YYYYMMDD), UninstallString, InstallLocation, + EstimatedSize, and additional metadata. MSI installations include additional transform and + feature information. examples: - "DisplayName: Adobe Acrobat Reader DC" @@ -56,6 +54,28 @@ details: - name: "Get-WmiObject Win32_Product" description: "PowerShell cmdlet for comprehensive software enumeration" +limitations: + - "Software installation records do NOT prove applications were executed or used" + - "Installation dates don't indicate actual software usage or activity periods" + - "Uninstall information doesn't prove software was completely removed" + - "Software presence may be from legitimate business or personal use" + - "Version information doesn't indicate if vulnerabilities were exploited" + - "Publisher data can be spoofed or modified by malicious software" + +correlation: + required_for_definitive_usage_proof: + - "Process execution logs showing installed applications actually running" + - "File system artifacts showing application usage and data creation" + - "Registry changes showing application configuration during usage" + - "Event logs showing application startup and operation events" + - "Network logs showing application communication if network-enabled" + + strengthens_evidence: + - "AmCache or ShimCache entries showing application execution" + - "UserAssist entries showing user interaction with installed applications" + - "Recent documents created by installed applications" + - "File modifications in application directories during usage periods" + metadata: windows_versions: - "Windows 95" @@ -77,8 +97,7 @@ metadata: - "Windows Server 2019" - "Windows Server 2022" - introduced: "Windows 95 (Add/Remove Programs)" - + introduced: "Windows 95" criticality: "medium" investigation_types: 
@@ -89,7 +108,6 @@ metadata: - "insider-threat" tags: - - "system" - "software-inventory" - "installation" - "baseline" @@ -132,5 +150,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/mobile/itunes.yml b/artifacts/system-modifications/itunes.yml similarity index 54% rename from artifacts/mobile/itunes.yml rename to artifacts/system-modifications/itunes.yml index c4eb23d..071cfbf 100644 --- a/artifacts/mobile/itunes.yml +++ b/artifacts/system-modifications/itunes.yml @@ -1,6 +1,6 @@ title: "iTunes for Windows Mobile Device Sync" -category: "mobile" -description: "iTunes configuration, device synchronization, backup locations, and Apple device management" +category: "system-modifications" +description: "iTunes configuration, device synchronization settings, and Apple device management" paths: - "HKCU\\Software\\Apple Computer, Inc.\\iTunes" 
@@ -10,24 +10,19 @@ paths: details: what: | - iTunes for Windows manages Apple device synchronization including iPhone, iPad, - and iPod connections, backup locations, media library sync, and device management. - Registry stores device identifiers, backup paths, sync preferences, and media - library configurations for comprehensive Apple ecosystem integration and - cross-platform data synchronization between Windows and Apple devices. + iTunes for Windows manages Apple device synchronization including iPhone, iPad, and iPod connections, + backup locations, media library sync, and device management. Registry stores device identifiers, + backup paths, and sync preferences for Apple ecosystem integration. forensic_value: | - Critical for investigating mobile device connections, data synchronization - between Windows and Apple devices, backup locations containing mobile device - data, and evidence of Apple device usage patterns. Shows evidence of mobile - device ownership, sync activity, backup creation, and can reveal access to - mobile device data through iTunes backups and synchronization. + Shows evidence of mobile device connections, data synchronization between Windows and Apple devices, + and backup locations containing mobile device data. Can reveal access to mobile device data through + iTunes backups and synchronization activities. structure: | - iTunes configuration includes device registration data, backup storage paths, - sync preferences, media library locations, and Apple ID authentication. - Mobile Device Support entries track connected devices, device capabilities, - and synchronization history for comprehensive Apple device interaction analysis. + iTunes configuration includes device registration data, backup storage paths, sync preferences, + media library locations, and Apple ID authentication. Mobile Device Support entries track connected + devices and synchronization history. examples: - "StoreAccountName: user@icloud.com (Associated Apple ID)" 
@@ -49,6 +44,28 @@ details: - name: "Apple Mobile Device Support Tools" description: "Apple's device management and synchronization utilities" +limitations: + - "iTunes configuration does NOT prove device synchronization actually occurred" + - "Backup path settings don't indicate successful backup completion" + - "Device registration may be from failed connection attempts" + - "Sync preferences show configuration, not actual data transfer activity" + - "Apple ID association doesn't prove device ownership or authorized access" + - "Media library settings don't indicate what content was synchronized" + +correlation: + required_for_definitive_sync_proof: + - "File system artifacts showing actual iTunes backup files created" + - "Application logs showing successful synchronization operations" + - "Network traffic logs showing data transfer to/from Apple devices" + - "File modification times on backup directories during device connection" + - "Event logs showing successful device authentication and access" + + strengthens_evidence: + - "USB device connection logs correlating to iTunes sync times" + - "Media files with metadata indicating Apple device origin" + - "Network connections to Apple services during sync periods" + - "Registry changes in device tracking keys during connection times" + metadata: windows_versions: - "Windows XP" @@ -60,13 +77,13 @@ metadata: - "Windows 11" introduced: "iTunes for Windows" - criticality: "low" investigation_types: - "behavioral-analysis" - "timeline-analysis" - "incident-response" + - "data-exfiltration" tags: - "itunes" @@ -88,7 +105,7 @@ metadata: volatility: "Device connection history provides mobile device usage patterns" related_artifacts: - - "mobile_device_sync" + - "device_sync" - "apple_ecosystem" - "device_backups" @@ -99,5 +116,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" 
diff --git a/artifacts/system/location_services.yml b/artifacts/system-modifications/location_services.yml similarity index 60% rename from artifacts/system/location_services.yml rename to artifacts/system-modifications/location_services.yml index a5dec34..f69070a 100644 --- a/artifacts/system/location_services.yml +++ b/artifacts/system-modifications/location_services.yml @@ -1,5 +1,5 @@ title: "Location Services and Geolocation Tracking" -category: "system" +category: "system-modifications" description: "GPS location services, geolocation tracking, location history, privacy settings, and device positioning data" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - Windows location services encompass GPS positioning, Wi-Fi location tracking, cellular - triangulation, geofencing capabilities, location history storage, and privacy controls - for location-aware applications. Manages system-wide location permissions, app-specific - location access, location data retention policies, and geolocation service configuration - for enhanced user experience and privacy protection. + Windows location services encompass GPS positioning, Wi-Fi location tracking, cellular triangulation, + geofencing capabilities, location history storage, and privacy controls for location-aware applications. + Manages system-wide location permissions, app-specific location access, and location data retention + policies for enhanced user experience and privacy protection. forensic_value: | - Critical for investigating location-based evidence, tracking device movement patterns, - establishing suspect presence at specific locations, and analyzing location-aware malware. - Shows geolocation access by applications, reveals location tracking that could establish - alibis or criminal activity, and provides evidence of device presence during incident - timeframes. Essential for timeline reconstruction and geographic correlation analysis. + Critical for investigating location-based evidence, tracking device movement patterns, establishing + suspect presence at specific locations, and analyzing location-aware malware. Shows geolocation + access by applications, reveals location tracking that could establish alibis or criminal activity, + and provides evidence of device presence during incident timeframes. structure: | - Location consent store contains application permissions for location access organized - by package family names. 
Device access controls global location services enablement, - sensor overrides manage GPS and positioning hardware, and privacy settings control - location data collection, retention, and sharing policies across applications and services. + Location consent store contains application permissions for location access organized by package + family names. Device access controls global location services enablement, sensor overrides manage + GPS and positioning hardware, and privacy settings control location data collection, retention, + and sharing policies across applications and services. examples: - "ConsentStore\\location\\Value: Allow (Global location services enabled)" 
@@ -52,6 +50,28 @@ details: - name: "GPS Data Recovery Tools" description: "Specialized utilities for recovering and analyzing location information" +limitations: + - "Location service configuration does NOT prove actual location tracking occurred" + - "Permission grants don't indicate GPS data was collected or transmitted" + - "Location settings don't prove device was present at specific geographic locations" + - "Application location access doesn't indicate successful geolocation operations" + - "Privacy settings may be configured but location hardware could be disabled" + - "Location history enablement doesn't prove historical location data exists" + +correlation: + required_for_definitive_location_proof: + - "Actual location data files showing GPS coordinates and timestamps" + - "Application logs showing successful location queries and responses" + - "Network logs showing location service communication and data transmission" + - "File system artifacts showing location-tagged photos or documents" + - "Event logs showing location service activation and GPS hardware usage" + + strengthens_evidence: + - "Wi-Fi network logs showing location-based network connections" + - "Registry changes showing location configuration during investigation periods" + - "File modifications in location data directories during permission usage" + - "Network traffic showing location service communication patterns" + metadata: windows_versions: - "Windows 8" @@ -60,8 +80,7 @@ metadata: - "Windows 11" introduced: "Windows 8" - - criticality: "high" + criticality: "medium" investigation_types: - "timeline-analysis" @@ -107,5 +126,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-13" + version: "3.0" 
diff --git a/artifacts/mobile/device_sync.yml b/artifacts/system-modifications/mobile_device_sync.yml similarity index 60% rename from artifacts/mobile/device_sync.yml rename to artifacts/system-modifications/mobile_device_sync.yml index 4158a24..b9d31b3 100644 --- a/artifacts/mobile/device_sync.yml +++ b/artifacts/system-modifications/mobile_device_sync.yml @@ -1,6 +1,6 @@ title: "Mobile Device Synchronization and Integration" -category: "mobile" -description: "Mobile device pairing, synchronization settings, Your Phone app configuration, and cross-device integration" +category: "system-modifications" +description: "Mobile device pairing, Your Phone app configuration, and cross-device integration settings" paths: - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CDP" 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows mobile device integration encompasses Cross-Device Platform (CDP) configuration, - device synchronization settings, Your Phone app connections, Bluetooth device pairing, - notification mirroring, and cross-platform continuity features. Manages smartphone - integration, tablet connectivity, and multi-device user experience through Windows - ecosystem integration and third-party mobile device management. + Windows mobile device integration includes Cross-Device Platform (CDP) configuration, device + synchronization settings, Your Phone app connections, Bluetooth pairing, notification mirroring, + and cross-platform continuity features for smartphone and tablet integration. forensic_value: | - Critical for investigating cross-device data synchronization, mobile device access to - corporate resources, and potential data exfiltration through mobile integration features. - Shows evidence of paired mobile devices, synchronization activities, notification sharing, - and cross-platform file access. Essential for understanding mobile attack vectors, - BYOD policy violations, and multi-device security incidents. + Shows evidence of paired mobile devices, synchronization activities, and cross-platform file access. + Useful for investigating mobile attack vectors, BYOD policy violations, and multi-device security + incidents. Can reveal data synchronization between corporate systems and personal devices. structure: | - CDP configuration includes device discovery settings, paired device information, sync - preferences, and cross-device communication protocols. DeviceAccess controls mobile - device permissions, notification access, and feature sharing. WINEVT channels track - device synchronization events and connection history with mobile devices. + CDP configuration includes device discovery settings, paired device information, and sync preferences. + DeviceAccess controls mobile device permissions and notification access. 
WINEVT channels track + device synchronization events and connection history. examples: - "CDP\\UserActivities\\EnableCdpUserService: 1 (Cross-device platform enabled)" @@ -51,6 +46,28 @@ details: - name: "Mobile Device Management Tools" description: "Enterprise MDM solutions for mobile device policy and monitoring" +limitations: + - "Pairing configuration does NOT prove active data synchronization occurred" + - "Device permissions don't indicate what data was actually accessed" + - "Cross-device settings show capability, not actual usage or file transfers" + - "Notification mirroring enablement doesn't prove sensitive data was shared" + - "Your Phone app connection doesn't indicate what content was synchronized" + - "Bluetooth pairing may be for legitimate productivity purposes" + +correlation: + required_for_definitive_sync_proof: + - "File system artifacts showing actual synchronized files or photos" + - "Network traffic logs showing data transfer between devices" + - "Application logs from Your Phone app showing successful sync operations" + - "Bluetooth connection logs with data transfer indicators" + - "Event logs showing successful device authentication and data access" + + strengthens_evidence: + - "Recent documents created or modified during device connection periods" + - "Clipboard history showing cross-device copy/paste operations" + - "Photo/video files with metadata indicating mobile device origin" + - "Network connections to cloud services during sync periods" + metadata: windows_versions: - "Windows 10" @@ -59,8 +76,7 @@ metadata: - "Windows Server 2019" - "Windows Server 2022" - introduced: "Windows 10 (Cross-Device Platform)" - + introduced: "Windows 10" criticality: "medium" investigation_types: @@ -108,5 +124,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file + last_updated: "2025-06-13" + version: "3.0" 
diff --git a/artifacts/cloud/onedrive_sync.yml b/artifacts/system-modifications/onedrive_sync.yml similarity index 56% rename from artifacts/cloud/onedrive_sync.yml rename to artifacts/system-modifications/onedrive_sync.yml index 85255a9..6f2a1e6 100644 --- a/artifacts/cloud/onedrive_sync.yml +++ b/artifacts/system-modifications/onedrive_sync.yml @@ -1,5 +1,5 @@ title: "OneDrive Cloud Storage Integration" -category: "cloud" +category: "system-modifications" description: "OneDrive sync settings, account configuration, file synchronization status, and cloud storage integration" paths: 
@@ -10,26 +10,22 @@ paths: details: what: | - OneDrive cloud storage integration configuration includes sync folder locations, account details, - synchronization preferences, bandwidth throttling settings, file collaboration configurations, - and cloud storage management policies. Controls automatic file synchronization, selective sync - settings, version history, sharing permissions, and integration with Windows Explorer for - seamless cloud storage access and file management across multiple devices. + OneDrive cloud storage integration configuration includes sync folder locations, + account details, synchronization preferences, bandwidth settings, and file + collaboration configurations. Controls automatic file synchronization and + integration with Windows Explorer. forensic_value: | - Critical for investigating cloud-based data exfiltration, unauthorized file sharing, and - corporate data leakage through cloud storage services. Shows evidence of files uploaded - to cloud storage, account configurations that may indicate unauthorized access, sync - patterns that could reveal data theft timelines, and sharing activities that might - expose sensitive information. Essential for understanding cloud storage usage in insider - threat and data breach investigations. + Critical for investigating cloud-based data exfiltration and unauthorized file sharing. + Shows evidence of files uploaded to cloud storage, account configurations, + sync patterns that could reveal data theft timelines, and sharing activities + that might expose sensitive information. structure: | - OneDrive configuration includes UserFolder (local sync directory), Accounts subkey with - cloud account details, Business/Personal account separation, sync status information, - and SyncRootManager entries for cloud storage integration. Settings control file - synchronization behavior, bandwidth usage, sharing permissions, and cloud service - authentication with various registry data types. 
+ OneDrive configuration includes UserFolder (local sync directory), Accounts subkey + with cloud account details, Business/Personal account separation, and SyncRootManager + entries for cloud storage integration. Settings control synchronization behavior + and sharing permissions. examples: - "UserFolder: C:\\Users\\user\\OneDrive (Default OneDrive sync location)" @@ -42,16 +38,30 @@ details: tools: - name: "OneDrive Settings" - description: "Built-in OneDrive configuration and account management interface" + description: "Built-in OneDrive configuration and account management" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "OneDrive Sync Status" - description: "Built-in Windows sync status and troubleshooting tools" - - name: "Cloud Storage Analyzer" - description: "Third-party tools for analyzing cloud storage configurations" + description: "Advanced registry analysis tool" - name: "Group Policy Editor" - description: "Enterprise OneDrive policy management and configuration" + description: "Enterprise OneDrive policy management" + +limitations: + - "Registry shows configuration only, not actual files synced or shared" + - "Account presence doesn't prove active data synchronization occurred" + - "Sync settings may be overridden by Group Policy or user actions" + - "Personal/business account separation may not reflect actual usage patterns" + +correlation: + required_for_definitive_conclusions: + - "OneDrive sync logs and metadata files" + - "File system artifacts showing actual synced files" + - "Network traffic logs showing cloud uploads/downloads" + - "OneDrive web activity logs from Microsoft" + + strengthens_evidence: + - "Timeline analysis of sync folder file modifications" + - "User activity showing OneDrive application usage" + - "Email or sharing notifications related to OneDrive activity" metadata: windows_versions: 
@@ -64,7 +74,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 8.1" - criticality: "high" investigation_types: @@ -74,14 +83,11 @@ metadata: - "incident-response" tags: - - "cloud" - "onedrive" - - "data-synchronization" - "cloud-storage" + - "data-synchronization" - "file-sharing" - - "data-exfiltration" - "collaboration" - - "remote-access" references: - title: "Microsoft Documentation: OneDrive" @@ -90,18 +96,14 @@ metadata: - title: "OneDrive Security and Compliance" url: "https://docs.microsoft.com/en-us/onedrive/security/" type: "official" - - title: "Cloud Storage Security Analysis" - url: "https://www.sans.org/white-papers/39847/" - type: "research" retention: default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" persistence: "OneDrive settings persist until account removal or policy changes" - volatility: "Sync status and file operations provide real-time cloud activity evidence" + volatility: "Sync status provides real-time cloud activity evidence" related_artifacts: - "user_profiles" - - "network_interfaces" - "recent_docs" - "file_associations" @@ -113,4 +115,4 @@ author: contribution: date_added: "2025-01-15" last_updated: "2025-01-15" - version: "2.0" + version: "3.0" diff --git a/artifacts/system/power_management.yml b/artifacts/system-modifications/power_management.yml similarity index 66% rename from artifacts/system/power_management.yml rename to artifacts/system-modifications/power_management.yml index 7a07bf1..e9503b7 100644 --- a/artifacts/system/power_management.yml +++ b/artifacts/system-modifications/power_management.yml 
@@ -1,6 +1,6 @@ title: "Power Management Configuration and Sleep Settings" -category: "system" -description: "Power schemes, sleep timers, hibernation settings, wake events, and power policy configuration for forensic timeline analysis" +category: "system-modifications" +description: "Power schemes, sleep timers, hibernation settings, wake events, and power policy configuration" paths: - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Power" 
@@ -10,23 +10,22 @@ paths: details: what: | - Windows power management encompasses power schemes, sleep/hibernate timers, wake event - configuration, fast startup settings, power button behavior, and energy-saving policies. - Controls system sleep behavior, automatic wake events, power state transitions, and - power management policies that affect system availability and forensic artifact preservation. + Windows power management encompasses power schemes, sleep/hibernate timers, wake event + configuration, fast startup settings, power button behavior, and energy-saving policies. + Controls system sleep behavior, automatic wake events, power state transitions, and + power management policies that affect system availability. forensic_value: | - Critical for understanding system availability during incident timeframes, detecting - anti-forensic techniques that use sleep/hibernate to hide activity, and analyzing power - events that affect timeline reconstruction. Power settings reveal attempts to prevent - system sleep during malicious activities, or conversely, using power management to - evade detection by forcing system hibernation after unauthorized access. + Critical for understanding system availability during incident timeframes, detecting + anti-forensic techniques that use sleep/hibernate to hide activity, and analyzing power + events that affect timeline reconstruction. Power settings reveal attempts to prevent + system sleep during malicious activities or using power management to evade detection. structure: | - Power configuration includes power scheme GUIDs, sleep timeout values, hibernation - enablement, fast startup settings, wake timer permissions, and power button actions. - Advanced settings control display timeout, hard disk sleep, processor power management, - and system wake events that can interrupt sleep states for various system activities. 
+ Power configuration includes power scheme GUIDs, sleep timeout values, hibernation + enablement, fast startup settings, wake timer permissions, and power button actions. + Advanced settings control display timeout, hard disk sleep, processor power management, + and system wake events. examples: - "ActivePowerScheme: {381b4222-f694-41f0-9685-ff5bb260df2e} (Balanced power plan)" @@ -37,7 +36,7 @@ details: - "DCSettingIndex: 900 (15 minutes until sleep on battery)" - "AllowWakeTimers: 1 (Wake timers permitted)" - "PowerButtonAction: 1 (Power button triggers sleep)" - + tools: - name: "Power Options (powercfg.cpl)" description: "Built-in Windows power management configuration interface" 
@@ -51,6 +50,28 @@ details: - name: "Event Viewer" description: "System event logs for power state changes and wake events" +limitations: + - "Power management configuration does NOT prove system sleep states actually occurred" + - "Sleep timer settings don't indicate when system was actually sleeping or awake" + - "Hibernation settings don't prove hibernation files contain specific evidence" + - "Wake event configuration doesn't indicate what caused system wake events" + - "Power scheme modifications may be for legitimate energy management" + - "Fast startup settings don't prove system boot/shutdown timing manipulation" + +correlation: + required_for_definitive_timeline_proof: + - "Event logs showing actual system sleep/wake events with timestamps" + - "File system artifacts showing file access patterns during configured sleep periods" + - "Process execution logs showing application activity during power state transitions" + - "Network logs showing connectivity during configured sleep/wake cycles" + - "Registry changes showing power configuration modifications during investigation periods" + + strengthens_evidence: + - "Hibernation files containing memory dumps from specific time periods" + - "Event logs showing wake events triggered by specific applications or network activity" + - "File modifications correlating with power state changes and wake events" + - "Registry changes in other system areas during power configuration modifications" + metadata: windows_versions: - "Windows XP" @@ -68,13 +89,13 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "medium" investigation_types: - "timeline-analysis" - "incident-response" - "behavioral-analysis" + - "anti-forensics" tags: - "power-management" @@ -115,5 +136,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-13" + version: "2.0" 
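Review bot: hunk `@@ -37,7 +36,7 @@` changes only a blank line (`- ` / `+`), and in hunk `@@ -10,23 +10,22 @@` the first three lines of `what:` and of `structure:` are removed and re-added with identical visible text, so trailing-whitespace cleanup is mixed into the content trimming and the real edits (the dropped "forensic artifact preservation" clause, the shortened `forensic_value:`) are hard to spot. Run the whitespace cleanup as its own commit, or note it in the commit message, so the artifact wording changes can be reviewed on their own.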
diff --git a/artifacts/system/software_restriction.yml b/artifacts/system-modifications/software_restriction.yml similarity index 62% rename from artifacts/system/software_restriction.yml rename to artifacts/system-modifications/software_restriction.yml index 68e7928..341bb90 100644 --- a/artifacts/system/software_restriction.yml +++ b/artifacts/system-modifications/software_restriction.yml @@ -1,5 +1,5 @@ title: "Software Restriction Policies" -category: "system" +category: "system-modifications" description: "Legacy application whitelisting, execution control policies, and software restriction configuration" paths: 
@@ -9,26 +9,22 @@ paths: details: what: | - Software Restriction Policies (SRP) provide legacy application control mechanisms that - preceded AppLocker in Windows environments. Controls software execution based on path rules, - hash rules, certificate rules, and network zone rules with configurable security levels. - Provides basic application whitelisting capabilities, execution restrictions, and software - control policies for older Windows systems and backward compatibility scenarios. + Software Restriction Policies (SRP) provide legacy application control mechanisms that + preceded AppLocker in Windows environments. Controls software execution based on path rules, + hash rules, certificate rules, and network zone rules with configurable security levels. + Provides basic application whitelisting capabilities and execution restrictions. forensic_value: | - Critical for detecting legacy security policy bypass attempts, identifying software - restrictions that may have been circumvented by attackers, and analyzing application - control failures that enabled malware execution. Shows evidence of policy modifications - designed to allow unauthorized software execution, reveals legitimate software lists - that indicate system purpose, and provides insight into security posture weaknesses - that attackers may have exploited. + Critical for detecting legacy security policy bypass attempts, identifying software restrictions + that may have been circumvented by attackers, and analyzing application control failures that + enabled malware execution. Shows evidence of policy modifications designed to allow unauthorized + software execution and reveals legitimate software lists. structure: | - CodeIdentifiers configuration includes DefaultLevel (default security restriction level), - ExecutableTypes (file extensions subject to restrictions), TransparentEnabled (policy - enforcement mode), and rule collections for specific paths, hashes, certificates, and - network zones. 
Security levels range from Disallowed (blocked) to Unrestricted (allowed) - with intermediate Basic User and Constrained levels for granular control. + CodeIdentifiers configuration includes DefaultLevel (default security restriction level), + ExecutableTypes (file extensions subject to restrictions), TransparentEnabled (policy enforcement + mode), and rule collections for specific paths, hashes, certificates, and network zones. + Security levels range from Disallowed (blocked) to Unrestricted (allowed). examples: - "DefaultLevel: 0x00040000 (Unrestricted - allow all software execution)" @@ -38,7 +34,7 @@ details: - "PolicyScope: 0 (Apply to all software)" - "PathRules\\0\\Description: Unrestricted access for Windows directory" - "HashRules\\0\\SaferFlags: 0 (Standard hash rule enforcement)" - + tools: - name: "Local Security Policy (secpol.msc)" description: "Built-in Windows software restriction policy management" 
@@ -52,6 +48,28 @@ details: - name: "Policy Management Tools" description: "Enterprise tools for centralized policy deployment and management" +limitations: + - "Software restriction policies do NOT prove policy bypass attempts occurred" + - "Policy configurations don't indicate actual software execution or blocking events" + - "Rule modifications may be legitimate administrative security adjustments" + - "Security level settings don't prove unauthorized applications were executed" + - "Policy enforcement may be bypassed through legitimate execution methods" + - "Policy presence doesn't indicate actual effectiveness or compliance" + +correlation: + required_for_definitive_bypass_proof: + - "Event logs showing software execution attempts and policy enforcement results" + - "Process execution logs showing unauthorized applications running despite restrictions" + - "File system artifacts showing restricted software executed in violation of policies" + - "Registry changes showing policy modifications during suspicious activity periods" + - "Application logs showing successful execution of restricted applications" + + strengthens_evidence: + - "Event logs showing software restriction policy rule triggering during execution attempts" + - "Policy change logs showing rule modifications correlating with attack timelines" + - "Process execution showing applications launched through policy bypass techniques" + - "File system access showing unauthorized application installation attempts" + metadata: windows_versions: - "Windows XP" @@ -70,13 +88,13 @@ metadata: introduced: "Windows XP" deprecated: "Replaced by AppLocker in Windows 7+" - criticality: "medium" investigation_types: - "timeline-analysis" - "lateral-movement" - "behavioral-analysis" + - "anti-forensics" tags: - "software-restriction" @@ -113,5 +131,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" 
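Review bot: hunk `@@ -9,26 +9,22 @@` drops the clause "with intermediate Basic User and Constrained levels for granular control" from `structure:`, so the file now implies only two security levels while the examples document `DefaultLevel:` as a numeric value (`"DefaultLevel: 0x00040000 (Unrestricted - allow all software execution)"`) that an analyst has to map across all four levels. Keep the intermediate levels in `structure:`, and since the new `correlation:` list relies on "Event logs showing software restriction policy rule triggering during execution attempts", name the log channel those events are written to so that correlation step is actionable.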
diff --git a/artifacts/system/timezone_settings.yml b/artifacts/system-modifications/timezone_settings.yml similarity index 54% rename from artifacts/system/timezone_settings.yml rename to artifacts/system-modifications/timezone_settings.yml index b1a24f0..bdac7a2 100644 --- a/artifacts/system/timezone_settings.yml +++ b/artifacts/system-modifications/timezone_settings.yml @@ -1,5 +1,5 @@ title: "Time Zone and Clock Configuration" -category: "system" +category: "system-modifications" description: "System time zone settings, NTP configuration, daylight saving time policies, and time synchronization" paths: 
@@ -10,51 +10,64 @@ paths: details: what: | - Windows time and date configuration encompasses time zone settings, Network Time Protocol (NTP) - server configuration, daylight saving time policies, automatic time synchronization settings, - and time service behavior. Controls system clock accuracy, timezone conversions, automatic - daylight saving adjustments, and network time synchronization for accurate timeline - reconstruction and system correlation across different geographic locations. + Windows time configuration controls time zone settings, Network Time Protocol (NTP) + server configuration, daylight saving time policies, and automatic time synchronization. + Manages system clock accuracy and timezone conversions for timeline reconstruction. forensic_value: | - Critical for forensic timeline analysis, correlation with other systems, and understanding - actual event timing. Time zone modifications may indicate attempts to obscure activity - timing, manipulate log timestamps, or hide temporal correlations. Essential for accurate - timeline reconstruction, cross-system correlation, and detecting time-based anti-forensic - techniques used to confuse investigators about actual event timing. + Critical for accurate timeline analysis and correlation across systems. Time zone + modifications may indicate attempts to obscure activity timing or manipulate log + timestamps. Essential for establishing event timing and detecting temporal anomalies. structure: | - TimeZoneInformation contains StandardName (timezone), DaylightName (DST name), Bias (UTC offset), - StandardBias and DaylightBias (offset adjustments), and transition dates. W32Time service - controls NTP client/server behavior, synchronization intervals, and time source hierarchy. + TimeZoneInformation contains StandardName, DaylightName, Bias (UTC offset), and + transition dates. W32Time service controls NTP behavior and synchronization intervals. 
DateTime\\Servers maintains time server lists and synchronization preferences. examples: - - "StandardName: Pacific Standard Time (West Coast US timezone)" - - "DaylightName: Pacific Daylight Time (DST designation)" + - "StandardName: Pacific Standard Time" + - "DaylightName: Pacific Daylight Time" - "Bias: 480 (UTC-8, 480 minutes behind UTC)" - "StandardBias: 0 (No additional offset for standard time)" - "DaylightBias: -60 (1 hour ahead during daylight saving)" - - "NtpServer: time.windows.com,0x9 (Microsoft time server)" + - "NtpServer: time.windows.com,0x9" - "UpdateInterval: 604800 (Weekly synchronization)" - "W32Time\\Type: NTP (Network Time Protocol client)" tools: - - name: "Date and Time Settings (timedate.cpl)" + - name: "Date and Time Settings" description: "Built-in Windows time and timezone configuration interface" - name: "w32tm.exe" description: "Windows Time service command-line configuration utility" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" - - name: "Time Zone Analyzer" - description: "Forensic tools for analyzing time zone changes and timeline correlation" - - name: "NTP Configuration Tools" - description: "Network time protocol configuration and monitoring utilities" + - name: "tzutil.exe" + description: "Windows timezone utility for querying and setting timezone" + +limitations: + - "Time zone configuration does NOT prove when changes were made" + - "NTP server settings don't prove actual time synchronization occurred" + - "Configuration may exist without active time synchronization service" + - "Manual time changes may not leave registry traces" + - "Time zone modifications don't indicate who made the changes" + - "Settings show configuration state, not historical time synchronization activity" + +correlation: + required_for_definitive_timing_proof: + - "Event logs with original timestamps showing time zone changes" + - "File system timestamps 
confirming time synchronization activity" + - "Network logs showing NTP traffic and synchronization attempts" + - "System audit logs capturing time configuration changes" + + strengthens_evidence: + - "Multiple system clocks for cross-correlation verification" + - "External time sources for independent timeline verification" + - "Application logs with consistent timezone interpretation" metadata: windows_versions: - - "Windows NT" + - "Windows NT 4.0" - "Windows 2000" - "Windows XP" - "Windows Vista" @@ -72,13 +85,13 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "medium" investigation_types: - "timeline-analysis" - "incident-response" - "behavioral-analysis" + - "anti-forensics" tags: - "system" @@ -91,15 +104,12 @@ metadata: - "temporal-correlation" references: - - title: "Microsoft Documentation: Windows Time Service" + - title: "Windows Time Service" url: "https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/" type: "official" - title: "Time Zone Forensics and Timeline Analysis" url: "https://www.sans.org/white-papers/33927/" type: "research" - - title: "Digital Forensics: Time and Date Analysis" - url: "https://www.forensicfocus.com/articles/time-date-forensics/" - type: "research" retention: default_location: "Registry hive files (SYSTEM, SOFTWARE)" @@ -113,11 +123,10 @@ metadata: - "regional_settings" author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" + name: "RegSeek Migration" + github: "regseek" contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + date_added: "2025-06-13" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/page_file.yml b/artifacts/system-modifications/virtual_memory_page_file.yml similarity index 65% rename from artifacts/system/page_file.yml rename to artifacts/system-modifications/virtual_memory_page_file.yml index f6ed996..29c1531 100644 --- a/artifacts/system/page_file.yml 
+++ b/artifacts/system-modifications/virtual_memory_page_file.yml @@ -1,5 +1,5 @@ title: "Virtual Memory and Page File Configuration" -category: "system" +category: "system-modifications" description: "Page file settings, virtual memory configuration, swap file management, and memory forensics" paths: 
@@ -9,24 +9,22 @@ paths: details: what: | - Virtual memory and page file configuration controls how Windows manages memory when physical - RAM is insufficient. Settings include page file locations, size limits, memory management - parameters, virtual address space configuration, and swap file behavior. Manages memory - allocation policies, paging algorithms, and virtual memory security settings for optimal - system performance and memory utilization across different workload scenarios. + Virtual memory and page file configuration controls how Windows manages memory when physical + RAM is insufficient. Settings include page file locations, size limits, memory management + parameters, virtual address space configuration, and swap file behavior. Manages memory + allocation policies and virtual memory security settings. forensic_value: | - Critical for memory forensics as page files contain sensitive data including passwords, - encryption keys, process memory, and document contents that persist after process termination. - Page file security settings reveal if sensitive data clearing was disabled, enabling forensic - memory recovery. Configuration changes may indicate attempts to hide memory artifacts or - optimize system performance for malicious activities requiring intensive memory usage. + Critical for memory forensics as page files contain sensitive data including passwords, + encryption keys, process memory, and document contents that persist after process termination. + Page file security settings reveal if sensitive data clearing was disabled, enabling forensic + memory recovery. Configuration changes may indicate attempts to hide memory artifacts. 
structure: | - Memory Management contains PagingFiles (page file configuration string), ClearPageFileAtShutdown - (security setting for data erasure), ExistingPageFiles (current active page files), - SessionPoolSize (session memory allocation), SystemPages (system memory configuration), - and DisablePagingExecutive (kernel memory paging control) stored as REG_SZ and REG_DWORD values. + Memory Management contains PagingFiles (page file configuration string), ClearPageFileAtShutdown + (security setting for data erasure), ExistingPageFiles (current active page files), SessionPoolSize + (session memory allocation), SystemPages (system memory configuration), and DisablePagingExecutive + (kernel memory paging control). examples: - "PagingFiles: C:\\\\pagefile.sys 2048 4096 (2GB initial, 4GB maximum)" 
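Review bot: the context line `- "PagingFiles: C:\\\\pagefile.sys 2048 4096 (2GB initial, 4GB maximum)"` uses four backslashes where every other example in this patch uses two (`"UserFolder: C:\\Users\\user\\OneDrive ..."`), so after YAML unescaping this value renders with a doubled path separator. Change it to `C:\\pagefile.sys` while the file is being touched.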
@@ -50,6 +48,28 @@ details: - name: "Page File Forensics Tools" description: "Specialized tools for extracting data from Windows page files" +limitations: + - "Page file configuration does NOT prove sensitive data exists in page files" + - "Memory management settings don't indicate actual memory forensic evidence" + - "Disabled page file clearing doesn't prove sensitive data was recovered" + - "Virtual memory configuration may be for legitimate performance optimization" + - "Page file size settings don't indicate actual memory usage or contents" + - "Security settings may be configured for operational rather than forensic reasons" + +correlation: + required_for_definitive_memory_evidence: + - "Actual page file analysis showing recovery of sensitive data or artifacts" + - "Memory dumps showing process memory contents and sensitive information" + - "File system artifacts showing page file creation and modification during investigation periods" + - "Event logs showing memory management service activity and page file operations" + - "Process execution logs showing memory-intensive applications using virtual memory" + + strengthens_evidence: + - "Registry changes showing memory configuration modifications during attack timeframes" + - "File modifications in page file directories during configuration changes" + - "Event logs showing virtual memory allocation events during suspicious activity" + - "Process execution showing applications with high memory usage during investigation periods" + metadata: windows_versions: - "Windows NT" @@ -70,7 +90,6 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "high" investigation_types: @@ -113,5 +132,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-13" + version: "3.0" 
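Review bot: the rename from `artifacts/system/page_file.yml` to `artifacts/system-modifications/virtual_memory_page_file.yml` changes the artifact's basename, which is what `related_artifacts:` lists use to reference other entries (`- "user_profiles"`, `- "recent_docs"`, `- "data_recovery"` elsewhere in this patch). Any `- "page_file"` reference in another artifact file would now dangle; grep for it and update it, or keep the filename and change only the title.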
diff --git a/artifacts/system/volume_shadow_copy.yml b/artifacts/system-modifications/volume_shadow_copy.yml similarity index 54% rename from artifacts/system/volume_shadow_copy.yml rename to artifacts/system-modifications/volume_shadow_copy.yml index dcb4cd3..239578f 100644 --- a/artifacts/system/volume_shadow_copy.yml +++ b/artifacts/system-modifications/volume_shadow_copy.yml @@ -1,5 +1,5 @@ title: "Volume Shadow Copy Service Configuration" -category: "system" +category: "system-modifications" description: "VSS settings, restore points, shadow copy storage, and backup service configuration" paths: 
@@ -10,50 +10,63 @@ paths: details: what: | - Volume Shadow Copy Service (VSS) creates point-in-time copies of files and volumes - for backup, restore operations, and data recovery. Configuration controls VSS behavior, - restore point creation policies, storage allocation limits, file exclusions, and - shadow copy retention settings. Manages automated backup scheduling, system restore - capabilities, and data protection mechanisms essential for forensic data recovery. + Volume Shadow Copy Service (VSS) creates point-in-time copies of files and volumes + for backup and restore operations. Configuration controls VSS behavior, restore point + creation policies, storage allocation limits, and file exclusions. forensic_value: | - Critical for forensic investigations as VSS can be disabled by attackers to prevent - data recovery and hide malicious activity. Shadow copies contain historical file - versions that may preserve evidence of deleted or modified files, providing crucial - data recovery opportunities. Configuration changes reveal attempts to disable backup - capabilities, while shadow copy analysis can recover deleted evidence and establish - file modification timelines essential for investigation reconstruction. + Critical for forensic investigations as VSS can be disabled by attackers to prevent + data recovery. Shadow copies contain historical file versions that may preserve evidence + of deleted or modified files, providing crucial data recovery opportunities. structure: | - VSS service configuration includes startup type, dependencies, and operational parameters. - SystemRestore contains policies for restore point creation, disk usage limits (DiskPercent), - retention intervals (RPLifeInterval), and monitoring settings. FilesNotToBackup specifies - file types and locations excluded from shadow copy operations with detailed exclusion - rules and patterns for comprehensive backup management. 
+ VSS service configuration includes startup type and operational parameters. SystemRestore + contains policies for restore point creation, disk usage limits (DiskPercent), retention + intervals (RPLifeInterval), and monitoring settings. examples: - "VSS\\Start: 3 (Manual startup - VSS available on demand)" - "VSS\\Start: 4 (Disabled - VSS completely unavailable)" - "SystemRestore\\DisableSR: 1 (System Restore disabled)" - - "DiskPercent: 15 (15% maximum disk space allocation for restore points)" + - "DiskPercent: 15 (15% maximum disk space allocation)" - "RPLifeInterval: 7776000 (90 days restore point retention)" - - "FilesNotToBackup: *.tmp, pagefile.sys, hiberfil.sys (Excluded file patterns)" + - "FilesNotToBackup: *.tmp, pagefile.sys, hiberfil.sys" - "CreateRestorePoint: 0 (Automatic restore point creation disabled)" - - "WindowsBackup\\LastSuccessfulBackupTime: [FILETIME] (Last backup timestamp)" + - "WindowsBackup\\LastSuccessfulBackupTime: [FILETIME]" tools: - name: "vssadmin.exe" description: "Built-in Volume Shadow Copy administrative command-line tool" - - name: "System Restore (rstrui.exe)" + - name: "System Restore" description: "Built-in Windows system restore and recovery interface" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" - name: "ShadowExplorer" url: "https://www.shadowexplorer.com" - description: "Third-party tool for browsing and extracting shadow copy data" - - name: "VSS Data Recovery Tools" - description: "Specialized forensic tools for shadow copy analysis and data extraction" + description: "Third-party tool for browsing shadow copy data" + +limitations: + - "VSS configuration does NOT prove shadow copies were actually created" + - "Service enabled status doesn't indicate successful backup operations" + - "Restore point policies don't prove points were generated" + - "Storage allocation doesn't guarantee shadow copy availability" + - "Disabled VSS 
may be legitimate system configuration, not attack evidence" + - "Configuration timestamps show registry changes, not actual VSS activity" + - "File exclusions don't indicate whether backups were performed" + +correlation: + required_for_definitive_backup_activity_proof: + - "VSS event logs showing actual shadow copy creation and deletion" + - "File system artifacts showing restore point creation timestamps" + - "System event logs confirming VSS service operations" + - "Backup application logs showing successful backup operations" + + strengthens_evidence: + - "File system artifacts showing shadow copy storage usage" + - "Registry modification timestamps correlating with VSS changes" + - "Application logs showing restore operations or data recovery" + - "System performance logs showing VSS storage utilization" metadata: windows_versions: @@ -72,13 +85,13 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "high" investigation_types: - "timeline-analysis" - "data-exfiltration" - "incident-response" + - "anti-forensics" - "behavioral-analysis" tags: @@ -91,7 +104,7 @@ metadata: - "file-history" references: - - title: "Microsoft Documentation: Volume Shadow Copy Service" + - title: "Volume Shadow Copy Service" url: "https://docs.microsoft.com/en-us/windows/win32/vss/volume-shadow-copy-service-overview" type: "official" - title: "Shadow Copy Forensics and Data Recovery" @@ -110,11 +123,10 @@ metadata: - "data_recovery" author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" + name: "RegSeek Migration" + github: "regseek" contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + date_added: "2025-06-13" + last_updated: "2025-06-13" + version: "3.0" 
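Review bot: the `limitations` and `correlation` blocks added to this file are the right direction, but two schema choices made here (and repeated in every other file of this patch) will hurt consumers. First, the metadata hunk deletes `criticality: "high"` with no replacement, so any search filter keyed on criticality now matches nothing for this artifact; either keep the field or say in the commit what replaces it. Second, the correlation block uses a per-file key name, `required_for_definitive_backup_activity_proof`, and the other files in the patch use `..._licensing_compliance_proof`, `..._feature_usage_proof`, `..._update_activity_proof` and `..._system_capability_proof`, so no code can address the "required" list generically; use one fixed key (e.g. `required:`) and put the purpose in a sibling `description:`. Two smaller points in the same file: the `author` hunk replaces `Tonmoy Jitu` / `tonmoy0010` with `RegSeek Migration` and resets `date_added` from 2025-01-15 to 2025-06-13, which erases the artifact's provenance (keep the original author and `date_added`, bump only `last_updated` and `version`), and the tools hunk renames `System Restore (rstrui.exe)` to `System Restore`, dropping the one thing an examiner needs from that entry, the executable name. Since the references hunk already touches the `Volume Shadow Copy Service` entry, also move its `docs.microsoft.com` URL to `learn.microsoft.com`, where it now redirects.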
diff --git a/artifacts/system/windows_activation.yml b/artifacts/system-modifications/windows_activation.yml similarity index 60% rename from artifacts/system/windows_activation.yml rename to artifacts/system-modifications/windows_activation.yml index 9e7d3a1..7877cec 100644 --- a/artifacts/system/windows_activation.yml +++ b/artifacts/system-modifications/windows_activation.yml @@ -1,5 +1,5 @@ title: "Windows Activation and License Management" -category: "system" +category: "system-modifications" description: "Windows activation status, licensing information, KMS configuration, and digital entitlement settings" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows activation and licensing infrastructure encompasses activation status verification, - product key management, Key Management Service (KMS) configuration, digital entitlement - validation, and Software Protection Platform settings. Controls license enforcement, - activation methods, grace periods, and compliance with Microsoft licensing terms - for genuine Windows installation validation. + Windows activation and licensing infrastructure controls activation status verification, + product key management, Key Management Service (KMS) configuration, digital entitlement + validation, and Software Protection Platform settings for license enforcement. forensic_value: | - Important for system identification, compliance verification, and detecting unauthorized - or pirated Windows installations that may indicate security risks. Shows activation - bypass attempts, KMS server redirection for unauthorized activation, and license - tampering that could correlate with other security violations. Helps establish - system legitimacy and organizational compliance during investigations. + Important for system identification, compliance verification, and detecting unauthorized + or pirated Windows installations. Shows activation bypass attempts, KMS server redirection + for unauthorized activation, and license tampering correlating with security violations. structure: | - Software Protection Platform contains activation tokens, license status, KMS client - configuration, and digital rights management data. OOBE (Out-of-Box Experience) settings - control initial setup behavior and activation flow. WPA (Windows Product Activation) - maintains activation state and hardware fingerprinting for license enforcement. + Software Protection Platform contains activation tokens, license status, KMS client + configuration, and digital rights management data. OOBE settings control initial setup + behavior. 
WPA maintains activation state and hardware fingerprinting. examples: - "SoftwareProtectionPlatform\\ActivationStatus: 1 (Windows activated)" @@ -49,8 +44,28 @@ details: description: "Advanced registry analysis and browsing tool" - name: "License Status Checker" description: "Third-party tools for Windows license verification" - - name: "KMS Configuration Manager" - description: "Enterprise KMS server management and monitoring tools" + +limitations: + - "Activation status does NOT prove system usage patterns or security compliance" + - "KMS server settings don't confirm actual communication or activation occurred" + - "Licensed status may not reflect current activation state accuracy" + - "Digital entitlement doesn't prove legitimate software acquisition" + - "Grace period settings don't indicate when activation attempts were made" + - "Product key information doesn't prove software was legally obtained" + - "Activation bypass may be legitimate enterprise configuration, not piracy" + +correlation: + required_for_definitive_licensing_compliance_proof: + - "Software licensing audit logs showing legitimate acquisition" + - "Network logs confirming KMS server communications" + - "Purchase records or enterprise licensing agreements" + - "System event logs showing activation service operations" + + strengthens_evidence: + - "Hardware device fingerprinting correlating with licensed installations" + - "Registry modification timestamps showing activation attempts" + - "Network traffic logs showing activation server communications" + - "Application logs showing licensing service operations" metadata: windows_versions: @@ -69,14 +84,13 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "low" investigation_types: - "incident-response" + - "behavioral-analysis" tags: - - "system" - "activation" - "licensing" - "compliance" 
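Review bot: two of the new `limitations` lines need rewording before merge. `Licensed status may not reflect current activation state accuracy` does not parse; suggest `A 'licensed' status can be stale and is not a live activation check`. `Digital entitlement doesn't prove legitimate software acquisition` and `Product key information doesn't prove software was legally obtained` say the same thing, so keep one. In the metadata hunk, `criticality: "low"` is removed and `behavioral-analysis` is added to `investigation_types`, but the file's own `forensic_value` is about licensing compliance and KMS redirection, not user behaviour; either justify the new type in the commit or drop it. Finally, `correlation.required_for_definitive_licensing_compliance_proof` lists `Purchase records or enterprise licensing agreements`, which are not host artifacts at all; a registry-artifact reference should keep its correlation lists to evidence an examiner can actually collect from the system or its logs.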
@@ -86,7 +100,7 @@ metadata: - "genuine-validation" references: - - title: "Microsoft Documentation: Windows Activation" + - title: "Windows Activation" url: "https://docs.microsoft.com/en-us/windows/deployment/volume-activation/" type: "official" - title: "Volume Activation Management Tool" @@ -108,11 +122,10 @@ metadata: - "installed_programs" author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" + name: "RegSeek Migration" + github: "regseek" contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + date_added: "2025-06-13" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/windows_features.yml b/artifacts/system-modifications/windows_features.yml similarity index 58% rename from artifacts/system/windows_features.yml rename to artifacts/system-modifications/windows_features.yml index 4c832d8..21e6cff 100644 --- a/artifacts/system/windows_features.yml +++ b/artifacts/system-modifications/windows_features.yml @@ -1,5 +1,5 @@ title: "Windows Features and Optional Components" -category: "system" +category: "system-modifications" description: "Enabled/disabled Windows features, optional components, role installations, and capability management" paths: 
@@ -10,24 +10,19 @@ paths: details: what: | - Windows Features configuration encompasses optional component management, server role - installations, capability packages, feature enablement status, and component-based - servicing. Controls which Windows features are installed and active, including - development tools, administrative utilities, networking components, and security - features that affect system functionality and attack surface. + Windows Features configuration controls optional component management, server role + installations, and capability packages. Manages which Windows features are installed + and active, affecting system functionality and attack surface. forensic_value: | - Critical for understanding system capabilities, enabled attack vectors, and administrative - tool availability. Shows evidence of features enabled for malicious purposes (such as - Telnet, IIS, or developer tools), reveals system hardening through feature disabling, - and indicates specialized functionality that might be abused. Essential for assessing - system configuration and potential attack methods available to threat actors. + Critical for understanding system capabilities and enabled attack vectors. Shows evidence + of features enabled for malicious purposes (Telnet, IIS, developer tools), reveals system + hardening through feature disabling, and indicates specialized functionality abuse. structure: | - Component Based Servicing maintains feature installation status, dependency tracking, - and feature metadata. OptionalFeatures contains user-accessible feature toggles, - server role configurations, and capability package status. Feature management controls - enterprise feature policies and administrative restrictions on feature modifications. + Component Based Servicing maintains feature installation status and dependency tracking. + OptionalFeatures contains user-accessible feature toggles and server role configurations. 
+ Feature management controls enterprise policies and administrative restrictions. examples: - "TelnetClient: 4 (Telnet client enabled - potential security risk)" 
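Review bot: the example `TelnetClient: 4 (Telnet client enabled - potential security risk)` at the end of this hunk (and `WindowsMediaPlayer: 3 (Windows Media Player disabled)` that opens the next) gives a bare feature name and a number without saying which registry value holds it or where the 4 = enabled / 3 = disabled encoding comes from; neither the rewritten `structure` text, which names Component Based Servicing and OptionalFeatures, nor the `paths` list ties these numbers to a value name. Either quote the full value path and cite the documented state encoding, or rewrite the examples as `dism /online /get-features` / `Get-WindowsOptionalFeature -Online` output, which is what an examiner will compare against. Also, the rewritten `forensic_value` says the artifact `indicates specialized functionality abuse`, while the limitations added in the next hunk say `Feature configuration shows availability, not actual utilization`; soften it to `indicates functionality available for abuse` so the two agree.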
@@ -40,18 +35,38 @@ details: - "WindowsMediaPlayer: 3 (Windows Media Player disabled)" tools: - - name: "Windows Features (optionalfeatures.exe)" + - name: "Windows Features" description: "Built-in Windows features management interface" - name: "DISM (dism.exe)" description: "Deployment Image Servicing and Management command-line tool" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" - - name: "Server Manager" - description: "Windows Server role and feature management console" - name: "PowerShell Get-WindowsFeature" description: "PowerShell cmdlets for Windows feature management and analysis" +limitations: + - "Feature installation status does NOT prove feature was actually used" + - "Enabled features don't indicate when they were activated or by whom" + - "Feature configuration shows availability, not actual utilization" + - "Administrative installation may enable features without user knowledge" + - "Disabled features may be legitimate security hardening, not evidence tampering" + - "Feature states don't prove specific activities or attacks occurred" + - "Installation timestamps show registry changes, not feature usage" + +correlation: + required_for_definitive_feature_usage_proof: + - "Application event logs showing feature utilization" + - "Service execution logs confirming feature services were started" + - "Network logs showing traffic through enabled network features" + - "Process execution logs showing feature-related programs running" + + strengthens_evidence: + - "Registry Run keys or services related to enabled features" + - "File system artifacts showing feature configuration or data" + - "User activity artifacts related to feature-specific applications" + - "Security logs showing feature-based authentication or access" + metadata: windows_versions: - "Windows Vista" 
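Review bot: this hunk removes `Server Manager` but keeps `PowerShell Get-WindowsFeature`, which is the ServerManager module cmdlet and exists only on Windows Server; the `windows_versions` list beginning at the end of this hunk starts at Windows Vista, so for client editions the entry should name `Get-WindowsOptionalFeature -Online` (DISM module) or be marked server-only. Consistency point in the same tools list: `DISM (dism.exe)` keeps its executable name while the line above strips `(optionalfeatures.exe)` from `Windows Features`; keep both, since the executable is the useful part. In the new `limitations`, `Installation timestamps show registry changes, not feature usage` and `Enabled features don't indicate when they were activated or by whom` overlap; merge them into one line that says the key's last-write time bounds when the state changed but not who changed it or whether the feature ran.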
@@ -67,15 +82,14 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - criticality: "medium" investigation_types: - "incident-response" - "malware-analysis" + - "lateral-movement" tags: - - "system" - "windows-features" - "optional-components" - "attack-surface" @@ -85,7 +99,7 @@ metadata: - "feature-management" references: - - title: "Microsoft Documentation: Windows Features" + - title: "Windows Features" url: "https://docs.microsoft.com/en-us/windows/application-management/manage-optional-features" type: "official" - title: "Windows Server Roles and Features" @@ -102,16 +116,15 @@ metadata: related_artifacts: - "installed_programs" - - "services" + - "windows_services" - "security_policy" - "windows_activation" author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" + name: "RegSeek Migration" + github: "regseek" contribution: - date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + date_added: "2025-06-13" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/windows_update.yml b/artifacts/system-modifications/windows_update.yml similarity index 61% rename from artifacts/system/windows_update.yml rename to artifacts/system-modifications/windows_update.yml index 1720c81..6c33b11 100644 --- a/artifacts/system/windows_update.yml +++ b/artifacts/system-modifications/windows_update.yml @@ -1,5 +1,5 @@ title: "Windows Update Configuration and History" -category: "system" +category: "system-modifications" description: "Windows Update service settings, WSUS configuration, automatic update policies, and patch management" paths: 
@@ -10,31 +10,24 @@ paths: details: what: | - Windows Update service comprehensive configuration including automatic update settings, - Windows Server Update Services (WSUS) server configuration, update sources, installation - schedules, update approval policies, and patch management settings. Controls security - update delivery, feature update policies, driver updates, and enterprise update management - for maintaining system security and functionality across Windows environments. + Windows Update service configuration includes automatic update settings, Windows Server + Update Services (WSUS) server configuration, update sources, installation schedules, + and patch management settings for maintaining system security. forensic_value: | - Critical for detecting security policy modifications where attackers disable updates - to maintain vulnerable systems, reveals WSUS server redirection for malicious update - delivery, and indicates update tampering that could facilitate persistent access through - compromised updates. Disabled updates often indicate long-term compromise strategies, - while modified update sources may suggest sophisticated supply chain attacks or - infrastructure compromise designed to deliver malicious updates. + Critical for detecting security policy modifications where attackers disable updates + to maintain vulnerable systems. Reveals WSUS server redirection for malicious update + delivery and indicates update tampering for persistent access. structure: | - Update configuration includes AUOptions (automatic update behavior), WUServer (WSUS server), - UseWUServer (WSUS enablement), ScheduledInstallDay/Time (installation scheduling), update - source configuration, and service registration. Update policies control approval requirements, - installation restrictions, and enterprise deployment settings stored as REG_DWORD and - REG_SZ values with complex policy inheritance and override mechanisms. 
+ Update configuration includes AUOptions (automatic update behavior), WUServer (WSUS server), + UseWUServer (WSUS enablement), ScheduledInstallDay/Time (installation scheduling), and + service registration stored as REG_DWORD and REG_SZ values. examples: - "AUOptions: 1 (Notify before downloading any updates)" - "AUOptions: 4 (Automatically download and install updates)" - - "WUServer: http://wsus.company.com:8530 (Corporate WSUS server)" + - "WUServer: http://wsus.company.com:8530" - "WUServer: http://malicious-wsus.evil.com (Suspicious update server)" - "UseWUServer: 1 (Use specified WSUS server instead of Microsoft)" - "ScheduledInstallDay: 0 (Install updates every day)" 
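Review bot: the unchanged example `AUOptions: 1 (Notify before downloading any updates)` is wrong and should be fixed while this block is being edited: in the Automatic Updates registry semantics 1 means automatic updating is disabled, 2 is notify before download, 3 is auto-download and notify before install, and 4 is auto-download and schedule the install, so `AUOptions: 4 (Automatically download and install updates)` should also say "scheduled install". A corrected pair would be `AUOptions: 1 (Automatic Updates disabled)` and `AUOptions: 2 (Notify before downloading any updates)`. On `WUServer: http://malicious-wsus.evil.com (Suspicious update server)`: the hostname is the weakest indicator, since an attacker who can write this value will choose something that looks corporate; the scheme is the stronger signal, because a WSUS URL over plain `http://` (as in both examples, including `http://wsus.company.com:8530`) lets anyone on the network path tamper with update metadata. Suggest the examples note that `UseWUServer: 1` combined with a non-HTTPS `WUServer` is worth flagging on its own, and that `WUServer` should be read together with `WUStatusServer`, which normally carries the same URL and is a useful tell when the two disagree.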
@@ -43,20 +36,38 @@ details: - "DisableWindowsUpdateAccess: 1 (Block access to Windows Update)" tools: - - name: "Windows Update Settings (ms-settings:windowsupdate)" + - name: "Windows Update Settings" description: "Built-in Windows Update configuration and status interface" - name: "wuauclt.exe" description: "Windows Update client command-line utility" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" - - name: "Update Orchestrator Service" - description: "Modern Windows Update service management and scheduling" - - name: "WSUS Administration Tools" - description: "Enterprise Windows Server Update Services management utilities" - name: "PowerShell Update Management" description: "PowerShell modules for Windows Update automation and analysis" +limitations: + - "Update configuration does NOT prove updates were actually installed" + - "WSUS server settings don't confirm connection or communication occurred" + - "Disabled updates may be legitimate enterprise policy, not attack evidence" + - "Scheduled installation times don't prove updates were applied" + - "Configuration changes don't indicate who made the modifications" + - "Update server redirection may be legitimate corporate infrastructure" + - "Service settings show configuration state, not update installation history" + +correlation: + required_for_definitive_update_activity_proof: + - "Windows Update event logs showing actual update installation" + - "Installed programs registry showing update installations" + - "File system artifacts showing updated files and timestamps" + - "System event logs confirming update service operations" + + strengthens_evidence: + - "Network logs showing connections to update servers" + - "Registry modification timestamps correlating with update changes" + - "Application logs showing update-related process activity" + - "System restore points created during update installations" + metadata: 
windows_versions: - "Windows XP" @@ -74,15 +85,14 @@ metadata: - "Windows Server 2022" introduced: "Windows XP" - criticality: "high" investigation_types: - "malware-analysis" - "timeline-analysis" - - "privilege-escalation" - "lateral-movement" - "persistence-analysis" + - "incident-response" tags: - "windows-update" @@ -94,7 +104,7 @@ metadata: - "automatic-updates" references: - - title: "Microsoft Documentation: Windows Update" + - title: "Windows Update" url: "https://docs.microsoft.com/en-us/windows/deployment/update/" type: "official" - title: "Windows Update Security and Attack Vectors" @@ -116,11 +126,10 @@ metadata: - "network_configuration" author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" + name: "RegSeek Migration" + github: "regseek" contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + date_added: "2025-06-13" + last_updated: "2025-06-13" + version: "3.0" diff --git a/artifacts/system/version_info.yml b/artifacts/system-modifications/windows_version_info.yml similarity index 51% rename from artifacts/system/version_info.yml rename to artifacts/system-modifications/windows_version_info.yml index 4f463f8..cdf8c06 100644 --- a/artifacts/system/version_info.yml +++ b/artifacts/system-modifications/windows_version_info.yml @@ -1,6 +1,6 @@ title: "Windows Version and Build Information" -category: "system" -description: "Complete Windows version identification, build numbers, edition details, and installation metadata" +category: "system-modifications" +description: "Windows version identification, build numbers, edition details, and installation metadata" paths: - "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" 
@@ -9,54 +9,64 @@ paths: details: what: | - Windows stores comprehensive version identification information including build numbers, - edition details, installation timestamps, product keys, registered owner information, - update history, and licensing data. Provides complete system identification for baseline - establishment, vulnerability assessment, and forensic system profiling across different - Windows versions and editions with detailed metadata for investigation correlation. + Windows stores version identification information including build numbers, edition details, + installation timestamps, product keys, registered owner information, update history, and + licensing data for complete system identification. forensic_value: | - Essential for establishing system baseline information, determining available Windows - features and security capabilities, validating system timeline accuracy, and identifying - Windows editions for capability analysis during investigations. Version information - enables vulnerability assessment, helps correlate with known exploits, and provides - context for available security features, installed updates, and system configuration - options relevant to investigation scenarios. + Essential for establishing system baseline information, determining available Windows + features and security capabilities, and identifying Windows editions for vulnerability + assessment and investigation correlation. structure: | - Version information stored as REG_SZ strings and REG_DWORD values including ProductName - (Windows edition), CurrentBuild (build number), ReleaseId (version identifier), InstallDate - (Unix timestamp), RegisteredOwner (system owner), DigitalProductId (license data), and - update information with installation tracking and feature update history for comprehensive - system identification and timeline establishment. 
+ Version information stored as REG_SZ strings and REG_DWORD values including ProductName, + CurrentBuild, ReleaseId, InstallDate (Unix timestamp), RegisteredOwner, DigitalProductId, + and update information for comprehensive system identification. examples: - - "ProductName: Windows 11 Pro (Operating system edition)" - - "ProductName: Windows 10 Enterprise LTSC (Long-term servicing channel)" + - "ProductName: Windows 11 Pro" + - "ProductName: Windows 10 Enterprise LTSC" - "CurrentBuild: 22621 (Windows 11 22H2 build number)" - "CurrentBuild: 19044 (Windows 10 21H2 build number)" - "ReleaseId: 22H2 (Feature update identifier)" - "InstallDate: 0x63A1B2C0 (Unix timestamp: 1671450304 = December 19, 2022)" - - "RegisteredOwner: CORPORATE\\ITDepartment (System registration information)" - - "RegisteredOrganization: Acme Corporation (Organization registration)" + - "RegisteredOwner: CORPORATE\\ITDepartment" + - "RegisteredOrganization: Acme Corporation" - "DigitalProductId: [Binary license and product key data]" tools: - name: "winver.exe" description: "Built-in Windows version information dialog" - name: "systeminfo.exe" - description: "Command-line system information utility with comprehensive details" + description: "Command-line system information utility" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" - - name: "RegRipper" - url: "https://github.com/keydet89/RegRipper3.0" - description: "Registry data extraction and analysis framework" - - name: "Windows System Information (msinfo32.exe)" - description: "Comprehensive system information and configuration viewer" - name: "PowerShell Get-ComputerInfo" description: "PowerShell cmdlet for detailed system information retrieval" +limitations: + - "Version information does NOT prove system activity or usage patterns" + - "Installation date shows registry creation, not actual system deployment" + - "Registered owner doesn't prove who 
actually uses the system" + - "Edition details don't indicate which features are actively enabled" + - "Build numbers don't prove specific security patches are installed" + - "Version data may be modified by system updates or registry editing" + - "Product information doesn't indicate system configuration or security state" + +correlation: + required_for_definitive_system_capability_proof: + - "Installed programs registry showing actual feature installations" + - "Windows Features configuration showing enabled capabilities" + - "Security event logs confirming available security features" + - "File system artifacts showing Windows component presence" + + strengthens_evidence: + - "Update history logs showing patch level and security updates" + - "Hardware device registry showing compatible features" + - "Network configuration showing available protocols and services" + - "Application logs showing feature utilization" + metadata: windows_versions: - "Windows NT 3.1" @@ -78,13 +88,12 @@ metadata: - "Windows Server 2022" introduced: "Windows NT 3.1" - criticality: "low" investigation_types: - "incident-response" - - "lateral-movement" - "timeline-analysis" + - "behavioral-analysis" tags: - "version-info" @@ -96,7 +105,7 @@ metadata: - "edition-analysis" references: - - title: "Microsoft Documentation: Windows Version Information" + - title: "Windows Version Information" url: "https://docs.microsoft.com/en-us/windows/win32/sysinfo/getting-the-system-version" type: "official" - title: "Windows Version History and Security Features" @@ -112,14 +121,13 @@ metadata: - "installed_programs" - "computer_name" - "user_profiles" - - "system_configuration" + - "windows_features" author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" + name: "RegSeek Migration" + github: "regseek" contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + date_added: "2025-06-13" + last_updated: "2025-06-13" + version: "3.0" 
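Review bot: three examples in this hunk will mislead an examiner. `InstallDate: 0x63A1B2C0 (Unix timestamp: 1671450304 = December 19, 2022)` does not add up: 0x63A1B2C0 is 1671541440 (2022-12-20 13:04:00 UTC), while 1671450304 is 0x63A04EC0; fix one side so the pair is consistent. `ProductName: Windows 11 Pro` is not what the value contains on Windows 11, which still reports `Windows 10 Pro` in `ProductName`; the pair to trust is `CurrentBuild` plus `DisplayVersion`, and the `structure` text should say so. `ReleaseId: 22H2 (Feature update identifier)` is likewise wrong: `ReleaseId` stopped advancing at `2009` with Windows 10 20H2, and `22H2` lives in `DisplayVersion`, which the hunk never mentions. One wording point in the new `limitations`: `Installation date shows registry creation, not actual system deployment` should state what the value actually reflects, the time of the most recent OS installation or feature update, so a recent `InstallDate` on an old machine is expected rather than suspicious.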
diff --git a/artifacts/system/sam_authentication.yml b/artifacts/system/sam_authentication.yml deleted file mode 100644 index e7463eb..0000000 --- a/artifacts/system/sam_authentication.yml +++ /dev/null 
@@ -1,139 +0,0 @@ -title: "SAM Database User Account Information" -category: "system" -description: "Local user account data including password hashes, logon counts, account policies, and authentication history" - -paths: - - "HKLM\\SAM\\SAM\\Domains\\Account\\Users" - - "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names" - - "HKLM\\SAM\\SAM\\Domains\\Account\\Aliases" - - "HKLM\\SAM\\SAM\\Domains\\Builtin\\Aliases" - -details: - what: | - Security Account Manager (SAM) database stores comprehensive local user account information - including usernames, password hashes (NTLM), account policies, logon counts, last logon times, - password change dates, account lockout information, and group memberships. Contains both - active and disabled accounts with detailed authentication history and security settings. - Critical component of Windows local authentication infrastructure. - - forensic_value: | - Critical for identifying unauthorized accounts, password attacks, account creation timelines, - and user authentication patterns. Password hashes can be cracked or used for pass-the-hash - attacks. Shows evidence of account compromise, privilege escalation, lateral movement, and - unauthorized access attempts. Essential for user timeline analysis and security assessment. - - structure: | - User accounts stored by Relative Identifier (RID) starting from 500 (Administrator). - Contains binary data structures with NTLM password hashes, FILETIME timestamps for - account creation/last logon/password changes, logon count, bad password count, account - flags, and group membership information. Names subkey provides RID to username mapping. 
- - examples: - - "RID 500: Built-in Administrator account" - - "RID 1001: Local user account (first created user)" - - "Username: administrator" - - "NTLM Hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0" - - "Last Logon: 2024-01-15 14:30:25 UTC" - - "Password Last Set: 2024-01-01 08:00:00 UTC" - - "Account Created: 2023-12-15 10:00:00 UTC" - - "Logon Count: 157" - - "Bad Password Count: 3" - - "Account Flags: 0x0210 (Normal user, password never expires)" - - tools: - - name: "SAMInside" - url: "https://www.insidepro.com/saminside.php" - description: "Professional SAM database analysis and password recovery tool" - - name: "pwdump7" - url: "https://www.tarasco.org/security/pwdump_7/" - description: "Tool for extracting password hashes from SAM database" - - name: "Ophcrack" - url: "https://ophcrack.sourceforge.io/" - description: "Rainbow table-based password cracking tool for Windows" - - name: "John the Ripper" - url: "https://www.openwall.com/john/" - description: "Advanced password cracking tool with Windows hash support" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry browser with SAM analysis capabilities" - - name: "SAM Parser" - description: "Specialized tools for SAM database structure analysis" - -metadata: - windows_versions: - - "Windows NT 3.1" - - "Windows NT 3.5" - - "Windows NT 4.0" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "privilege-escalation" - - "lateral-movement" - - "incident-response" - - "timeline-analysis" - - "malware-analysis" - - tags: - - "system" - - "user-accounts" - - "password-hashes" - - "authentication" - 
- "account-creation" - - "security" - - "privilege-escalation" - - "ntlm-hashes" - - "logon-history" - - "account-policy" - - references: - - title: "Security Account Manager (SAM)" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management" - type: "official" - - title: "Windows Authentication Architecture" - url: "https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-authentication-architecture" - type: "official" - - title: "MITRE ATT&CK: Account Discovery" - url: "https://attack.mitre.org/techniques/T1087/001/" - type: "research" - - title: "Windows SAM Database Analysis" - url: "https://www.sans.org/blog/digital-forensics-sam-analysis/" - type: "research" - - retention: - default_location: "SAM registry hive (%SystemRoot%\\System32\\config\\SAM)" - persistence: "Survives reboots, persists until account deletion or system reinstallation" - volatility: "Account data persistent but logon history may be limited by policy settings" - - related_artifacts: - - "user_profiles" - - "security_policy" - - "event_log_config" - - "winlogon_userinit" - - "lsa_packages" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" \ No newline at end of file diff --git a/artifacts/system/security_policy.yml b/artifacts/system/security_policy.yml deleted file mode 100644 index 7cbdd44..0000000 --- a/artifacts/system/security_policy.yml +++ /dev/null 
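Review bot: this deletes `sam_authentication.yml` outright rather than renaming it into a new category the way the `system -> system-modifications` files above were handled, so its `related_artifacts` links (`user_profiles`, `security_policy`, `event_log_config`, `winlogon_userinit`, `lsa_packages`) disappear and any artifact whose `related_artifacts` names `sam_authentication` now dangles; if the content is moving, make it a rename in this diff so the history survives. If the file comes back, carry over two fixes it needed: the example `NTLM Hash: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0` is the LM:NT pair for an empty password (the LM half is the no-LM-hash placeholder), which the text should say rather than presenting it as a generic hash, and `SAMInside` and `pwdump7` are long unmaintained and need a currency note beside their URLs.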
@@ -1,124 +0,0 @@ -title: "Local Security Policy Settings" -category: "system" -description: "Security policies, audit settings, access control configuration, and Local Security Authority settings" - -paths: - - "HKLM\\SECURITY\\Policy" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies" - - "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows" - -details: - what: | - Local Security Policy configuration encompasses comprehensive audit policies, user rights - assignments, security options, Local Security Authority (LSA) settings, and system-wide - security controls. Manages authentication policies, privilege assignments, audit logging - configuration, password policies, and security restrictions that govern system access - control and security behavior across Windows environments. - - forensic_value: | - Critical for detecting security policy modifications that weaken system defenses, shows - disabled audit logging designed to hide malicious activity, reveals privilege escalation - attempts through policy changes, and indicates sophisticated attacks that modify security - controls. Security policy analysis reveals attacker knowledge of Windows security mechanisms - and attempts to establish persistence or evade detection through policy manipulation. - - structure: | - Security policy data stored in binary format within SECURITY registry hive containing - audit policy settings, user rights assignments, and security options. LSA settings - control authentication mechanisms, credential caching, and security package configurations. - Policies registry contains user-level security restrictions and Group Policy settings - that affect security behavior and system restrictions. 
- - examples: - - "AuditLogonEvents: 0 (Logon event auditing disabled)" - - "AuditObjectAccess: 3 (File/folder access auditing enabled for success and failure)" - - "AuditPrivilegeUse: 2 (Privilege use auditing for failures only)" - - "LSA\\LimitBlankPasswordUse: 0 (Allow blank passwords for network logon)" - - "LSA\\NoLMHash: 1 (Disable LM hash storage)" - - "CrashOnAuditFail: 0 (System continues if audit log full)" - - "ShutdownWithoutLogon: 1 (Allow shutdown without logon)" - - "EnableGuestAccount: 0 (Guest account disabled)" - - tools: - - name: "Local Security Policy (secpol.msc)" - description: "Built-in Windows security policy management interface" - - name: "secedit.exe" - description: "Command-line security configuration and analysis tool" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Policy Analyzer" - description: "Third-party tools for security policy assessment and comparison" - - name: "Group Policy Editor (gpedit.msc)" - description: "Advanced policy configuration and management interface" - - name: "auditpol.exe" - description: "Command-line audit policy configuration utility" - -metadata: - windows_versions: - - "Windows NT" - - "Windows 2000" - - "Windows XP" - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2000" - - "Windows Server 2003" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows NT 3.1" - - criticality: "high" - - investigation_types: - - "privilege-escalation" - - "behavioral-analysis" - - "lateral-movement" - - "incident-response" - - "lateral-movement" - - tags: - - "security-policy" - - "audit-settings" - - "lsa" - - "access-control" - - "privilege-escalation" - - "policy-modification" - - "security-evasion" - - references: - - title: "Microsoft 
Documentation: Local Security Policy" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/" - type: "official" - - title: "Windows Security Policy Manipulation" - url: "https://attack.mitre.org/techniques/T1562/" - type: "research" - - retention: - default_location: "Registry hive files (SECURITY, SOFTWARE, SYSTEM)" - persistence: "Security policies persist until administratively changed" - volatility: "Critical settings affecting ongoing system security and access control" - - related_artifacts: - - "sam_security" - - "audit_settings" - - "user_profiles" - - "security_center" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/system/windows_defender.yml b/artifacts/system/windows_defender.yml deleted file mode 100644 index 2138306..0000000 --- a/artifacts/system/windows_defender.yml +++ /dev/null 
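Review bot: if the `examples` from this deleted file are being re-homed, fix them first: `AuditLogonEvents`, `AuditObjectAccess`, `AuditPrivilegeUse` and `EnableGuestAccount` are secedit INF template keys, not registry value names. On disk the audit policy sits in `HKLM\SECURITY\Policy\PolAdtEv` as a binary blob that has to be decoded (or read live with `auditpol /get /category:*`), and the unprefixed entries should carry their key so readers can find them (`CrashOnAuditFail` under `Control\Lsa`, `ShutdownWithoutLogon` under `CurrentVersion\Policies\System`). The `investigation_types` list also carries `lateral-movement` twice.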
@@ -1,121 +0,0 @@ -title: "Windows Defender and Security Settings" -category: "system" -description: "Windows Defender configuration, exclusions, security policies, and User Account Control settings" - -paths: - - "HKLM\\SOFTWARE\\Microsoft\\Windows Defender" - - "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" - - "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" - - "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions" - -details: - what: | - Windows Defender (Windows Security) comprehensive configuration including real-time protection - settings, scan exclusions, threat detection policies, automatic sample submission, cloud - protection settings, and User Account Control (UAC) configuration. Controls system security - posture, malware detection capabilities, security notifications, and administrative privilege - elevation policies essential for endpoint protection and security management. - - forensic_value: | - Critical for detecting sophisticated evasion techniques where attackers disable security - features to facilitate malware execution, reveals exclusion paths added by malware to - avoid detection, and indicates security policy modifications that weaken system defenses. - Disabled Windows Defender or modified exclusions often indicate compromise, while UAC - modifications may enable privilege escalation attacks or administrative access bypass - attempts essential for forensic security assessment. - - structure: | - Defender configuration includes DisableAntiSpyware (complete disabling), DisableRealtimeMonitoring - (real-time protection), exclusion lists for paths/processes/extensions, update configurations, - and cloud protection settings. UAC settings control elevation prompts through ConsentPromptBehaviorAdmin, - EnableLUA (UAC enablement), and PromptOnSecureDesktop (secure prompt display) with various - security level configurations for comprehensive protection management. 
- - examples: - - "DisableAntiSpyware: 1 (Windows Defender completely disabled)" - - "DisableRealtimeMonitoring: 1 (Real-time protection disabled)" - - "Exclusions\\Paths: C:\\Malware, C:\\Tools\\Hacking (Suspicious exclusion paths)" - - "Exclusions\\Processes: malware.exe, cryptominer.exe (Excluded malicious processes)" - - "ExclusionExtension: .exe, .dll, .scr (Dangerous extension exclusions)" - - "EnableLUA: 0 (User Account Control completely disabled)" - - "ConsentPromptBehaviorAdmin: 0 (No UAC prompts for administrators)" - - "PromptOnSecureDesktop: 0 (UAC prompts not on secure desktop)" - - tools: - - name: "Windows Security (ms-settings:windowsdefender)" - description: "Built-in Windows Security management interface" - - name: "Get-MpPreference PowerShell" - description: "PowerShell cmdlets for Windows Defender configuration analysis" - - name: "Registry Explorer" - url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Group Policy Editor (gpedit.msc)" - description: "Advanced Windows Defender and UAC policy configuration" - - name: "Windows Defender Security Center" - description: "Centralized security status and configuration management" - - name: "Defender Configuration Analyzer" - description: "Third-party tools for comprehensive Defender settings assessment" - -metadata: - windows_versions: - - "Windows Vista" - - "Windows 7" - - "Windows 8" - - "Windows 8.1" - - "Windows 10" - - "Windows 11" - - "Windows Server 2008" - - "Windows Server 2012" - - "Windows Server 2016" - - "Windows Server 2019" - - "Windows Server 2022" - - introduced: "Windows Vista (Windows Defender), Windows Vista (UAC)" - - criticality: "high" - - investigation_types: - - "incident-response" - - "malware-analysis" - - "privilege-escalation" - - tags: - - "windows-defender" - - "security-policy" - - "uac" - - "malware-evasion" - - "exclusions" - - "real-time-protection" - - "endpoint-security" - - references: - - 
title: "Microsoft Documentation: Windows Security" - url: "https://docs.microsoft.com/en-us/windows/security/threat-protection/" - type: "official" - - title: "Windows Defender Evasion Techniques" - url: "https://attack.mitre.org/techniques/T1562/001/" - type: "research" - - title: "UAC Bypass Methods and Detection" - url: "https://attack.mitre.org/techniques/T1548/002/" - type: "research" - - retention: - default_location: "Registry hive files (SOFTWARE)" - persistence: "Security settings persist until manually changed or policy overridden" - volatility: "Critical security configuration affecting ongoing threat protection" - - related_artifacts: - - "security_center" - - "security_policy" - - "malware_exclusions" - - "privilege_escalation" - -author: - name: "Tonmoy Jitu" - github: "tonmoy0010" - x: "tonmoy0010" - -contribution: - date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" diff --git a/artifacts/user-activity/acmru.yml b/artifacts/user-behaviour/acmru.yml similarity index 62% rename from artifacts/user-activity/acmru.yml rename to artifacts/user-behaviour/acmru.yml index e232b39..9be375e 100644 --- a/artifacts/user-activity/acmru.yml +++ b/artifacts/user-behaviour/acmru.yml @@ -1,5 +1,5 @@ title: "Automatic Destinations and Recent Items (ACMRU)" -category: "user-activity" +category: "user-behaviour" description: "Application-specific MRU tracking, dialog preferences, and automated destination management" paths: 
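Review bot: same concern as the other deleted files: if the Windows Defender entry is being recreated elsewhere, its `examples` need correcting before they are copied. Defender stores each exclusion as a value name with REG_DWORD data 0 under `Exclusions\Paths`, `Exclusions\Processes` and `Exclusions\Extensions`, so `Exclusions\\Paths: C:\\Malware, C:\\Tools\\Hacking` misdescribes the structure an examiner will see, and `ExclusionExtension` is the `Get-MpPreference` property name rather than a registry key. The tools list leans on live cmdlets and `ms-settings:` pages that are of no use on a dead image; the registry key and value names are what matter here.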
@@ -11,23 +11,19 @@ paths: details: what: | Windows tracks application-specific Most Recently Used (MRU) items including file dialog - sizing preferences, default folder locations, stream operations, and automated destination - management. Provides granular tracking of user interaction patterns with file dialogs, - application preferences, and document access behaviors across different software applications - and file operation contexts. + sizing preferences, default folder locations, and stream operations. Provides granular + tracking of user interaction patterns with file dialogs and document access behaviors. forensic_value: | - Provides detailed user interaction patterns with applications and file systems, reveals - preferred locations for file operations across different applications, shows evidence of - document manipulation activities, and indicates user workflow patterns. Critical for - understanding user behavior, establishing application usage timelines, and correlating - file access activities with specific applications and user intentions. + Reveals detailed user interaction patterns with applications and file systems, showing + preferred locations for file operations and evidence of document manipulation activities. + Critical for understanding user behavior and establishing application usage timelines. structure: | - CIDSizeMRU stores dialog box sizing preferences organized by application executable names. - FirstFolder maintains default folder locations for file dialogs by file type context. - StreamMRU contains data stream access patterns with binary PIDL (Pointer to Item IDentifier List) - data representing folder locations and navigation history in specialized data formats. + CIDSizeMRU stores dialog box sizing preferences by application executable names. + FirstFolder maintains default folder locations for file dialogs by file type. 
+ StreamMRU contains data stream access patterns with binary PIDL data representing + folder locations and navigation history. examples: - "CIDSizeMRU\\notepad.exe: Dialog size 800x600 (Notepad file dialog preferences)" @@ -52,6 +48,28 @@ details: - name: "Common Dialog Analysis Tools" description: "Utilities for analyzing file dialog interaction patterns" +limitations: + - "Dialog preferences do NOT prove files were actually opened or accessed" + - "Size settings don't indicate successful file operations or document viewing" + - "Default folder locations don't show actual file activity in those folders" + - "Stream operations may reflect system activity rather than user actions" + - "PIDL data can become corrupted or reference non-existent locations" + - "MRU entries don't indicate duration of file interaction or editing" + - "Application-specific settings don't prove the application was actively used" + +correlation: + required_for_definitive_file_access_proof: + - "File system timestamps showing actual file modifications or access" + - "Application event logs showing document opening and editing activity" + - "Process execution logs confirming application usage during dialog interactions" + - "Registry keys modified by applications during file operations" + + strengthens_evidence: + - "Recent documents showing files accessed through these dialog preferences" + - "ShellBags data showing folder navigation correlating with dialog settings" + - "Jump Lists showing application usage patterns matching dialog history" + - "Thumbnail cache entries showing file previews from preferred locations" + metadata: windows_versions: - "Windows XP" @@ -63,7 +81,6 @@ metadata: - "Windows 11" introduced: "Windows XP" - criticality: "medium" investigation_types: @@ -106,5 +123,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
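Review bot: the rename only changes the category, but the file's title and slug still do not match its contents: `ACMru` is the Windows XP Search Assistant MRU (`HKCU\Software\Microsoft\Search Assistant\ACMru`), "Automatic Destinations" refers to the Jump List `*.automaticDestinations-ms` files, and the keys actually described (CIDSizeMRU, FirstFolder) are the same `Explorer\ComDlg32` keys that `comdlg32_settings.yml` in this series already covers. Either merge the two entries or retitle this one around what it uniquely adds, and in the new `correlation` block replace the vague "Registry keys modified by applications during file operations" with the specific keys meant (`OpenSavePidlMRU` and `LastVisitedPidlMRU` on Vista and later).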
diff --git a/artifacts/cloud/box_sync.yml b/artifacts/user-behaviour/box_sync.yml similarity index 63% rename from artifacts/cloud/box_sync.yml rename to artifacts/user-behaviour/box_sync.yml index 79a7164..b8010fa 100644 --- a/artifacts/cloud/box_sync.yml +++ b/artifacts/user-behaviour/box_sync.yml @@ -1,5 +1,5 @@ title: "Box Sync and Drive Client" -category: "cloud" +category: "user-behaviour" description: "Box Sync and Box Drive configuration, enterprise integration, and file synchronization" paths: 
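Review bot: across this rename series the new category slug is spelled `user-behaviour` while the old one was `user-activity`; the slug is what the category filter keys on, so a British/American spelling mismatch anywhere (search index, other artifact files, docs) silently drops these files from the filter. Pick one spelling and check it with a grep for `category:` values before merging. Folding the three cloud-storage clients (`box_sync`, `dropbox_desktop`, `google_drive_desktop`) into `user-behaviour` also removes the `cloud` category; if that is intentional, any category listing elsewhere in the repo needs the same change.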
@@ -13,21 +13,18 @@ details: Box Sync and Box Drive manage enterprise cloud storage synchronization including folder mapping, authentication with Box enterprise accounts, collaboration settings, and security policies. Registry tracks installation configurations, user credentials, - folder sync preferences, and Box Edit integration for comprehensive enterprise - content management and secure file sharing in business environments. + and folder sync preferences. forensic_value: | - Critical for investigating enterprise data exfiltration, unauthorized access to - Box repositories, and violation of corporate data governance policies. Shows evidence - of Box usage in enterprise environments, shared folder access, collaboration - activities, and potential data leakage through Box platform. Essential for analyzing - insider threats and unauthorized data sharing in corporate settings. + Critical for investigating enterprise data exfiltration and unauthorized access to + Box repositories. Shows evidence of Box usage in enterprise environments, shared + folder access, and potential data leakage through Box platform. Essential for + analyzing insider threats in corporate settings. structure: | Box configuration includes enterprise account identifiers, sync folder locations, collaboration permissions, security settings, and Box Edit integration preferences. - Enterprise policies control access restrictions, sharing permissions, and data - governance compliance for comprehensive Box platform security management. + Enterprise policies control access restrictions and sharing permissions. examples: - "BoxSyncPath: C:\\Users\\user\\Box Sync" 
@@ -45,7 +42,25 @@ details: description: "Enterprise Box administration and audit capabilities" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Advanced registry analysis tool" + +limitations: + - "Registry shows configuration only, not actual files shared or accessed" + - "Enterprise account presence doesn't prove data exfiltration occurred" + - "Collaboration settings don't indicate actual collaboration activity" + - "Box Edit integration may not reflect document editing patterns" + +correlation: + required_for_definitive_conclusions: + - "Box sync logs and metadata files" + - "File system artifacts showing Box folder contents" + - "Network traffic logs showing Box API communications" + - "Box enterprise audit logs from Box Admin Console" + + strengthens_evidence: + - "Timeline analysis of Box folder file modifications" + - "User activity showing Box application usage" + - "Email notifications from Box sharing activities" metadata: windows_versions: @@ -56,20 +71,19 @@ metadata: - "Windows 11" introduced: "Box Sync Client" - - criticality: "medium" + criticality: "high" investigation_types: - "data-exfiltration" - "insider-threat" - "behavioral-analysis" + - "incident-response" tags: - "box" - "enterprise-storage" - "collaboration" - "file-sharing" - - "box-drive" - "data-governance" references: @@ -83,9 +97,8 @@ metadata: volatility: "Collaboration activity provides enterprise data sharing intelligence" related_artifacts: - - "enterprise_storage" - - "file_collaboration" - - "data_governance" + - "file_associations" + - "recent_docs" author: name: "Tonmoy Jitu" @@ -95,4 +108,4 @@ author: contribution: date_added: "2025-06-08" last_updated: "2025-06-08" - version: "1.0" + version: "3.0" 
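Review bot: raising `criticality` from `medium` to `high` in the same hunk that adds a `limitations` block saying the registry "shows configuration only" and that account presence "doesn't prove data exfiltration occurred" reads as contradictory; a configuration-only artifact is a lead, not high-criticality evidence. Either justify the bump in `forensic_value` or leave it at medium. Also `version` jumps from 1.0 to 3.0 while `last_updated` stays at 2025-06-08, whereas the other files in this series set `last_updated` to 2025-06-12 alongside the version bump; keep the two fields in step.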
diff --git a/artifacts/user-activity/comdlg32_settings.yml b/artifacts/user-behaviour/comdlg32_settings.yml similarity index 58% rename from artifacts/user-activity/comdlg32_settings.yml rename to artifacts/user-behaviour/comdlg32_settings.yml index 0bc5c6e..12bfec3 100644 --- a/artifacts/user-activity/comdlg32_settings.yml +++ b/artifacts/user-behaviour/comdlg32_settings.yml @@ -1,6 +1,6 @@ title: "Common Dialog Settings and File Browser History" -category: "user-activity" -description: "File dialog preferences, view settings, browsing behavior configuration, and dialog customization" +category: "user-behaviour" +description: "File dialog preferences, view settings, and browsing behavior configuration" paths: - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\CIDSizeMRU" 
@@ -10,24 +10,20 @@ paths: details: what: | - Common file dialog configuration encompasses window sizing preferences, last visited folders, - custom places bar shortcuts, initial folder settings, and file browser behavior across - different applications and file operation contexts. Manages user interface customization, - navigation preferences, and application-specific dialog settings for consistent user - experience across Windows applications and improved workflow efficiency. + Common file dialog configuration including window sizing preferences, last visited folders, + custom places bar shortcuts, and initial folder settings. Manages user interface + customization and navigation preferences across Windows applications. forensic_value: | - Provides detailed insights into user interaction patterns with file dialogs across multiple - applications, reveals preferred locations for file operations, shows evidence of file access - behaviors and workflow patterns. Critical for understanding user navigation habits, establishing - application usage patterns, and correlating file access activities with specific user - intentions and operational contexts throughout various software applications. + Provides insights into user interaction patterns with file dialogs across applications, + revealing preferred locations for file operations and workflow patterns. Critical for + understanding user navigation habits and correlating file access activities with user intentions. structure: | - CIDSizeMRU stores dialog sizing information organized by application executable names. - LastVisitedMRU maintains recent folder navigation history for file operations. PlacesBar - contains custom shortcuts displayed in file dialogs. FirstFolder tracks default starting - locations for different file types and applications with binary PIDL data structures. + CIDSizeMRU stores dialog sizing information by application executable names. + LastVisitedMRU maintains recent folder navigation history. 
PlacesBar contains custom + shortcuts displayed in file dialogs. FirstFolder tracks default starting locations + with binary PIDL data structures. examples: - "CIDSizeMRU\\\\notepad.exe: Dialog window size 800x600 (Notepad file dialog preferences)" @@ -52,6 +48,28 @@ details: - name: "PIDL Analyzer" description: "Tools for decoding Windows Shell Item Lists and folder references" +limitations: + - "Dialog settings do NOT prove files were accessed or operations performed" + - "Places bar shortcuts don't indicate actual folder usage or access" + - "Size preferences don't show successful file operations or document interactions" + - "Last visited entries may reflect browsing without file selection" + - "Custom shortcuts can exist without being used for file operations" + - "First folder settings don't prove files were opened from those locations" + - "Configuration may persist from previous users or system installations" + +correlation: + required_for_definitive_usage_proof: + - "File system access logs showing actual file operations in configured locations" + - "Application event logs showing dialog box usage and file selections" + - "Process execution logs confirming applications used these dialog settings" + - "Registry keys modified during actual file operations" + + strengthens_evidence: + - "OpenSaveMRU entries showing files accessed through these dialog configurations" + - "Recent documents correlating with places bar shortcuts and default folders" + - "ShellBags showing folder navigation patterns matching dialog preferences" + - "Jump Lists showing application usage correlating with dialog customizations" + metadata: windows_versions: - "Windows 95" @@ -65,7 +83,6 @@ metadata: - "Windows 11" introduced: "Windows 95" - criticality: "low" investigation_types: @@ -109,5 +126,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
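Review bot: the new `limitations` bullet "Configuration may persist from previous users or system installations" is wrong for these keys: everything under `HKCU\...\Explorer\ComDlg32` lives in the user's own NTUSER.DAT, so it only carries over when a profile is copied or migrated; reword it to say that. The `structure` text and `correlation` block also name only `LastVisitedMRU` and `OpenSaveMRU`; on Windows Vista and later the keys are `LastVisitedPidlMRU` and `OpenSavePidlMRU`, which is what an examiner of a modern image will actually find, so list both forms. Separately, the context line `CIDSizeMRU\\\\notepad.exe` has a doubled escape (four backslashes inside a double-quoted YAML string render as two), unlike the same example in acmru.yml.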
diff --git a/artifacts/cloud/dropbox_desktop.yml b/artifacts/user-behaviour/dropbox_desktop.yml similarity index 61% rename from artifacts/cloud/dropbox_desktop.yml rename to artifacts/user-behaviour/dropbox_desktop.yml index a0fe112..e895a64 100644 --- a/artifacts/cloud/dropbox_desktop.yml +++ b/artifacts/user-behaviour/dropbox_desktop.yml @@ -1,5 +1,5 @@ title: "Dropbox Desktop Client" -category: "cloud" +category: "user-behaviour" description: "Dropbox desktop application configuration, sync settings, and account management" paths: 
@@ -10,24 +10,21 @@ paths: details: what: | - Dropbox Desktop Client manages file synchronization configuration including sync folder - locations, account authentication, selective sync preferences, bandwidth controls, - and LAN sync settings. Registry stores installation paths, user credentials, team - folder configurations, and Smart Sync behavior for comprehensive cloud storage - management and collaborative file sharing across multiple devices and platforms. + Dropbox Desktop Client manages file synchronization configuration including sync + folder locations, account authentication, selective sync preferences, bandwidth + controls, and LAN sync settings. Registry stores installation paths, user credentials, + and team folder configurations. forensic_value: | - Essential for investigating data exfiltration through Dropbox, unauthorized file - sharing with external parties, and intellectual property theft. Shows evidence of - Dropbox usage patterns, shared folder access, team memberships, and potential data - leakage vectors. Can reveal deliberate data theft through personal Dropbox accounts - or unauthorized sharing of sensitive corporate information. + Essential for investigating data exfiltration through Dropbox and unauthorized file + sharing. Shows evidence of Dropbox usage patterns, shared folder access, team + memberships, and potential data leakage vectors. Can reveal deliberate data theft + through personal Dropbox accounts or unauthorized sharing of sensitive information. structure: | Dropbox configuration includes account identifiers, sync folder paths, selective sync exclusions, bandwidth settings, LAN sync preferences, and Smart Sync policies. - Team configuration shows business account integration, shared folder access, and - administrative controls for enterprise Dropbox management. + Team configuration shows business account integration and shared folder access. examples: - "DropboxPath: C:\\Users\\user\\Dropbox" 
@@ -43,10 +40,28 @@ details: description: "Built-in Dropbox configuration and account management" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Advanced registry analysis tool" - name: "Dropbox Business Admin Console" description: "Enterprise Dropbox monitoring and audit tools" +limitations: + - "Registry shows configuration only, not actual files synced or shared" + - "Account email doesn't prove active file synchronization occurred" + - "Selective sync settings may not reflect current folder exclusions" + - "Personal and business account mixing may obscure actual usage patterns" + +correlation: + required_for_definitive_conclusions: + - "Dropbox sync cache and metadata files" + - "File system artifacts showing Dropbox folder contents" + - "Network traffic logs showing Dropbox API communications" + - "Dropbox account activity logs from Dropbox servers" + + strengthens_evidence: + - "Timeline analysis of Dropbox folder file modifications" + - "User activity showing Dropbox application usage" + - "Email sharing notifications from Dropbox" + metadata: windows_versions: - "Windows 7" @@ -56,13 +71,13 @@ metadata: - "Windows 11" introduced: "Dropbox Desktop Client" - - criticality: "medium" + criticality: "high" investigation_types: - "data-exfiltration" - "insider-threat" - "behavioral-analysis" + - "incident-response" tags: - "dropbox" @@ -70,7 +85,6 @@ metadata: - "file-sharing" - "team-folders" - "smart-sync" - - "data-exfiltration" references: - title: "Dropbox Desktop App" @@ -84,7 +98,6 @@ metadata: related_artifacts: - "file_access_history" - - "browser_downloads" - "recent_documents" author: @@ -95,4 +108,4 @@ author: contribution: date_added: "2025-06-08" last_updated: "2025-06-08" - version: "1.0" + version: "3.0" 
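Review bot: "Dropbox account activity logs from Dropbox servers" is listed under `required_for_definitive_conclusions`, but that is provider-held data an examiner only gets through a legal request or the Business admin console; making it a hard requirement means most investigations can never reach a "definitive" conclusion by this file's own rules. Move it to `strengthens_evidence` and keep the locally recoverable items (sync cache and metadata files, file system artifacts in the Dropbox folder) as the required set. The `data-exfiltration` tag is removed here while `investigation_types` keeps `data-exfiltration`; fine if tags and investigation types are meant to be disjoint, but that convention should be stated in the schema.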
diff --git a/artifacts/user-activity/gaming_entertainment.yml b/artifacts/user-behaviour/gaming_entertainment.yml similarity index 59% rename from artifacts/user-activity/gaming_entertainment.yml rename to artifacts/user-behaviour/gaming_entertainment.yml index 1fc251e..1c20bb6 100644 --- a/artifacts/user-activity/gaming_entertainment.yml +++ b/artifacts/user-behaviour/gaming_entertainment.yml @@ -1,6 +1,6 @@ title: "Gaming and Entertainment System Configuration" -category: "user-activity" -description: "Xbox services, Game Bar settings, gaming performance optimization, and entertainment application usage" +category: "user-behaviour" +description: "Xbox services, Game Bar settings, and entertainment application usage" paths: - "HKCU\\Software\\Microsoft\\GameBar" 
@@ -11,24 +11,20 @@ paths: details: what: | - Windows gaming and entertainment infrastructure encompasses Xbox Live integration, Game Bar - functionality, game recording capabilities, gaming performance optimization, graphics settings, - and entertainment application preferences. Controls game mode behavior, screen recording, - social gaming features, and hardware acceleration for enhanced gaming experience and - multimedia consumption. + Windows gaming and entertainment infrastructure including Xbox Live integration, Game Bar + functionality, game recording capabilities, and gaming performance optimization. Controls + game mode behavior, screen recording, and social gaming features. forensic_value: | - Important for behavioral analysis, user profiling, and timeline reconstruction. Gaming - activity patterns can establish user presence, reveal social connections through gaming - platforms, and indicate system usage during specific timeframes. Game recordings and - screenshots may contain inadvertent evidence, while gaming-related network activity - can reveal communication patterns and social engineering opportunities. + Important for behavioral analysis and user profiling. Gaming activity patterns can establish + user presence and reveal social connections through gaming platforms. Game recordings and + screenshots may contain inadvertent evidence, while gaming-related network activity can + reveal communication patterns. structure: | - Game Bar configuration includes recording settings, hotkey assignments, overlay preferences, - and privacy controls. GameDVR manages game capture functionality, storage locations, and - recording quality settings. Xbox integration contains account information, social features, - and cloud gaming preferences. Graphics drivers control hardware acceleration and gaming optimizations. + Game Bar configuration includes recording settings, hotkey assignments, and overlay preferences. 
+ GameDVR manages game capture functionality and storage locations. Xbox integration contains + account information and social features. Graphics drivers control hardware acceleration. examples: - "GameBar\\AppCaptureEnabled: 1 (Game recording enabled)" @@ -53,13 +49,34 @@ details: - name: "Xbox Console Companion" description: "Xbox Live integration and social gaming features" +limitations: + - "Gaming configuration does NOT prove games were actually played" + - "Recording settings don't indicate actual game capture or recording activity" + - "Xbox account presence doesn't show active gaming or social interaction" + - "Game mode enablement doesn't prove gaming performance optimization was used" + - "Capture folder settings don't indicate recordings were created or saved" + - "Audio/video settings don't show actual multimedia capture occurred" + - "Graphics optimization settings don't prove enhanced gaming performance" + +correlation: + required_for_definitive_gaming_proof: + - "Game capture files showing actual recorded gameplay sessions" + - "Process execution logs showing gaming applications running" + - "Network traffic logs showing gaming service connections" + - "Xbox Live service logs showing account activity and social interactions" + + strengthens_evidence: + - "File system artifacts showing game installations and saved game files" + - "Registry keys modified by gaming applications during gameplay" + - "Browser history showing gaming website visits or account management" + - "Recent documents showing gaming-related files or screenshots" + metadata: windows_versions: - "Windows 10" - "Windows 11" introduced: "Windows 10" - criticality: "low" investigation_types: @@ -105,5 +122,5 @@ author: contribution: date_added: "2025-06-07" - last_updated: "2025-06-07" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" 
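Review bot: several new `limitations` bullets are not forensic limitations. "Graphics optimization settings don't prove enhanced gaming performance" and "Game mode enablement doesn't prove gaming performance optimization was used" describe performance outcomes nobody would try to prove from the registry; cut them so the list keeps only the inferences an examiner might wrongly draw (that a game was played, that a capture was made, that an account was used). The `required_for_definitive_gaming_proof` list also puts "Xbox Live service logs" alongside local evidence; as with the cloud-storage entries, provider-side logs belong under `strengthens_evidence` unless the examiner actually has them.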
diff --git a/artifacts/cloud/google_drive_desktop.yml b/artifacts/user-behaviour/google_drive_desktop.yml similarity index 61% rename from artifacts/cloud/google_drive_desktop.yml rename to artifacts/user-behaviour/google_drive_desktop.yml index 5d10259..8f17cd9 100644 --- a/artifacts/cloud/google_drive_desktop.yml +++ b/artifacts/user-behaviour/google_drive_desktop.yml @@ -1,5 +1,5 @@ title: "Google Drive Desktop Client" -category: "cloud" +category: "user-behaviour" description: "Google Drive for Desktop configuration, sync settings, and account information" paths: 
@@ -10,24 +10,21 @@ paths: details: what: | - Google Drive Desktop Client stores synchronization configuration including sync folder - locations, account authentication data, selective sync preferences, bandwidth settings, - and file stream configurations. Registry tracks installation paths, user accounts, - Google Workspace integration, backup settings, and Drive File Stream behavior for - comprehensive cloud storage management and file synchronization across devices. + Google Drive Desktop Client stores synchronization configuration including sync + folder locations, account authentication data, selective sync preferences, bandwidth + settings, and file stream configurations. Registry tracks installation paths, + user accounts, and Google Workspace integration. forensic_value: | - Critical for investigating data exfiltration through Google Drive, unauthorized file - sharing to personal accounts, and intellectual property theft. Shows evidence of - Google Drive usage patterns, synced folder locations, account associations, and - potential data leakage vectors. Can reveal deliberate or accidental exposure of - sensitive corporate data through personal Google accounts and unauthorized synchronization. + Critical for investigating data exfiltration through Google Drive and unauthorized + file sharing to personal accounts. Shows evidence of Google Drive usage patterns, + synced folder locations, account associations, and potential data leakage vectors. + Can reveal exposure of sensitive corporate data through personal Google accounts. structure: | Google Drive configuration includes account identifiers, sync root paths, selective sync folder lists, bandwidth throttling settings, and Drive File Stream mounting - options. Installation data provides version information, update preferences, and - integration settings for comprehensive Google Drive behavior analysis. + options. Installation data provides version information and integration settings. 
examples: - "SyncRootPath: C:\\Users\\user\\Google Drive" @@ -43,11 +40,29 @@ details: description: "Built-in Google Drive configuration interface" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Advanced registry analysis tool" - name: "Google Takeout" url: "https://takeout.google.com" description: "Google data export tool for comprehensive analysis" +limitations: + - "Registry shows configuration only, not actual files synced or shared" + - "Account presence doesn't prove active data synchronization occurred" + - "Selective sync settings may not reflect current folder selections" + - "Multiple account configurations may obscure actual usage patterns" + +correlation: + required_for_definitive_conclusions: + - "Google Drive sync logs and metadata files" + - "File system artifacts showing Google Drive folder contents" + - "Network traffic logs showing Google Drive API communications" + - "Google account activity logs from Google Admin Console" + + strengthens_evidence: + - "Timeline analysis of Google Drive folder file modifications" + - "User activity showing Google Drive application usage" + - "Gmail sharing notifications for Google Drive links" + metadata: windows_versions: - "Windows 7" @@ -57,13 +72,13 @@ metadata: - "Windows 11" introduced: "Google Drive Desktop (2021)" - - criticality: "medium" + criticality: "high" investigation_types: - "data-exfiltration" - "insider-threat" - "behavioral-analysis" + - "incident-response" tags: - "google-drive" @@ -71,7 +86,6 @@ metadata: - "data-sync" - "file-sharing" - "google-workspace" - - "data-exfiltration" references: - title: "Google Drive Desktop Documentation" @@ -84,7 +98,6 @@ metadata: volatility: "Sync activity provides ongoing data movement intelligence" related_artifacts: - - "browser_downloads" - "recent_documents" - "file_access_history" 
@@ -96,4 +109,4 @@ author: contribution: date_added: "2025-06-08" last_updated: "2025-06-08" - version: "1.0" + version: "3.0" diff --git a/artifacts/cloud/icloud.yml b/artifacts/user-behaviour/icloud.yml similarity index 68% rename from artifacts/cloud/icloud.yml rename to artifacts/user-behaviour/icloud.yml index d79eac9..b826a44 100644 --- a/artifacts/cloud/icloud.yml +++ b/artifacts/user-behaviour/icloud.yml @@ -1,5 +1,5 @@ title: "iCloud for Windows Client" -category: "cloud" +category: "user-behaviour" description: "iCloud for Windows configuration, Apple ID integration, and sync settings" paths: 
@@ -12,22 +12,20 @@ details: what: | iCloud for Windows enables synchronization between Windows computers and Apple's iCloud services including iCloud Drive, Photos, Mail, Contacts, Calendar, and - Bookmarks. Registry stores Apple ID authentication, sync preferences, storage - locations, and integration settings for seamless data sharing between Windows - and Apple ecosystem devices including iPhone, iPad, and Mac computers. + Bookmarks. Registry stores Apple ID authentication, sync preferences, and + storage locations for data sharing between Windows and Apple devices. forensic_value: | Important for investigating data synchronization between Windows systems and Apple devices, cross-platform data exfiltration, and unauthorized access to Apple - ecosystem data. Shows evidence of iCloud usage, Apple ID associations, synced - content types, and potential data leakage between corporate Windows systems and - personal Apple devices through iCloud synchronization. + ecosystem data. Shows evidence of iCloud usage and potential data leakage + between corporate Windows systems and personal Apple devices. structure: | iCloud configuration includes Apple ID credentials, sync service enablement (Drive, Photos, Mail, Contacts, Calendar), storage locations, and device associations. Integration settings control Windows Explorer and Outlook - synchronization with iCloud services for comprehensive cross-platform data management. + synchronization with iCloud services. examples: - "AppleID: user@icloud.com (Associated Apple ID)" 
@@ -43,9 +41,25 @@ details: description: "Built-in iCloud configuration and sync management" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Apple ID Account Management" - description: "Apple's account and device management portal" + description: "Advanced registry analysis tool" + +limitations: + - "Registry shows configuration only, not actual synced content or activity" + - "Enabled services don't prove active synchronization occurred" + - "Apple ID presence doesn't indicate frequency or volume of data sync" + - "Cross-platform sync may bypass traditional Windows logging" + +correlation: + required_for_definitive_conclusions: + - "iCloud Drive files and folders in Windows file system" + - "Apple device logs showing sync activity" + - "Network traffic logs showing iCloud communication" + - "Apple ID account activity logs from Apple" + + strengthens_evidence: + - "Timeline analysis of iCloud folder file modifications" + - "User activity showing iCloud application usage" + - "Mobile device connection artifacts" metadata: windows_versions: @@ -56,13 +70,12 @@ metadata: - "Windows 11" introduced: "iCloud for Windows" - criticality: "medium" investigation_types: - "data-exfiltration" - "behavioral-analysis" - - "timeline-analysis" + - "insider-threat" tags: - "icloud" @@ -84,8 +97,7 @@ metadata: related_artifacts: - "mobile_sync" - - "cross_platform_data" - - "cloud_integration" + - "file_associations" author: name: "Tonmoy Jitu" @@ -95,4 +107,4 @@ author: contribution: date_added: "2025-06-08" last_updated: "2025-06-08" - version: "1.0" + version: "3.0" diff --git a/artifacts/user-activity/jump_lists.yml b/artifacts/user-behaviour/jump_lists.yml similarity index 62% rename from artifacts/user-activity/jump_lists.yml rename to artifacts/user-behaviour/jump_lists.yml index 0dbff52..69502fa 100644 --- a/artifacts/user-activity/jump_lists.yml 
+++ b/artifacts/user-behaviour/jump_lists.yml @@ -1,6 +1,6 @@ title: "Jump Lists and Taskbar Recent Items" -category: "user-activity" -description: "Taskbar jump list configuration, recent items tracking, and privacy settings for application shortcuts" +category: "user-behaviour" +description: "Taskbar jump list configuration, recent items tracking, and privacy settings" paths: - "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" @@ -9,20 +9,20 @@ paths: details: what: | - Windows Jump Lists display recently accessed files, frequent destinations, and custom tasks for - applications pinned to the taskbar and Start menu. Registry settings control jump list behavior, - recent items tracking, privacy configurations, and the maximum number of items displayed. + Windows Jump Lists display recently accessed files, frequent destinations, and custom tasks + for applications pinned to the taskbar and Start menu. Registry settings control jump list + behavior, recent items tracking, and privacy configurations. forensic_value: | Jump list registry settings reveal if users disabled activity tracking to hide their behavior, shows privacy-conscious modifications, and indicates attempts to conceal file access patterns. While actual jump list data is stored in files, registry settings show configuration changes - that affect evidence preservation and user privacy choices during investigations. + that affect evidence preservation. structure: | Advanced Explorer settings include Start_TrackDocs (document tracking), Start_TrackProgs - (program tracking), JumpListItems_Maximum (item limits), Start_ShowRecentDocs (recent docs), - and TaskbarGlomLevel (taskbar grouping). Values stored as REG_DWORD with 1=enabled, 0=disabled. + (program tracking), JumpListItems_Maximum (item limits), and Start_ShowRecentDocs (recent docs). + Values stored as REG_DWORD with 1=enabled, 0=disabled. examples: - "Start_TrackDocs: 0 (Recent documents tracking disabled)" 
@@ -45,6 +45,28 @@ details: - name: "Taskbar and Start Menu Properties" description: "Windows built-in privacy settings configuration" +limitations: + - "Jump list settings do NOT show what files or programs were actually accessed" + - "Disabled tracking doesn't prevent all activity logging by other Windows components" + - "Configuration changes don't indicate when actual jump list usage occurred" + - "Privacy settings may be overridden by group policy or system administrators" + - "Maximum item settings don't show actual jump list contents or usage" + - "Tracking disablement may not be user-initiated (could be system default)" + - "Settings don't reveal the effectiveness of privacy attempts" + +correlation: + required_for_definitive_usage_proof: + - "Jump list files showing actual recently accessed items and applications" + - "Process execution logs showing applications that would populate jump lists" + - "File system artifacts showing document access correlating with jump list settings" + - "Windows Event Logs showing application launch patterns" + + strengthens_evidence: + - "Recent documents registry entries showing file access despite disabled tracking" + - "ShellBags showing folder navigation correlating with jump list preferences" + - "UserAssist entries showing program execution despite disabled program tracking" + - "OpenSaveMRU entries showing file operations independent of jump list settings" + metadata: windows_versions: - "Windows 7" @@ -54,12 +76,12 @@ metadata: - "Windows 11" introduced: "Windows 7" - criticality: "medium" investigation_types: - "behavioral-analysis" - "timeline-analysis" + - "anti-forensics" tags: - "jump-lists" @@ -96,5 +118,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/user-activity/microsoft_store.yml b/artifacts/user-behaviour/microsoft_store.yml similarity index 63% rename from artifacts/user-activity/microsoft_store.yml rename to artifacts/user-behaviour/microsoft_store.yml index 725ad67..de0eb3e 100644 --- a/artifacts/user-activity/microsoft_store.yml +++ b/artifacts/user-behaviour/microsoft_store.yml @@ -1,5 +1,5 @@ title: "Microsoft Store and UWP Applications" -category: "user-activity" +category: "user-behaviour" description: "Universal Windows Platform app packages, Store configuration, and modern application management" paths: 
@@ -11,22 +11,20 @@ paths: details: what: | Microsoft Store and Universal Windows Platform (UWP) application ecosystem including installed - app packages, package registrations, Store configuration settings, app container security - configurations, and sideloading permissions. Manages modern Windows application deployment, - updates, licensing, and sandboxed execution environment for enhanced security and user experience. + app packages, package registrations, Store configuration settings, and app container security + configurations. Manages modern Windows application deployment, updates, and licensing. forensic_value: | Critical for analyzing modern app usage patterns, identifying sideloaded applications that - bypass Store security mechanisms, detecting unauthorized app installations, and investigating - app-based data exfiltration or malicious activities. Shows evidence of enterprise app deployments, - developer mode enabling, and potential security bypasses through sideloading or app container - escape techniques used by sophisticated attackers. + bypass Store security mechanisms, and detecting unauthorized app installations. Shows evidence + of enterprise app deployments, developer mode enabling, and potential security bypasses through + sideloading or app container escape techniques. structure: | Package registration data organized by package full names including publisher information, - installation paths, security descriptors, and app capabilities. Store configuration includes - installation policies, update settings, and purchase restrictions. AppX deployment information - contains package metadata, installation locations, and app container security configurations. + installation paths, and security descriptors. Store configuration includes installation + policies and update settings. AppX deployment information contains package metadata and + app container security configurations. 
examples: - "Package\\Microsoft.WindowsCalculator_10.2103.8.0_x64__8wekyb3d8bbwe: Calculator app package" @@ -50,6 +48,28 @@ details: - name: "Windows Package Manager (winget)" description: "Command-line package management tool" +limitations: + - "App package registration does NOT prove applications were actually used or executed" + - "Store configuration doesn't indicate successful app installations or updates" + - "Package metadata doesn't show application launch frequency or usage patterns" + - "Developer mode settings don't prove sideloading actually occurred" + - "App container configurations don't indicate security bypass attempts" + - "Installation paths don't show application execution or user interaction" + - "Package versions don't indicate when apps were last used or accessed" + +correlation: + required_for_definitive_usage_proof: + - "Process execution logs showing UWP applications actually running" + - "Windows Event Logs showing app launch and usage activity" + - "File system artifacts showing app data creation and user interaction" + - "UserAssist entries showing UWP application execution statistics" + + strengthens_evidence: + - "Recent documents showing files created or accessed by UWP applications" + - "Registry keys modified by UWP apps during execution" + - "Jump Lists showing UWP application usage patterns" + - "Network connections initiated by UWP applications" + metadata: windows_versions: - "Windows 8" @@ -62,12 +82,12 @@ metadata: - "Windows Server 2022" introduced: "Windows 8" - criticality: "medium" investigation_types: - "behavioral-analysis" - "data-exfiltration" + - "malware-analysis" tags: - "microsoft-store" @@ -104,5 +124,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/user-activity/search_history.yml b/artifacts/user-behaviour/search_history.yml similarity index 65% rename from artifacts/user-activity/search_history.yml rename to artifacts/user-behaviour/search_history.yml index fe91016..ff27609 100644 --- a/artifacts/user-activity/search_history.yml +++ b/artifacts/user-behaviour/search_history.yml @@ -1,6 +1,6 @@ title: "Windows Search Index and Configuration" -category: "user-activity" -description: "Windows Search service configuration, indexed locations, search preferences, and indexing behavior" +category: "user-behaviour" +description: "Windows Search service configuration, indexed locations, and search preferences" paths: - "HKLM\\SOFTWARE\\Microsoft\\Windows Search" 
@@ -11,23 +11,21 @@ paths: details: what: | - Windows Search service maintains comprehensive configuration for file indexing, search behavior, - crawl scope management, and search preferences. Controls which files and locations are searchable, - file type filters, search result preferences, privacy settings, and indexing service behavior - for both local and network resources. + Windows Search service maintains comprehensive configuration for file indexing, search + behavior, crawl scope management, and search preferences. Controls which files and locations + are searchable, file type filters, search result preferences, and privacy settings for + both local and network resources. forensic_value: | Critical for understanding user search patterns, data access intentions, and information-seeking - behavior. Shows what locations were indexed for search capabilities, reveals search preferences - that might indicate user intent to hide or find specific data types, and provides insights - into file access patterns through search functionality. Configuration changes may indicate - attempts to hide data from search or expand search capabilities for data discovery. + behavior. Shows what locations were indexed for search capabilities and reveals search + preferences that might indicate user intent to hide or find specific data types. Configuration + changes may indicate attempts to hide data from search. structure: | Search configuration includes indexed location rules (CrawlScopeManager), file type filters, - search preferences, service status, and privacy settings. CrawlScopeManager contains inclusion - and exclusion rules with scope definitions for local drives, network paths, and specific - folders. Preferences control search behavior, history, and result display options. + search preferences, and privacy settings. CrawlScopeManager contains inclusion and exclusion + rules with scope definitions for local drives, network paths, and specific folders. 
examples: - "IndexedLocations: C:\\Users\\user\\Documents" @@ -52,6 +50,28 @@ details: - name: "Windows Search Configuration Analyzer" description: "Third-party tools for comprehensive search settings analysis" +limitations: + - "Search configuration does NOT prove search functionality was actually used" + - "Indexed locations don't indicate files were searched for or found" + - "Privacy settings don't show what search queries were made" + - "Excluded paths don't prove files were hidden intentionally" + - "Indexing service status doesn't indicate search activity occurred" + - "File type filters don't show specific files were indexed or searched" + - "Network indexing settings don't prove network resources were accessed" + +correlation: + required_for_definitive_usage_proof: + - "Windows Search index files showing actual indexed content" + - "Event logs showing search service activity and query processing" + - "WordWheelQuery registry entries showing actual search terms" + - "Process execution logs showing Windows Search service activity" + + strengthens_evidence: + - "Recent documents showing files that match indexed locations" + - "File system access logs showing activity in indexed directories" + - "Application usage patterns correlating with search configuration" + - "Registry keys modified during search service configuration" + metadata: windows_versions: - "Windows Vista" @@ -67,7 +87,6 @@ metadata: - "Windows Server 2022" introduced: "Windows Vista" - criticality: "medium" investigation_types: @@ -76,6 +95,7 @@ metadata: - "incident-response" - "timeline-analysis" - "insider-threat" + - "anti-forensics" tags: - "search" @@ -116,5 +136,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/user-activity/vlc_player.yml b/artifacts/user-behaviour/vlc_player.yml similarity index 53% rename from artifacts/user-activity/vlc_player.yml rename to artifacts/user-behaviour/vlc_player.yml index 3750895..8721391 100644 --- a/artifacts/user-activity/vlc_player.yml +++ b/artifacts/user-behaviour/vlc_player.yml @@ -1,5 +1,5 @@ title: "VLC Media Player Usage and Media History" -category: "user-activity" +category: "user-behaviour" description: "VLC player configuration, recent media files, playlists, and playback history" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - VLC Media Player stores configuration including recent media files, playlists, - playback preferences, subtitle settings, and file associations. Registry tracks - media consumption patterns, network streaming usage, codec preferences, and - interface customizations for comprehensive media player behavior analysis - and user media consumption activity tracking. + VLC Media Player stores configuration including recent media files, playlists, playback + preferences, subtitle settings, and file associations. Registry tracks media consumption + patterns, network streaming usage, codec preferences, and interface customizations for + comprehensive media player behavior analysis. forensic_value: | - Important for investigating media consumption patterns, potential copyright - violations, network streaming activity, and evidence of specific media file - access. Shows evidence of video/audio content consumption, network media - streaming, and can reveal timeline information about user media activities. - Useful for behavioral analysis and establishing user presence/activity patterns. + Important for investigating media consumption patterns, potential copyright violations, + network streaming activity, and evidence of specific media file access. Shows evidence + of video/audio content consumption, network media streaming, and can reveal timeline + information about user media activities. Useful for behavioral analysis. structure: | - VLC configuration includes recent media lists, interface preferences, codec - settings, network stream URLs, subtitle configurations, and file association - data. Recent items show media file paths, network streams, and access timestamps - for comprehensive media consumption analysis and user behavior profiling. + VLC configuration includes recent media lists, interface preferences, codec settings, + network stream URLs, subtitle configurations, and file association data. 
Recent items + show media file paths, network streams, and access timestamps for comprehensive media + consumption analysis and user behavior profiling. examples: - "RecentMRL: file:///C:/Users/user/Videos/suspicious_video.mp4" @@ -46,6 +44,28 @@ details: - name: "Media Forensics Tools" description: "Specialized tools for media file analysis and metadata extraction" +limitations: + - "VLC configuration does NOT prove media files were actually played or viewed" + - "Recent media lists don't indicate successful media playback or completion" + - "Network stream URLs don't prove streams were accessed or viewed" + - "Codec settings don't show media content was successfully decoded or played" + - "File associations don't indicate media files were opened through VLC" + - "Playlist settings don't prove playlists were created or used" + - "Interface preferences don't show active media consumption occurred" + +correlation: + required_for_definitive_usage_proof: + - "Media files showing actual playback activity or access times" + - "Process execution logs showing VLC application startup and media processing" + - "Network traffic logs showing media streaming activity" + - "File system access logs showing media file operations" + + strengthens_evidence: + - "Recent documents showing media files accessed outside VLC" + - "Registry keys modified during media playback operations" + - "Thumbnail cache entries showing media file previews" + - "ShellBags showing folder navigation to media file locations" + metadata: windows_versions: - "Windows XP" @@ -95,5 +115,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/user-activity/voice_recorder.yml b/artifacts/user-behaviour/voice_recorder.yml similarity index 52% rename from artifacts/user-activity/voice_recorder.yml rename to artifacts/user-behaviour/voice_recorder.yml index b30858f..83fda09 100644 
--- a/artifacts/user-activity/voice_recorder.yml +++ b/artifacts/user-behaviour/voice_recorder.yml @@ -1,5 +1,5 @@ title: "Voice Recorder Application Activity" -category: "user-activity" +category: "user-behaviour" description: "Windows Voice Recorder usage, recording locations, and audio capture settings" paths: 
@@ -9,24 +9,22 @@ paths: details: what: | - Windows Voice Recorder application stores configuration data including recording - quality settings, file save locations, application preferences, and usage statistics. - Registry tracks app positioning, window states, recently used settings, and - integration preferences for audio recording functionality built into Windows - for voice memos, interviews, and audio capture purposes. + Windows Voice Recorder application stores configuration data including recording quality + settings, file save locations, application preferences, and usage statistics. Registry + tracks app positioning, window states, recently used settings, and integration preferences + for audio recording functionality built into Windows. forensic_value: | - Provides evidence of audio recording activity that could indicate surveillance, - interview recording, voice memo creation, or audio evidence capture. Shows - usage patterns, recording preferences, and potential evidence of covert recording - activities. Can reveal user behavior related to audio documentation, meeting - recording, or evidence preservation activities during investigations. + Provides evidence of audio recording activity that could indicate surveillance, interview + recording, voice memo creation, or audio evidence capture. Shows usage patterns, recording + preferences, and potential evidence of covert recording activities. Can reveal user behavior + related to audio documentation or evidence preservation. structure: | - SoundRecorder entries include recording quality preferences, default save - locations, application window positioning, and recent file access patterns. - ApplicationFrame data tracks window positions and application state information. - UWP app registration contains installation and permission data. + SoundRecorder entries include recording quality preferences, default save locations, + application window positioning, and recent file access patterns. 
ApplicationFrame data + tracks window positions and application state information. UWP app registration contains + installation and permission data. examples: - "LastOpenedFile: C:\\Users\\user\\Documents\\Recording.m4a" @@ -44,6 +42,28 @@ details: - name: "Audio Forensics Tools" description: "Specialized tools for audio file analysis and metadata extraction" +limitations: + - "Voice Recorder configuration does NOT prove audio recordings were actually made" + - "Quality settings don't indicate successful recording operations occurred" + - "Save locations don't show audio files were created or stored" + - "Application positioning doesn't prove the app was actively used" + - "Recent file entries don't indicate recordings were played or accessed" + - "Auto-save settings don't show automatic recording functionality was used" + - "Permission data doesn't prove microphone access was granted or used" + +correlation: + required_for_definitive_recording_proof: + - "Audio files showing actual recordings created by Voice Recorder" + - "Process execution logs showing Voice Recorder application startup and activity" + - "File system artifacts showing audio file creation and storage" + - "Windows Event Logs showing microphone access and usage" + + strengthens_evidence: + - "Recent documents showing audio files created during Voice Recorder usage" + - "Registry keys modified during recording operations" + - "File system timestamps showing audio file creation correlating with app usage" + - "Privacy settings showing microphone permissions granted to Voice Recorder" + metadata: windows_versions: - "Windows 8" @@ -52,11 +72,11 @@ metadata: - "Windows 11" introduced: "Windows 8" - criticality: "medium" investigation_types: - "behavioral-analysis" + - "incident-response" tags: - "voice-recorder" @@ -88,5 +108,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" 
diff --git a/artifacts/user-activity/windows_spotlight.yml b/artifacts/user-behaviour/windows_spotlight.yml similarity index 53% rename from artifacts/user-activity/windows_spotlight.yml rename to artifacts/user-behaviour/windows_spotlight.yml index d63a1af..713a502 100644 --- a/artifacts/user-activity/windows_spotlight.yml +++ b/artifacts/user-behaviour/windows_spotlight.yml @@ -1,5 +1,5 @@ title: "Windows Spotlight and Lock Screen Data" -category: "user-activity" +category: "user-behaviour" description: "Lock screen personalization, Windows Spotlight content, and user interaction tracking" paths: 
@@ -10,24 +10,22 @@ paths: details: what: | - Windows Spotlight manages lock screen background images, suggested content, tips and - tricks, app suggestions, and personalization features. Registry tracks user interactions - with spotlight content, downloaded image metadata, content preferences, and engagement - metrics. Controls automatic content updates, cloud-sourced backgrounds, and - personalized recommendations based on user behavior patterns. + Windows Spotlight manages lock screen background images, suggested content, tips and tricks, + app suggestions, and personalization features. Registry tracks user interactions with + spotlight content, downloaded image metadata, content preferences, and engagement metrics. + Controls automatic content updates and cloud-sourced backgrounds. forensic_value: | - Reveals user behavior patterns, content interaction history, and system usage - characteristics. Shows evidence of user engagement with system features, potential - indicators of user presence and activity, and timeline information for system - access patterns. Can indicate user preferences, system interaction levels, and - provide context for user behavior analysis during investigations. + Reveals user behavior patterns, content interaction history, and system usage characteristics. + Shows evidence of user engagement with system features, potential indicators of user presence + and activity, and timeline information for system access patterns. Can indicate user + preferences and provide context for user behavior analysis. structure: | - ContentDeliveryManager contains feature enablement flags, content subscription - settings, interaction counters, and download preferences. Lock Screen entries - include image sources, update frequencies, and user customization preferences. - Binary values track engagement metrics and content delivery statistics. 
+ ContentDeliveryManager contains feature enablement flags, content subscription settings, + interaction counters, and download preferences. Lock Screen entries include image sources, + update frequencies, and user customization preferences. Binary values track engagement + metrics and content delivery statistics. examples: - "RotatingLockScreenEnabled: 1 (Windows Spotlight enabled)" @@ -46,13 +44,34 @@ details: - name: "Group Policy Editor" description: "Enterprise control over Windows Spotlight and content delivery" +limitations: + - "Spotlight configuration does NOT prove content was actually viewed or interacted with" + - "Enabled features don't indicate user engagement or attention to spotlight content" + - "Content subscriptions don't show content was downloaded or displayed" + - "Lock screen settings don't prove user saw or interacted with lock screen images" + - "App suggestions don't indicate suggested apps were installed or used" + - "Tips and tricks settings don't show tips were read or followed" + - "Interaction counters may reflect automatic system behavior rather than user action" + +correlation: + required_for_definitive_interaction_proof: + - "Spotlight image cache files showing downloaded content" + - "Windows Event Logs showing user logon/logoff activity at lock screen" + - "Network traffic logs showing content downloads from Microsoft servers" + - "User interface interaction logs showing lock screen engagement" + + strengthens_evidence: + - "User account activity showing lock screen interaction patterns" + - "System personalization settings showing user customization preferences" + - "Application installation logs correlating with app suggestions" + - "File system artifacts showing Spotlight content storage and access" + metadata: windows_versions: - "Windows 10" - "Windows 11" introduced: "Windows 10" - criticality: "low" investigation_types: 
@@ -89,5 +108,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/user-activity/wordwheel_query.yml b/artifacts/user-behaviour/wordwheel_query.yml similarity index 74% rename from artifacts/user-activity/wordwheel_query.yml rename to artifacts/user-behaviour/wordwheel_query.yml index 54c630f..bf42d4d 100644 --- a/artifacts/user-activity/wordwheel_query.yml +++ b/artifacts/user-behaviour/wordwheel_query.yml @@ -1,5 +1,5 @@ title: "Start Menu Search History (WordWheelQuery)" -category: "user-activity" +category: "user-behaviour" description: "Windows Start menu search queries, typed terms, and search autocomplete history" paths: @@ -17,13 +17,13 @@ details: system utilities users were searching for. Can show evidence of attempts to find specific tools for malicious purposes, searches for confidential information, administrative utilities, or attempts to locate and execute suspicious programs. Provides direct insight into user - behavior patterns and investigative leads for further analysis. + behavior patterns. structure: | Sequential numbered values (0, 1, 2, etc.) containing search terms as REG_SZ data. MRUListEx value shows search chronology with most recent searches listed first. Search terms persist across user sessions and system reboots, maintaining complete - search history until manually cleared or overwritten by new searches. + search history until manually cleared or overwritten. examples: - "0: cmd (Command Prompt search)" 
@@ -51,6 +51,28 @@ details: url: "https://www.nirsoft.net/utils/computer_activity_view.html" description: "Computer activity tracking including search history" +limitations: + - "Search queries do NOT prove search results were accessed or executed" + - "Search terms don't indicate successful application launch or file access" + - "Administrative tool searches don't prove system configuration was modified" + - "File searches don't show files were found, opened, or accessed" + - "Malicious-looking searches don't prove malicious activity occurred" + - "Query chronology doesn't indicate search result selection or usage" + - "Search history doesn't show search success or failure" + +correlation: + required_for_definitive_execution_proof: + - "Process execution logs showing programs launched after searches" + - "UserAssist entries showing application usage correlating with search terms" + - "Recent documents showing files accessed after file searches" + - "Run dialog history showing commands executed after searches" + + strengthens_evidence: + - "ShimCache entries showing program access attempts matching search queries" + - "Registry modifications correlating with administrative tool searches" + - "File system access logs showing activity after file searches" + - "OpenSaveMRU entries showing file operations correlating with search activity" + metadata: windows_versions: - "Windows Vista" @@ -61,7 +83,6 @@ metadata: - "Windows 11" introduced: "Windows Vista" - criticality: "high" investigation_types: @@ -69,6 +90,7 @@ metadata: - "malware-analysis" - "insider-threat" - "timeline-analysis" + - "program-execution" tags: - "search-history" @@ -110,5 +132,5 @@ author: contribution: date_added: "2025-01-15" - last_updated: "2025-01-15" - version: "2.0" + last_updated: "2025-06-12" + version: "3.0" 
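Review bot: In the wordwheel_query.yml metadata hunk, adding "program-execution" to investigation_types reads oddly against the new limitations in the same file, which say search queries do NOT prove execution or launch; either drop the tag or reword the limitation so the tag is understood as a lead toward execution evidence rather than proof of it. In the correlation block, "Run dialog history showing commands executed after searches" overstates what RunMRU records: it stores what was typed into the Run box, not whether the command actually ran, so "typed" fits better than "executed".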
diff --git a/artifacts/execution/docker.yml b/artifacts/virtualization/docker.yml similarity index 57% rename from artifacts/execution/docker.yml rename to artifacts/virtualization/docker.yml index 60b3fcc..bdfe173 100644 --- a/artifacts/execution/docker.yml +++ b/artifacts/virtualization/docker.yml 
@@ -10,24 +10,19 @@ paths: details: what: | - Docker Desktop manages container development including container creation, - image management, volume mounting, and network configuration. Registry stores - installation settings, runtime preferences, resource allocations, and integration - configurations for comprehensive containerized development environment analysis - and modern application deployment workflow tracking. + Docker Desktop configuration for container development including container creation, + image management, volume mounting, and network configuration. Registry stores installation + settings, runtime preferences, and resource allocations. forensic_value: | - Important for investigating containerized application development, potential - isolation bypass attempts, container-based malware analysis, and modern - development workflows. Shows evidence of container usage, image downloads, - development environment setups, and can reveal container-based data exfiltration, - isolated development activities, and advanced development practices. + Important for investigating containerized application development, potential isolation bypass + attempts, and container-based malware analysis. Shows evidence of container usage, image downloads, + and can reveal container-based data exfiltration or isolated development activities. structure: | - Docker Desktop configuration includes installation paths, resource settings, - container runtime preferences, volume mount configurations, and network - settings. Container registry tracks image repositories, development workflows, - and containerization activities for comprehensive container platform analysis. + Docker Desktop configuration includes installation paths, resource settings, container runtime + preferences, volume mount configurations, and network settings. Container registry tracks + image repositories and development workflows. examples: - "InstallPath: C:\\Program Files\\Docker\\Docker\\Docker Desktop.exe" 
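Review bot: forensic_value in this docker.yml hunk still sells the artifact for "container-based malware analysis", while the later hunk in the same file removes "malware-analysis" from investigation_types and adds "anti-forensics"; keep the two consistent by either retaining the tag or dropping the claim from the prose.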
@@ -47,19 +42,39 @@ details: url: "https://ericzimmerman.github.io/#!index.md" description: "Advanced registry analysis and browsing tool" +limitations: + - "Docker registry configuration does NOT prove containers were created or executed" + - "Installation presence doesn't indicate active container development or deployment" + - "Resource allocation settings don't show what containers actually used resources" + - "File sharing configuration doesn't prove files were shared with containers" + - "Drive sharing settings don't indicate data was accessed from containers" + - "Kubernetes integration settings don't prove orchestration was used" + - "WSL2 backend configuration doesn't show Linux containers were run" + +correlation: + required_for_definitive_execution_proof: + - "Docker daemon logs showing container creation and execution" + - "Process execution logs showing docker.exe commands" + - "File system artifacts showing Docker images and container files" + - "Network logs showing container communication" + + strengthens_evidence: + - "WSL configuration artifacts for Docker backend" + - "Development tools artifacts showing container integration" + - "File modifications in shared directories indicating container access" + metadata: windows_versions: - "Windows 10" - "Windows 11" introduced: "Docker Desktop for Windows" - criticality: "medium" investigation_types: - - "malware-analysis" - "behavioral-analysis" - "incident-response" + - "anti-forensics" tags: - "docker" @@ -92,5 +107,5 @@ author: contribution: date_added: "2025-06-08" - last_updated: "2025-06-08" - version: "1.0" + last_updated: "2025-06-12" + version: "3.0" diff --git a/artifacts/virtualization/hyperv.yml b/artifacts/virtualization/hyperv.yml index b379e54..d7efa5d 100644 --- a/artifacts/virtualization/hyperv.yml +++ b/artifacts/virtualization/hyperv.yml 
@@ -10,24 +10,22 @@ paths: details: what: | - Windows virtualization infrastructure encompasses Hyper-V hypervisor configuration, virtual - machine management service settings, container runtime support, hardware virtualization - capabilities, and security features including Virtualization-Based Security (VBS) and - Device Guard. Controls hypervisor operation, VM isolation, container orchestration, - and virtualization-enhanced security mechanisms for enterprise and development environments. + Windows virtualization infrastructure includes Hyper-V hypervisor configuration, + virtual machine management service settings, container runtime support, and + security features including Virtualization-Based Security (VBS) and Device Guard. + Controls hypervisor operation, VM isolation, and virtualization-enhanced security. forensic_value: | - Critical for investigating virtualization-based attacks, VM escape attempts, container - security incidents, and virtualization technology abuse for malware evasion. Shows - evidence of virtual machine usage that could hide malicious activity, reveals virtualization - configurations that may facilitate advanced persistent threats, and indicates attempts - to bypass security controls through virtualization technologies. + Critical for investigating virtualization-based attacks, VM escape attempts, + container security incidents, and virtualization technology abuse for malware + evasion. Shows evidence of virtual machine usage that could hide malicious + activity and indicates attempts to bypass security controls through virtualization. structure: | - Virtualization configuration includes hypervisor enablement status, VM management service - settings, virtual switch configurations, security policy enforcement, and hardware - virtualization capabilities. DeviceGuard contains Virtualization-Based Security settings, - hypervisor-protected code integrity, and credential guard configurations for enhanced security. 
+ Virtualization configuration includes hypervisor enablement status, VM management + service settings, virtual switch configurations, and security policy enforcement. + DeviceGuard contains Virtualization-Based Security settings, hypervisor-protected + code integrity, and credential guard configurations. examples: - "Virtualization\\HypervisorEnforced: 1 (Hypervisor-based security active)" @@ -46,11 +44,28 @@ details: description: "Windows feature enablement including Hyper-V and containers" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Advanced registry analysis tool" - name: "PowerShell Hyper-V Module" description: "PowerShell cmdlets for Hyper-V management and analysis" - - name: "Virtual Machine Security Scanner" - description: "Tools for analyzing virtualization security configuration" + +limitations: + - "Registry shows feature enablement only, not actual VM creation or usage" + - "Hyper-V enabled doesn't prove virtual machines were actively used" + - "VBS settings show configuration, not actual security enforcement activity" + - "Service settings don't indicate VM management operations occurred" + +correlation: + required_for_definitive_conclusions: + - "Hyper-V event logs showing VM operations" + - "Virtual machine files (.vhd, .vhdx, .vmcx)" + - "Process execution logs showing vmms.exe activity" + - "File system artifacts showing VM storage locations" + - "Network logs showing virtual switch traffic" + + strengthens_evidence: + - "Timeline analysis of Hyper-V feature enablement" + - "User activity showing Hyper-V Manager usage" + - "Performance monitoring showing VM resource usage" metadata: windows_versions: @@ -65,7 +80,6 @@ metadata: - "Windows 11" introduced: "Windows Server 2008 (Hyper-V)" - criticality: "high" investigation_types: 
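Review bot: In the hyperv.yml correlation block, "Process execution logs showing vmms.exe activity" is weak evidence of VM use: vmms.exe is the Virtual Machine Management Service and runs whenever the Hyper-V role is enabled, whether or not a VM was ever created. The per-VM worker process vmwp.exe, and the Hyper-V-VMMS and Hyper-V-Worker event channels, are what show a VM actually started; "Hyper-V event logs showing VM operations" should name the channel it means.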
@@ -73,9 +87,9 @@ metadata: - "incident-response" - "behavioral-analysis" - "privilege-escalation" + - "anti-forensics" tags: - - "virtualization" - "hyper-v" - "containers" - "vm-security" @@ -101,10 +115,9 @@ metadata: volatility: "VM and container settings affect ongoing virtualization security posture" related_artifacts: + - "windows_containers" - "boot_configuration" - "security_policy" - - "hardware_devices" - - "performance_monitoring" author: name: "Tonmoy Jitu" @@ -114,4 +127,4 @@ author: contribution: date_added: "2025-01-15" last_updated: "2025-01-15" - version: "2.0" + version: "3.0" diff --git a/artifacts/virtualization/oracle_virtual_box.yml b/artifacts/virtualization/oracle_virtual_box.yml index 4936532..7283721 100644 --- a/artifacts/virtualization/oracle_virtual_box.yml +++ b/artifacts/virtualization/oracle_virtual_box.yml 
@@ -13,21 +13,19 @@ details: Oracle VirtualBox manages free desktop virtualization including virtual machine creation, hardware emulation, network configuration, and hypervisor management. Registry stores VM definitions, guest operating system configurations, shared - folder settings, snapshot management, and virtualization preferences for - comprehensive open-source virtualization platform analysis and virtual environment tracking. + folder settings, and snapshot management. forensic_value: | Critical for investigating virtual machine usage in security research, malware analysis, evidence isolation, and potential evasion techniques using free virtualization software. Shows evidence of VM creation, guest OS installations, - network isolation setups, and can indicate attempts to conceal activities - through virtualized environments or use VMs for malicious testing and analysis. + and network isolation setups that could conceal activities. structure: | VirtualBox configuration includes virtual machine registry data, guest additions status, network adapter settings, shared folder configurations, and snapshot - information. VM entries track hardware allocations, ISO mounting history, and - virtual device assignments for comprehensive VirtualBox usage analysis and security assessment. + information. VM entries track hardware allocations, ISO mounting history, + and virtual device assignments. examples: - "InstallDir: C:\\Program Files\\Oracle\\VirtualBox" 
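Review bot: The `what` and `structure` text kept in this oracle_virtual_box.yml hunk still say the Windows Registry stores VM definitions, shared folder settings, snapshot management and ISO mounting history. VirtualBox keeps those in VirtualBox.xml and the per-VM .vbox files under the user's profile; the registry holds installer data such as the InstallDir value the example shows. Reword so the registry artifact is limited to installation and version information and point readers to the XML files for VM configuration.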
@@ -46,9 +44,27 @@ details: description: "VirtualBox command-line management utility" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "VirtualBox Guest Additions" - description: "Enhanced VM integration and shared folder management" + description: "Advanced registry analysis tool" + +limitations: + - "Registry shows configuration only, not actual VM usage or guest OS activity" + - "Recent VM list doesn't prove virtual machines were actively used" + - "Shared folder mappings don't indicate actual file transfers occurred" + - "Guest additions presence doesn't prove VM integration was used" + - "Kali Linux VMs suggest penetration testing but don't prove malicious activity" + +correlation: + required_for_definitive_conclusions: + - "VirtualBox log files showing actual VM operations" + - "Virtual machine disk files (.vdi, .vmdk, .vhd)" + - "Process execution logs showing VirtualBox.exe activity" + - "File system artifacts in shared folder locations" + - "Network traffic logs showing VM communications" + + strengthens_evidence: + - "Timeline analysis of VM creation and configuration changes" + - "User activity showing VirtualBox Manager usage" + - "File operations in VM storage directories" metadata: windows_versions: @@ -61,18 +77,17 @@ metadata: - "Windows 11" introduced: "Oracle VirtualBox" - criticality: "medium" investigation_types: - "malware-analysis" - "incident-response" - "behavioral-analysis" + - "anti-forensics" tags: - "virtualbox" - "oracle" - - "virtualization" - "virtual-machines" - "free-hypervisor" - "isolation" 
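Review bot: In the correlation block of this hunk, "Process execution logs showing VirtualBox.exe activity" only shows the manager GUI was opened; a running VM appears as VirtualBoxVM.exe (VBoxHeadless.exe when started headless) with VBoxSVC.exe as the broker, so list those processes if the intent is proof that a VM ran. The "VirtualBox log files" entry should name VBox.log in the VM's Logs directory for the same reason.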
@@ -89,13 +104,11 @@ metadata: retention: default_location: "Registry hive files (SOFTWARE, NTUSER.DAT)" persistence: "VM configurations and settings persist until manual deletion or software removal" - volatility: "Virtual machine usage patterns provide evidence of virtualization activities and security research" + volatility: "Virtual machine usage patterns provide evidence of virtualization activities" related_artifacts: - - "virtualization_settings" - - "vmware_workstation" - - "isolation_environments" - - "malware_analysis_tools" + - "vmware" + - "hyperv" author: name: "Tonmoy Jitu" @@ -105,4 +118,4 @@ author: contribution: date_added: "2025-06-08" last_updated: "2025-06-08" - version: "1.0" + version: "3.0" diff --git a/artifacts/virtualization/vmware.yml b/artifacts/virtualization/vmware.yml index e16ad52..3071480 100644 --- a/artifacts/virtualization/vmware.yml +++ b/artifacts/virtualization/vmware.yml 
@@ -12,22 +12,19 @@ details: what: | VMware Workstation and Player manage desktop virtualization including virtual machine creation, hardware configuration, network settings, and hypervisor - management. Registry stores VM configurations, licensing information, performance - settings, and virtual hardware preferences for comprehensive virtualization - platform analysis and virtual environment management tracking. + management. Registry stores VM configurations, licensing information, + performance settings, and virtual hardware preferences. forensic_value: | Critical for investigating virtual machine usage, potential evidence isolation, malware analysis environments, and sophisticated attack techniques using - virtualization. Shows evidence of VM creation, configuration changes, virtual - network setups, and can indicate attempts to hide activities through virtualization - or use of isolated environments for malicious purposes. + virtualization. Shows evidence of VM creation, configuration changes, + and virtual network setups that could hide activities. structure: | VMware configuration includes virtual machine paths, hardware settings, network configurations, licensing data, and performance preferences. VM registry entries - track virtual hardware assignments, snapshot locations, and isolation settings - for comprehensive virtualization behavior analysis and security assessment. + track virtual hardware assignments, snapshot locations, and isolation settings. examples: - "InstallPath: C:\\Program Files (x86)\\VMware\\VMware Workstation" 
@@ -43,9 +40,29 @@ details: description: "VMware virtualization management interface" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" + description: "Advanced registry analysis tool" - name: "VMware Tools" - description: "VMware virtual machine management and analysis utilities" + description: "VMware virtual machine management utilities" + +limitations: + - "Registry shows configuration only, not actual VM usage or guest OS activity" + - "Recent VM list doesn't prove virtual machines were actively used" + - "Shared folder settings don't indicate actual file sharing occurred" + - "VM inventory paths don't prove VMs were executed or contained malware" + - "Malware sandbox VMs suggest analysis but don't prove malicious activity" + +correlation: + required_for_definitive_conclusions: + - "VMware log files showing actual VM operations" + - "Virtual machine disk files (.vmdk, .vmx, .nvram)" + - "Process execution logs showing vmware.exe activity" + - "File system artifacts in VM storage directories" + - "Network traffic logs showing VM communications" + + strengthens_evidence: + - "Timeline analysis of VM creation and configuration changes" + - "User activity showing VMware application usage" + - "File operations in VM inventory directories" metadata: windows_versions: @@ -58,17 +75,16 @@ metadata: - "Windows 11" introduced: "VMware Workstation" - criticality: "medium" investigation_types: - "malware-analysis" - "incident-response" - "behavioral-analysis" + - "anti-forensics" tags: - "vmware" - - "virtualization" - "virtual-machines" - "hypervisor" - "isolation" @@ -85,9 +101,8 @@ metadata: volatility: "VM configuration changes provide evidence of virtualization usage patterns" related_artifacts: - - "virtualization_settings" - - "isolation_environments" - - "malware_analysis_tools" + - "oracle_virtual_box" + - "hyperv" author: name: "Tonmoy Jitu" 
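Review bot: In the vmware.yml correlation block, "Virtual machine disk files (.vmdk, .vmx, .nvram)" mislabels two of the three: only .vmdk is a disk, .vmx is the VM configuration and .nvram is the virtual BIOS/UEFI state. Likewise "Process execution logs showing vmware.exe activity" shows the Workstation UI was launched; the VM itself runs under vmware-vmx.exe, and the "VMware log files" entry should name vmware.log in the VM directory.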
diff --git a/artifacts/virtualization/windows_containers.yml b/artifacts/virtualization/windows_containers.yml index 7eb60ef..fb8ad79 100644 --- a/artifacts/virtualization/windows_containers.yml +++ b/artifacts/virtualization/windows_containers.yml 
@@ -10,25 +10,22 @@ paths: details: what: | - Windows container infrastructure encompasses Docker Desktop configuration, Windows container - runtime settings, container isolation policies, image management, networking configuration, - and security boundaries. Controls container execution environment, resource allocation, - network isolation, storage management, and container-to-host communication for modern - application deployment and microservices architecture. + Windows container infrastructure includes Docker Desktop configuration, Windows container + runtime settings, container isolation policies, image management, and networking + configuration. Controls container execution environment, resource allocation, + and security boundaries for modern application deployment. forensic_value: | - Critical for investigating containerized malware, container escape attempts, unauthorized - container deployments, and container-based data exfiltration. Shows evidence of container - usage that could hide malicious activity, reveals container configurations that may facilitate - advanced persistent threats, and indicates attempts to bypass security controls through - container isolation weaknesses or privilege escalation techniques. + Critical for investigating containerized malware, container escape attempts, + unauthorized container deployments, and container-based data exfiltration. + Shows evidence of container usage that could hide malicious activity and + indicates attempts to bypass security controls through container technologies. structure: | Container configuration includes runtime policies, isolation modes (process vs. Hyper-V), - network settings, storage drivers, security contexts, and resource constraints. Docker - Desktop settings control daemon configuration, experimental features, resource allocation, - and development environment preferences. Service configuration manages container runtime - behavior and system integration. 
+ network settings, storage drivers, security contexts, and resource constraints. + Docker Desktop settings control daemon configuration, experimental features, + and resource allocation. examples: - "ContainerManager\\IsolationMode: 1 (Process isolation enabled)" @@ -47,11 +44,27 @@ details: description: "Docker command-line interface for container operations" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "Container Security Scanner" - description: "Tools for analyzing container security configuration and vulnerabilities" - - name: "Windows Container Host Analyzer" - description: "Utilities for examining Windows container host configuration" + description: "Advanced registry analysis tool" + +limitations: + - "Registry shows configuration only, not actual container deployments or activity" + - "Container settings don't prove malicious containers were actually run" + - "Experimental features may be enabled but not actively used" + - "Privileged access settings don't indicate actual privilege abuse" + - "Shared drive mappings don't prove data exfiltration occurred" + +correlation: + required_for_definitive_conclusions: + - "Docker daemon logs showing actual container operations" + - "Container images and running container processes" + - "File system artifacts showing container-related files" + - "Network traffic logs showing container communications" + - "Process execution logs showing Docker/containerd activity" + + strengthens_evidence: + - "Timeline analysis of container configuration changes" + - "User activity showing Docker Desktop usage" + - "File operations in shared drive mappings" metadata: windows_versions: @@ -62,7 +75,6 @@ metadata: - "Windows Server 2022" introduced: "Windows Server 2016" - criticality: "high" investigation_types: 
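Review bot: In the windows_containers.yml correlation block, "Container images and running container processes" is a live-response item, not a disk artifact; for post-mortem work the hunk should point at the on-disk image and layer store (C:\ProgramData\docker by default on Windows container hosts) so the required_for_definitive_conclusions list can be satisfied from a dead-disk image.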
@@ -71,16 +83,15 @@ metadata: - "privilege-escalation" - "behavioral-analysis" - "lateral-movement" + - "anti-forensics" tags: - - "virtualization" - "containers" - "docker" - "container-security" - "isolation" - "runtime-security" - "container-escape" - - "microservices" references: - title: "Microsoft Documentation: Windows Containers" @@ -100,9 +111,7 @@ metadata: related_artifacts: - "hyperv" - - "virtualization_security" - - "docker_runtime" - - "container_networking" + - "windows_subsystem_linux" author: name: "Tonmoy Jitu" @@ -112,4 +121,4 @@ author: contribution: date_added: "2025-06-07" last_updated: "2025-06-07" - version: "1.0" + version: "3.0" diff --git a/artifacts/virtualization/windows_subsystem_linux.yml b/artifacts/virtualization/windows_subsystem_linux.yml index 112ac0d..027977a 100644 --- a/artifacts/virtualization/windows_subsystem_linux.yml +++ b/artifacts/virtualization/windows_subsystem_linux.yml 
@@ -10,23 +10,22 @@ paths: details: what: | - Windows Subsystem for Linux enables running Linux distributions natively on Windows through - compatibility layer technology. Registry configuration includes installed distributions, - default distribution settings, user mappings, file system interoperability, network - configuration, and development environment preferences for Linux development on Windows. + Windows Subsystem for Linux enables running Linux distributions natively on Windows + through compatibility layer technology. Registry configuration includes installed + distributions, default distribution settings, user mappings, file system + interoperability, and network configuration. forensic_value: | - Critical for investigating Linux-based attack tools, cross-platform malware, development - environment abuse, and sophisticated attacks that leverage Linux capabilities within Windows. - Shows evidence of Linux tool usage, script execution, container operations, and potential - security bypasses through Linux environment. Essential for advanced persistent threat - investigations involving cross-platform attack techniques. + Critical for investigating Linux-based attack tools, cross-platform malware, + development environment abuse, and sophisticated attacks that leverage Linux + capabilities within Windows. Shows evidence of Linux tool usage and potential + security bypasses through Linux environment. structure: | - WSL configuration includes DefaultDistribution (default Linux distro), installed distribution - metadata, user ID mappings, interoperability settings, and file system mount configurations. - Distribution entries contain installation paths, kernel versions, default user settings, - and distribution-specific configuration for comprehensive Linux environment management. 
+ WSL configuration includes DefaultDistribution (default Linux distro), installed + distribution metadata, user ID mappings, interoperability settings, and file + system mount configurations. Distribution entries contain installation paths, + kernel versions, and default user settings. examples: - "DefaultDistribution: Ubuntu-20.04 (Default Linux distribution)" @@ -45,11 +44,27 @@ details: description: "Windows feature management including WSL enablement" - name: "Registry Explorer" url: "https://ericzimmerman.github.io/#!index.md" - description: "Advanced registry analysis and browsing tool" - - name: "WSL Configuration Manager" - description: "Third-party tools for WSL configuration analysis" - - name: "Linux Distribution Analyzer" - description: "Tools for analyzing installed Linux distributions and usage" + description: "Advanced registry analysis tool" + +limitations: + - "Registry shows installed distributions only, not actual Linux command execution" + - "Distribution presence doesn't prove Linux tools were actively used" + - "WSL configuration doesn't indicate specific commands or scripts run" + - "State values show installation status, not usage patterns or frequency" + - "Kali Linux installation suggests penetration testing but doesn't prove malicious activity" + +correlation: + required_for_definitive_conclusions: + - "WSL process execution logs showing actual Linux command activity" + - "Linux command history files within WSL distributions" + - "File system artifacts showing Linux tool execution" + - "Network traffic logs showing connections from WSL processes" + - "PowerShell or cmd logs showing wsl.exe invocations" + + strengthens_evidence: + - "Timeline analysis of WSL distribution installations" + - "User activity showing WSL command usage" + - "File operations between Windows and Linux file systems" metadata: windows_versions: 
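Review bot: In the windows_subsystem_linux.yml correlation block, "WSL process execution logs showing actual Linux command activity" promises more than Windows process auditing delivers: Windows sees wsl.exe, wslhost.exe and the WSL2 utility VM, not the individual Linux commands. The Linux-side history files the next bullet relies on live inside the distribution's ext4.vhdx for WSL2 (under the package's LocalState directory) and must be mounted or carved out; say so, since that is the step an examiner will otherwise miss.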
@@ -59,7 +74,6 @@ metadata: - "Windows Server 2022" introduced: "Windows 10 Anniversary Update (2016)" - criticality: "high" investigation_types: @@ -67,9 +81,10 @@ metadata: - "incident-response" - "behavioral-analysis" - "lateral-movement" + - "anti-forensics" + - "privilege-escalation" tags: - - "virtualization" - "wsl" - "linux" - "cross-platform" @@ -85,9 +100,6 @@ metadata: - title: "WSL Security Considerations" url: "https://docs.microsoft.com/en-us/windows/wsl/wsl2-kernel" type: "official" - - title: "Linux-Windows Hybrid Attack Techniques" - url: "https://www.sans.org/white-papers/39847/" - type: "research" retention: default_location: "Registry hive files (SOFTWARE, NTUSER.DAT, SYSTEM)" @@ -97,8 +109,6 @@ metadata: related_artifacts: - "hyperv" - "windows_containers" - - "virtualization_security" - - "developer_tools" author: name: "Tonmoy Jitu" @@ -108,4 +118,4 @@ author: contribution: date_added: "2025-06-07" last_updated: "2025-06-07" - version: "1.0" + version: "3.0" diff --git a/scripts/build.py b/scripts/build.py index 92fc337..752295e 100644 --- a/scripts/build.py +++ b/scripts/build.py @@ -165,7 +165,7 @@ def build_site(): "statistics": stats, "total": len(valid_artifacts), "last_updated": datetime.now().isoformat(), - "version": "2.0.0", + "version": "1.0.0", "build_info": { "total_files_processed": len(artifacts), "valid_artifacts": len(valid_artifacts), diff --git a/scripts/robots.txt b/scripts/robots.txt new file mode 100644 index 0000000..80585d9 --- /dev/null +++ b/scripts/robots.txt @@ -0,0 +1,21 @@ +User-agent: * +Allow: / + + +# Block access to build files except the main artifacts.json +User-agent: * +Disallow: /build/ +Allow: /build/artifacts.json + +# Allow CSS and JS files +Allow: /css/ +Allow: /js/ + +# Block any temporary or development files +Disallow: /*.tmp$ +Disallow: /*.bak$ +Disallow: /*~$ +Disallow: /node_modules/ +Disallow: /.git/ +Disallow: /.github/ + 
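Review bot: In the windows_subsystem_linux.yml contribution hunk, version goes to "3.0" while last_updated stays "2025-06-07"; the same mismatch appears in the hyperv.yml, oracle_virtual_box.yml and windows_containers.yml contribution hunks, whereas the spotlight, wordwheel_query and docker files bump both. Update last_updated wherever version changes. In the references hunk of the same file, the retained entry titled "WSL Security Considerations" points at the wsl2-kernel page, so either the title or the URL is wrong.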
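Review bot: The build.py hunk lowers the site version from "2.0.0" to "1.0.0" in the same commit that raises every artifact to version "3.0" and labels the validator "v2.0" in its docstring; a downgrade looks accidental and will confuse anyone diffing builds. Pick one version scheme for the site output and keep it monotonic.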
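Review bot: The new scripts/robots.txt treats Disallow as access control, which it is not: `Disallow: /.git/` and `Disallow: /.github/` stop nothing and advertise the paths, so the real fix is to make sure the deploy step never publishes them (and to deny them in the server configuration if the host allows it). Two separate `User-agent: *` groups should be merged into one, since crawlers that honour only the first matching group will see just `Allow: /`, and the `Disallow: /build/` followed by `Allow: /build/artifacts.json` pair depends on longest-match semantics that not every crawler implements. Also confirm build.py copies this file to the site root; in scripts/ it is never served.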
diff --git a/scripts/validate.py b/scripts/validate.py index 69643c8..27dd4db 100644 --- a/scripts/validate.py +++ b/scripts/validate.py 
@@ -1,242 +1,607 @@ #!/usr/bin/env python3 """ -Validate artifact YAML files against the enhanced RegSeek schema +RegSeek Validation System v2.0 +Comprehensive validation of artifact YAML files against RegSeek standards """ import yaml import sys +import re from pathlib import Path -from jsonschema import validate, ValidationError +from typing import Dict, List, Any, Tuple, Optional +from datetime import datetime -# Enhanced schema for artifact validation -ARTIFACT_SCHEMA = { - "type": "object", - "required": ["title", "category", "description", "paths", "details"], - "properties": { - "title": {"type": "string", "minLength": 5}, - "category": { - "type": "string", - "enum": [ - "execution", "network", "usb", "user-activity", "persistence", - "system", "security", "cloud", "browser", "malware", "mobile", - "virtualization", "communication" - ] - }, - "description": {"type": "string", "minLength": 10}, - "paths": { - "type": "array", - "items": {"type": "string", "pattern": "^HK(LM|CU|CR|U|CC)\\\\"}, - "minItems": 1 - }, - "details": { - "type": "object", - "required": ["what", "forensic_value", "structure", "examples", "tools"], - "properties": { - "what": {"type": "string", "minLength": 20}, - "forensic_value": {"type": "string", "minLength": 20}, - "structure": {"type": "string", "minLength": 10}, - "examples": { - "type": "array", - "items": {"type": "string"}, - "minItems": 1 - }, - "tools": { - "type": "array", - "items": { - "type": "object", - "required": ["name"], - "properties": { - "name": {"type": "string"}, - "url": {"type": "string", "format": "uri"}, - "description": {"type": "string"} - } - }, - "minItems": 1 - } - } - }, - "metadata": { - "type": "object", - "properties": { - "windows_versions": { - "type": "array", - "items": {"type": "string"} - }, - "introduced": {"type": "string"}, - "deprecated": {"type": "string"}, - "criticality": { - "type": "string", - "enum": ["high", "medium", "low"] - }, - "investigation_types": { - "type": "array", - 
"items": { - "type": "string", - "enum": [ - "malware-analysis", "data-exfiltration", "insider-threat", - "incident-response", "timeline-analysis", "privilege-escalation", - "lateral-movement", "persistence-analysis", "behavioral-analysis" - ] - } - }, - "tags": { - "type": "array", - "items": {"type": "string"} - }, - "references": { - "type": "array", - "items": { - "type": "object", - "required": ["title"], - "properties": { - "title": {"type": "string"}, - "url": {"type": "string", "format": "uri"}, - "type": { - "type": "string", - "enum": ["official", "research", "blog", "tool"] - } - } - } - }, - "retention": { - "type": "object", - "properties": { - "default_location": {"type": "string"}, - "persistence": {"type": "string"}, - "volatility": {"type": "string"} - } - }, - "related_artifacts": { - "type": "array", - "items": {"type": "string"} - } - } - }, - "author": { - "type": "object", - "properties": { - "name": {"type": "string"}, - "github": {"type": "string"}, - "x": {"type": "string"}, - "email": {"type": "string", "format": "email"}, - "organization": {"type": "string"} - } - }, - "contribution": { - "type": "object", - "properties": { - "date_added": {"type": "string", "pattern": "^\\d{4}-\\d{2}-\\d{2}$"}, - "last_updated": {"type": "string", "pattern": "^\\d{4}-\\d{2}-\\d{2}$"}, - "version": {"type": "string"}, - "reviewed_by": {"type": "string"} - } +# Configuration Constants +VALID_CATEGORIES = [ + "program-execution", "browser-activity", "file-operations", "user-behaviour", + "external-storage", "persistence-methods", "system-modifications", "network-infrastructure", + "remote-access", "security-monitoring", "communication-apps", "virtualization", "authentication" +] + +PRIORITY_CATEGORIES = [ + "program-execution", "browser-activity", "file-operations", "user-behaviour", + "persistence-methods", "system-modifications", "network-infrastructure", "security-monitoring" +] + +VALID_INVESTIGATION_TYPES = [ + # Investigation Phases + 
"incident-response", "malware-analysis", "timeline-analysis", "behavioral-analysis", "insider-threat", + # Attack Techniques + "initial-access", "program-execution", "persistence-analysis", "privilege-escalation", + "credential-theft", "lateral-movement", "remote-access", "data-exfiltration", "anti-forensics" +] + +VALID_CRITICALITY_LEVELS = ["high", "medium", "low"] + +VALID_REGISTRY_PREFIXES = ["HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\"] + +VALID_REFERENCE_TYPES = ["official", "research", "blog", "tool"] + +# Validation Rules +MIN_TITLE_LENGTH = 5 +MIN_DESCRIPTION_LENGTH = 10 +MIN_DETAILED_FIELD_LENGTH = 20 +DATE_PATTERN = re.compile(r'^\d{4}-\d{2}-\d{2}$') +EMAIL_PATTERN = re.compile(r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$') +URL_PATTERN = re.compile(r'^https?://[^\s<>"{}|\\^`\[\]]+$') + +class ValidationResult: + """Store validation results""" + def __init__(self, file_path: str): + self.file_path = file_path + self.is_valid = True + self.errors = [] + self.warnings = [] + self.recommendations = [] + + def add_error(self, message: str): + """Add validation error""" + self.errors.append(message) + self.is_valid = False + + def add_warning(self, message: str): + """Add validation warning""" + self.warnings.append(message) + + def add_recommendation(self, message: str): + """Add recommendation for improvement""" + self.recommendations.append(message) + +class ArtifactValidator: + """Comprehensive artifact validator""" + + def __init__(self): + self.results = [] + + def validate_required_fields(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate required top-level fields""" + required_fields = { + 'title': str, + 'category': str, + 'description': str, + 'paths': (list, str) # Can be list or string } - } -} + + for field, expected_type in required_fields.items(): + if field not in artifact: + result.add_error(f"Missing required field: '{field}'") + continue + + value = artifact[field] + if not isinstance(value, expected_type): + 
result.add_error(f"Field '{field}' must be {expected_type.__name__}, got {type(value).__name__}") + continue + + # String length validation + if isinstance(value, str): + if field == 'title' and len(value) < MIN_TITLE_LENGTH: + result.add_error(f"Title must be at least {MIN_TITLE_LENGTH} characters, got {len(value)}") + elif field == 'description' and len(value) < MIN_DESCRIPTION_LENGTH: + result.add_error(f"Description must be at least {MIN_DESCRIPTION_LENGTH} characters, got {len(value)}") + elif not value.strip(): + result.add_error(f"Field '{field}' cannot be empty") + + def validate_category(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate category field""" + category = artifact.get('category') + if not category: + return + + if category not in VALID_CATEGORIES: + result.add_error(f"Invalid category '{category}'. Must be one of: {', '.join(VALID_CATEGORIES)}") + return + + # Check if it's a priority category + if category in PRIORITY_CATEGORIES: + result.add_recommendation(f"Category '{category}' is a priority category (appears in quick filters)") + + def validate_paths(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate registry paths""" + paths = artifact.get('paths') + if not paths: + return + + # Convert single path to list + if isinstance(paths, str): + paths = [paths] + + if not isinstance(paths, list) or len(paths) == 0: + result.add_error("Paths must be a non-empty list or string") + return + + valid_hives = set() + for i, path in enumerate(paths): + if not isinstance(path, str): + result.add_error(f"Path {i+1} must be a string, got {type(path).__name__}") + continue + + if not path.strip(): + result.add_error(f"Path {i+1} cannot be empty") + continue + + # Check registry path format + path_valid = False + for prefix in VALID_REGISTRY_PREFIXES: + if path.startswith(prefix): + path_valid = True + valid_hives.add(prefix.rstrip('\\')) + break + + if not path_valid: + result.add_warning(f"Path may not be valid 
registry path: '{path}'") + result.add_recommendation(f"Registry paths should start with: {', '.join(VALID_REGISTRY_PREFIXES)}") + + # Add recommendation about hive diversity + if len(valid_hives) > 1: + result.add_recommendation(f"Artifact spans multiple registry hives: {', '.join(sorted(valid_hives))}") + + def validate_details_section(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate details section (recommended)""" + details = artifact.get('details', {}) + + if not details: + result.add_warning("Missing 'details' section (recommended)") + return + + # Check for detailed explanations + detail_fields = { + 'what': 'explanation of what Windows stores', + 'forensic_value': 'forensic significance explanation', + 'structure': 'data format and structure description' + } + + for field, description in detail_fields.items(): + value = details.get(field) + if not value: + result.add_warning(f"Missing details.{field} ({description})") + elif isinstance(value, str) and len(value.strip()) < MIN_DETAILED_FIELD_LENGTH: + result.add_warning(f"details.{field} should be more detailed (at least {MIN_DETAILED_FIELD_LENGTH} characters)") + + # Check examples + examples = details.get('examples') + if not examples: + result.add_warning("Missing details.examples (recommended)") + elif isinstance(examples, list) and len(examples) == 0: + result.add_warning("Examples list is empty") + elif not isinstance(examples, list): + result.add_warning("Examples should be a list of strings") + + # Check tools + tools = details.get('tools') + if not tools: + result.add_warning("Missing details.tools (recommended)") + elif isinstance(tools, list): + self.validate_tools(tools, result) + else: + result.add_warning("Tools should be a list") + + def validate_tools(self, tools: List[Any], result: ValidationResult): + """Validate tools list""" + if len(tools) == 0: + result.add_warning("Tools list is empty") + return + + for i, tool in enumerate(tools): + if not isinstance(tool, 
dict): + result.add_warning(f"Tool {i+1} should be an object with 'name' field") + continue + + if 'name' not in tool: + result.add_error(f"Tool {i+1} missing required 'name' field") + continue + + name = tool['name'] + if not isinstance(name, str) or not name.strip(): + result.add_error(f"Tool {i+1} name must be a non-empty string") + continue + + # Check for URL (recommended) + if 'url' not in tool: + result.add_recommendation(f"Tool '{name}' missing URL (recommended)") + else: + url = tool['url'] + if not isinstance(url, str) or not URL_PATTERN.match(url): + result.add_warning(f"Tool '{name}' has invalid URL format") + + def validate_metadata_section(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate metadata section""" + metadata = artifact.get('metadata', {}) + + if not metadata: + result.add_warning("Missing 'metadata' section (recommended)") + return + + # Criticality validation + criticality = metadata.get('criticality') + if not criticality: + result.add_recommendation("Missing metadata.criticality (recommended)") + elif criticality not in VALID_CRITICALITY_LEVELS: + result.add_error(f"Invalid criticality '{criticality}'. 
Must be one of: {', '.join(VALID_CRITICALITY_LEVELS)}") + + # Investigation types validation + inv_types = metadata.get('investigation_types', []) + if not inv_types: + result.add_recommendation("Missing metadata.investigation_types (recommended)") + elif isinstance(inv_types, list): + invalid_types = [t for t in inv_types if t not in VALID_INVESTIGATION_TYPES] + if invalid_types: + result.add_error(f"Invalid investigation types: {', '.join(invalid_types)}") + result.add_error(f"Valid types: {', '.join(VALID_INVESTIGATION_TYPES)}") + else: + result.add_error("investigation_types must be a list") + + # Windows versions + win_versions = metadata.get('windows_versions') + if not win_versions: + result.add_recommendation("Missing metadata.windows_versions (recommended)") + elif not isinstance(win_versions, list): + result.add_warning("windows_versions should be a list") + + # References validation + references = metadata.get('references', []) + if isinstance(references, list): + self.validate_references(references, result) + + # Date fields validation + date_fields = ['introduced', 'deprecated'] + for field in date_fields: + date_value = metadata.get(field) + if date_value and not DATE_PATTERN.match(str(date_value)): + result.add_warning(f"metadata.{field} should be in YYYY-MM-DD format") + + def validate_references(self, references: List[Any], result: ValidationResult): + """Validate references list""" + for i, ref in enumerate(references): + if not isinstance(ref, dict): + result.add_warning(f"Reference {i+1} should be an object") + continue + + if 'title' not in ref: + result.add_error(f"Reference {i+1} missing required 'title' field") + continue + + # Check URL format + if 'url' in ref: + url = ref['url'] + if not isinstance(url, str) or not URL_PATTERN.match(url): + result.add_warning(f"Reference {i+1} has invalid URL format") + + # Check reference type + ref_type = ref.get('type') + if ref_type and ref_type not in VALID_REFERENCE_TYPES: + 
result.add_warning(f"Reference {i+1} invalid type '{ref_type}'. Valid types: {', '.join(VALID_REFERENCE_TYPES)}") + + def validate_author_section(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate author section""" + author = artifact.get('author') + + if not author: + result.add_recommendation("Missing 'author' section (recommended for attribution)") + return + + if not isinstance(author, dict): + result.add_warning("Author should be an object with name, contact info") + return + + if 'name' not in author: + result.add_warning("Author missing 'name' field") + elif not isinstance(author['name'], str) or not author['name'].strip(): + result.add_warning("Author name should be a non-empty string") + + # Email validation + email = author.get('email') + if email and not EMAIL_PATTERN.match(email): + result.add_warning("Author email format appears invalid") + + def validate_contribution_section(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate contribution section""" + contribution = artifact.get('contribution') + + if not contribution: + result.add_recommendation("Missing 'contribution' section (recommended for tracking)") + return + + if not isinstance(contribution, dict): + result.add_warning("Contribution should be an object") + return + + # Date validation + date_fields = ['date_added', 'last_updated'] + for field in date_fields: + date_value = contribution.get(field) + if date_value and not DATE_PATTERN.match(str(date_value)): + result.add_warning(f"contribution.{field} should be in YYYY-MM-DD format") + + def validate_anti_checklist_methodology(self, artifact: Dict[str, Any], result: ValidationResult): + """Validate anti-checklist methodology sections (CRITICAL)""" + # Limitations section + limitations = artifact.get('limitations') + if not limitations: + result.add_error("CRITICAL: Missing 'limitations' section (anti-checklist methodology)") + result.add_error("Must specify what this artifact CANNOT determine or 
prove") + elif isinstance(limitations, list): + if len(limitations) == 0: + result.add_warning("Limitations list is empty") + else: + result.add_recommendation(f"Good: {len(limitations)} limitation(s) specified") + else: + result.add_warning("Limitations should be a list of strings") + + # Correlation section + correlation = artifact.get('correlation') + if not correlation: + result.add_error("CRITICAL: Missing 'correlation' section (anti-checklist methodology)") + result.add_error("Must specify required evidence for definitive conclusions") + elif isinstance(correlation, dict): + required = correlation.get('required_for_definitive_conclusions') + strengthens = correlation.get('strengthens_evidence') + + if not required and not strengthens: + result.add_warning("Correlation section empty - should specify required evidence") + else: + result.add_recommendation("Good: Correlation requirements specified") + else: + result.add_warning("Correlation should be an object with required/strengthens fields") + + def validate_file(self, file_path: Path) -> ValidationResult: + """Validate a single artifact file""" + result = ValidationResult(str(file_path)) + + try: + # Load YAML + with open(file_path, 'r', encoding='utf-8') as f: + artifact = yaml.safe_load(f) + + if not artifact: + result.add_error("File is empty or contains invalid YAML") + return result + + if not isinstance(artifact, dict): + result.add_error("Root element must be a YAML object/dictionary") + return result + + # Run all validations + self.validate_required_fields(artifact, result) + self.validate_category(artifact, result) + self.validate_paths(artifact, result) + self.validate_details_section(artifact, result) + self.validate_metadata_section(artifact, result) + self.validate_author_section(artifact, result) + self.validate_contribution_section(artifact, result) + self.validate_anti_checklist_methodology(artifact, result) + + except yaml.YAMLError as e: + result.add_error(f"YAML parsing error: {e}") + 
except Exception as e: + result.add_error(f"Unexpected error: {e}") + + return result + + def validate_directory(self, artifacts_dir: Path = None) -> List[ValidationResult]: + """Validate all artifacts in directory""" + if artifacts_dir is None: + artifacts_dir = Path("artifacts") + + if not artifacts_dir.exists(): + result = ValidationResult(str(artifacts_dir)) + result.add_error("Artifacts directory not found") + return [result] + + results = [] + + for category_dir in artifacts_dir.iterdir(): + if not category_dir.is_dir() or category_dir.name.startswith('_'): + continue + + for artifact_file in category_dir.glob("*.yml"): + if artifact_file.name.startswith('_'): + continue + + result = self.validate_file(artifact_file) + results.append(result) + + return results -def validate_artifact(file_path): - """Validate a single artifact file""" - try: - with open(file_path, 'r', encoding='utf-8') as f: - artifact = yaml.safe_load(f) - - # Basic structure validation - validate(instance=artifact, schema=ARTIFACT_SCHEMA) - - # Additional custom validations - validation_warnings = [] - - # Check if paths look like valid registry paths - for path in artifact.get('paths', []): - if not any(path.startswith(hive) for hive in ['HKLM\\', 'HKCU\\', 'HKCR\\', 'HKU\\', 'HKCC\\']): - validation_warnings.append(f"Path may not be valid registry path: {path}") - - # Check if tools have URLs (recommended) - tools = artifact.get('details', {}).get('tools', []) - tools_without_urls = 0 - for tool in tools: - if isinstance(tool, dict) and 'name' in tool and 'url' not in tool: - tools_without_urls += 1 - - if tools_without_urls > 0: - validation_warnings.append(f"{tools_without_urls} tool(s) missing URL (recommended)") - - # Check for criticality level (recommended) - if 'metadata' in artifact and 'criticality' not in artifact['metadata']: - validation_warnings.append("Criticality level not specified (recommended)") - - # Check for investigation types - if 'metadata' in artifact and 
'investigation_types' not in artifact['metadata']: - validation_warnings.append("Investigation types not specified (recommended)") - - # Print results - if validation_warnings: - print(f"✓ {file_path} is valid but has recommendations:") - for warning in validation_warnings: - print(f" - {warning}") +def print_validation_summary(results: List[ValidationResult]): + """Print comprehensive validation summary""" + total_files = len(results) + valid_files = sum(1 for r in results if r.is_valid) + invalid_files = total_files - valid_files + total_errors = sum(len(r.errors) for r in results) + total_warnings = sum(len(r.warnings) for r in results) + total_recommendations = sum(len(r.recommendations) for r in results) + + print("\n" + "=" * 70) + print(" VALIDATION SUMMARY") + print("=" * 70) + + # Overall stats + print(f" STATISTICS:") + print(f" Files validated: {total_files}") + print(f" Valid: {valid_files}") + print(f" Invalid: {invalid_files}") + print(f" Total errors: {total_errors}") + print(f" Total warnings: {total_warnings}") + print(f" Total recommendations: {total_recommendations}") + + if total_files > 0: + success_rate = round((valid_files / total_files) * 100, 1) + print(f" Success rate: {success_rate}%") + + # Categories + categories = {} + for result in results: + if result.is_valid: + # Extract category from path + path_parts = Path(result.file_path).parts + if len(path_parts) >= 2: + category = path_parts[-2] # Parent directory name + categories[category] = categories.get(category, 0) + 1 + + if categories: + print(f"\n VALID ARTIFACTS BY CATEGORY:") + for category, count in sorted(categories.items()): + priority_marker = "⭐" if category in PRIORITY_CATEGORIES else " " + print(f" {priority_marker} {category}: {count}") + + # Critical issues (anti-checklist methodology) + critical_issues = [] + for result in results: + for error in result.errors: + if "CRITICAL" in error: + critical_issues.append(f"{Path(result.file_path).name}: {error}") + + if 
critical_issues: + print(f"\n CRITICAL ISSUES (Anti-Checklist Methodology):") + for issue in critical_issues[:10]: # Show first 10 + print(f" • {issue}") + if len(critical_issues) > 10: + print(f" ... and {len(critical_issues) - 10} more critical issues") + + # Most common warnings + warning_counts = {} + for result in results: + for warning in result.warnings: + # Extract warning type + warning_type = warning.split('(')[0].strip() + warning_counts[warning_type] = warning_counts.get(warning_type, 0) + 1 + + if warning_counts: + print(f"\n COMMON WARNINGS:") + sorted_warnings = sorted(warning_counts.items(), key=lambda x: x[1], reverse=True) + for warning_type, count in sorted_warnings[:5]: + print(f" • {warning_type}: {count} files") + +def print_file_results(results: List[ValidationResult], show_all: bool = False): + """Print individual file validation results""" + if not results: + return + + print("\n" + "=" * 70) + print(" FILE VALIDATION RESULTS") + print("=" * 70) + + # Group by status + valid_results = [r for r in results if r.is_valid] + invalid_results = [r for r in results if not r.is_valid] + + # Show invalid files first + if invalid_results: + print(f"\n INVALID FILES ({len(invalid_results)}):") + for result in invalid_results: + file_name = Path(result.file_path).name + print(f"\n {file_name}") + + for error in result.errors: + print(f" {error}") + + if result.warnings: + for warning in result.warnings[:3]: # Limit warnings for invalid files + print(f" {warning}") + if len(result.warnings) > 3: + print(f" ... 
and {len(result.warnings) - 3} more warnings") + + # Show valid files (summary or detailed) + if valid_results: + if show_all: + print(f"\n VALID FILES ({len(valid_results)}):") + for result in valid_results: + file_name = Path(result.file_path).name + issue_count = len(result.warnings) + len(result.recommendations) + + if issue_count == 0: + print(f" {file_name} - Perfect!") + else: + print(f" {file_name} - {len(result.warnings)} warnings, {len(result.recommendations)} recommendations") + + for warning in result.warnings: + print(f" {warning}") + + for rec in result.recommendations: + print(f" {rec}") else: - print(f"✓ {file_path} is valid and complete") - - return True - - except ValidationError as e: - print(f"✗ {file_path} validation failed:") - print(f" {e.message}") - if hasattr(e, 'absolute_path') and e.absolute_path: - print(f" Path: {' -> '.join(str(x) for x in e.absolute_path)}") - return False - except Exception as e: - print(f"✗ {file_path} error: {e}") - return False + print(f"\n VALID FILES: {len(valid_results)} files passed validation") + perfect_files = [r for r in valid_results if len(r.warnings) == 0 and len(r.recommendations) == 0] + if perfect_files: + print(f" {len(perfect_files)} files are perfect (no warnings or recommendations)") def main(): - print(" RegSeek Artifact Validator") - print("=" * 40) + """Main validation function""" + print(" RegSeek Validation System v2.0") + print("=" * 70) + + # Parse command line arguments + show_detailed = '--detailed' in sys.argv or '-d' in sys.argv + file_path = None + + # Check for specific file argument + for arg in sys.argv[1:]: + if not arg.startswith('-') and arg.endswith('.yml'): + file_path = Path(arg) + break - if len(sys.argv) > 1: - # Validate specific file - file_path = Path(sys.argv[1]) + # Initialize validator + validator = ArtifactValidator() + + if file_path: + # Validate single file if not file_path.exists(): print(f" File not found: {file_path}") - sys.exit(1) + return 1 - 
print(f"Validating: {file_path}") - if not validate_artifact(file_path): - sys.exit(1) + print(f" Validating: {file_path}") + result = validator.validate_file(file_path) + results = [result] + show_detailed = True # Always show details for single file else: - # Validate all artifacts - artifacts_dir = Path("artifacts") - if not artifacts_dir.exists(): - print(f" Artifacts directory not found: {artifacts_dir}") - sys.exit(1) - - failed = [] - validated = [] - - for artifact_file in artifacts_dir.rglob("*.yml"): - if artifact_file.name.startswith('_'): - print(f" Skipping template: {artifact_file}") - continue - - validated.append(artifact_file) - if not validate_artifact(artifact_file): - failed.append(artifact_file) - - # Summary - print("\n" + "=" * 40) - print(" Validation Summary:") - print("=" * 40) - print(f"Files validated: {len(validated)}") - print(f" Passed: {len(validated) - len(failed)}") - print(f" Failed: {len(failed)}") - - if failed: - print(f"\n {len(failed)} artifacts failed validation:") - for f in failed: - print(f" - {f}") - sys.exit(1) + # Validate all files + print(" Validating all artifacts...") + results = validator.validate_directory() + + # Print results + print_file_results(results, show_detailed) + print_validation_summary(results) + + # Final status + invalid_count = sum(1 for r in results if not r.is_valid) + critical_count = sum(1 for r in results for e in r.errors if "CRITICAL" in e) + + print("\n" + "=" * 70) + if invalid_count == 0: + if critical_count == 0: + print("🎉 All artifacts are valid and follow anti-checklist methodology!") + print(" Ready for build and deployment") + return 0 else: - print(f"\n🎉 All {len(validated)} artifacts are valid!") + print(f" {critical_count} critical methodology issues found") + print("🔧 Please address anti-checklist methodology requirements") + return 1 + else: + print(f" {invalid_count} artifacts failed validation") + if critical_count > 0: + print(f" Including {critical_count} critical 
methodology issues") + print(" Please fix errors before building") + return 1 if __name__ == "__main__": - main() + exit(main()) diff --git a/site/css/styles.css b/site/css/styles.css index 63837b6..d80e5ca 100644 --- a/site/css/styles.css +++ b/site/css/styles.css @@ -69,6 +69,54 @@ header { margin: 0 auto; } +/* Header Logo Link Styling */ +.logo-link { + text-decoration: none; + display: inline-block; + transition: transform 0.2s ease; +} + +.logo-link:hover { + transform: translateY(-2px); +} + +.logo-link .logo { + margin-bottom: 8px; + transition: all 0.2s ease; +} + +.logo-link:hover .logo { + background: linear-gradient(135deg, var(--accent-hover), #60a5fa); + -webkit-background-clip: text; + -webkit-text-fill-color: transparent; + background-clip: text; +} + +/* Project Info Styling */ +.project-info { + color: var(--text-muted); + font-size: 0.9rem; + font-weight: 400; + max-width: 900px; + margin: 16px auto 0 auto; + line-height: 1.5; + white-space: nowrap; + overflow: hidden; +} +.contribute-link { + color: var(--accent); + text-decoration: none; + font-weight: 500; + transition: all 0.2s ease; + border-bottom: 1px solid transparent; +} + +.contribute-link:hover { + color: var(--accent-hover); + border-bottom-color: var(--accent-hover); + text-decoration: none; +} + /* Search Container */ .search-container { margin: 48px 0 32px 0; @@ -123,7 +171,7 @@ header { /* Advanced Search Panel */ .advanced-search-panel { - max-width: 800px; + max-width: 1000px; /* Increased from 800px */ margin: 0 auto 32px auto; background: var(--bg-card); border: 1px solid var(--border); 
@@ -153,15 +201,16 @@ header { .filter-grid { display: grid; - grid-template-columns: repeat(auto-fit, minmax(250px, 1fr)); - gap: 20px; + grid-template-columns: repeat(auto-fit, minmax(300px, 1fr)); /* Increased from 250px */ + gap: 24px; margin-bottom: 24px; } +/* More comfortable filter group spacing */ .filter-group { display: flex; flex-direction: column; - gap: 8px; + gap: 10px; } .filter-group label { @@ -172,14 +221,16 @@ header { letter-spacing: 0.05em; } +/* More spacious select boxes */ .filter-group select { - padding: 12px 16px; + padding: 14px 18px; /* Increased from 12px 16px */ background: var(--bg-secondary); border: 1px solid var(--border); border-radius: 8px; color: var(--text-primary); font-size: 0.9375rem; transition: all 0.2s; + min-height: 48px; /* Ensure consistent height */ } .filter-group select:focus { @@ -465,7 +516,7 @@ header { font-weight: bold; } -/* Modal */ +/* Enhanced Modal */ .modal { display: none; position: fixed; 
@@ -476,40 +527,145 @@ header { background: rgba(0, 0, 0, 0.8); backdrop-filter: blur(4px); z-index: 1000; - overflow-y: auto; + overflow: hidden; } -.modal-content { - max-width: 900px; - margin: 48px auto; +.enhanced-modal { + width: 95%; + max-width: 1200px; + height: 90vh; + margin: 5vh auto; background: var(--bg-card); border: 1px solid var(--border); border-radius: 16px; + overflow: hidden; + display: flex; + box-shadow: 0 20px 40px rgba(0, 0, 0, 0.5); position: relative; - max-height: 90vh; +} + +/* Close button */ +.close-modal { + position: absolute; + top: 24px; + right: 24px; + font-size: 1.5rem; + cursor: pointer; + color: var(--text-muted); + background: var(--bg-secondary); + width: 40px; + height: 40px; + border-radius: 8px; + display: flex; + align-items: center; + justify-content: center; + transition: all 0.2s; + z-index: 10; +} + +.close-modal:hover { + color: var(--text-primary); + background: var(--bg-hover); +} + +/* Sidebar Navigation */ +.modal-sidebar { + width: 280px; + background: var(--bg-secondary); + border-right: 1px solid var(--border); + padding: 24px 0; overflow-y: auto; + flex-shrink: 0; +} + +.sidebar-section { + margin-bottom: 24px; +} + +.sidebar-title { + font-size: 0.875rem; + font-weight: 600; + color: var(--text-muted); + text-transform: uppercase; + letter-spacing: 0.05em; + padding: 0 24px; + margin-bottom: 12px; +} + +.nav-item { + display: flex; + align-items: center; + padding: 10px 24px; + color: var(--text-secondary); + cursor: pointer; + transition: all 0.2s; + border-left: 3px solid transparent; + font-size: 0.9375rem; +} + +.nav-item:hover { + background: var(--bg-hover); + color: var(--text-primary); +} + +.nav-item.active { + background: rgba(59, 130, 246, 0.1); + color: var(--accent); + border-left-color: var(--accent); +} + +.nav-icon { + width: 16px; + height: 16px; + margin-right: 12px; + opacity: 0.7; +} + +.nav-badge { + margin-left: auto; + font-size: 0.75rem; + background: var(--error); + color: white; + 
padding: 2px 6px; + border-radius: 10px; + font-weight: 500; +} + +.nav-badge.warning { + background: var(--warning); +} + +/* Main Content Area */ +.modal-main { + flex: 1; + display: flex; + flex-direction: column; + overflow: hidden; } -.modal-header { - padding: 32px 32px 24px; +/* Header */ +.modal-header-enhanced { + padding: 32px 40px 32px 32px; border-bottom: 1px solid var(--border); + background: linear-gradient(135deg, var(--bg-secondary), #1a1a2e); } -.modal-title { +.artifact-title { font-size: 1.875rem; font-weight: 700; margin-bottom: 12px; line-height: 1.2; } -.modal-badges { +.artifact-badges { display: flex; gap: 8px; flex-wrap: wrap; + margin-bottom: 16px; } -.modal-category, .modal-criticality { - font-size: 0.875rem; +.badge { + font-size: 0.75rem; font-weight: 500; text-transform: uppercase; letter-spacing: 0.05em; 
@@ -517,153 +673,266 @@ header { border-radius: 6px; } -.modal-category { +.badge-category { color: var(--accent); background: rgba(59, 130, 246, 0.1); + border: 1px solid rgba(59, 130, 246, 0.3); } -.modal-body { - padding: 32px; +.badge-criticality { + color: var(--error); + background: rgba(239, 68, 68, 0.1); + border: 1px solid rgba(239, 68, 68, 0.3); } -.close-modal { - position: absolute; - top: 24px; - right: 24px; - font-size: 1.5rem; - cursor: pointer; - color: var(--text-muted); - background: var(--bg-secondary); - width: 40px; - height: 40px; +.artifact-paths { + font-family: 'SF Mono', Monaco, 'Cascadia Code', monospace; + font-size: 0.875rem; + color: var(--text-secondary); + background: var(--bg-primary); + padding: 16px; border-radius: 8px; + border: 1px solid var(--border); +} + +/* Content Area */ +.modal-content-area { + flex: 1; + overflow-y: auto; + padding: 32px; +} + +/* Content Sections */ +.content-section { + display: none; + animation: fadeIn 0.3s ease; +} + +.content-section.active { + display: block; +} + +@keyframes fadeIn { + from { opacity: 0; transform: translateY(10px); } + to { opacity: 1; transform: translateY(0); } +} + +.section-header { display: flex; align-items: center; - justify-content: center; - transition: all 0.2s; + margin-bottom: 24px; } -.close-modal:hover { +.section-icon { + width: 24px; + height: 24px; + margin-right: 12px; + font-size: 1.5rem; +} + +.section-title { + font-size: 1.5rem; + font-weight: 600; color: var(--text-primary); - background: var(--bg-hover); } -.detail-section { +/* Critical Warning Section */ +.limitations-section { + background: rgba(239, 68, 68, 0.1); + border: 1px solid rgba(239, 68, 68, 0.3); + border-radius: 12px; + padding: 24px; margin-bottom: 32px; } -.detail-section:last-child { +.limitations-header { + display: flex; + align-items: center; + margin-bottom: 16px; +} + +.warning-icon { + width: 20px; + height: 20px; + margin-right: 8px; + font-size: 1.25rem; +} + +.limitations-title 
{ + font-size: 1.125rem; + font-weight: 600; + color: var(--error); +} + +.limitations-list { + list-style: none; + margin: 0; + padding: 0; +} + +.limitations-list li { + padding: 8px 0; + padding-left: 24px; + position: relative; + color: var(--text-secondary); + line-height: 1.6; +} + +.limitations-list li::before { + content: "⚠"; + position: absolute; + left: 0; + color: var(--error); + font-weight: bold; +} + +/* Correlation Section */ +.correlation-section { + background: rgba(245, 158, 11, 0.1); + border: 1px solid rgba(245, 158, 11, 0.3); + border-radius: 12px; + padding: 24px; + margin-bottom: 32px; +} + +.correlation-header { + display: flex; + align-items: center; + margin-bottom: 16px; +} + +.correlation-title { + font-size: 1.125rem; + font-weight: 600; + color: var(--warning); +} + +.correlation-subsection { + margin-bottom: 20px; +} + +.correlation-subsection:last-child { margin-bottom: 0; } -.detail-section h3 { +.correlation-subtitle { + font-size: 1rem; + font-weight: 600; + color: var(--text-primary); + margin-bottom: 8px; +} + +.correlation-list { + list-style: none; + margin: 0; + padding: 0; +} + +.correlation-list li { + padding: 6px 0; + padding-left: 20px; + position: relative; + color: var(--text-secondary); +} + +.correlation-list li::before { + content: "→"; + position: absolute; + left: 0; + color: var(--warning); + font-weight: bold; +} + +/* Enhanced Info Cards */ +.info-card { + background: var(--bg-secondary); + border: 1px solid var(--border); + border-radius: 12px; + padding: 24px; + margin-bottom: 24px; +} + +.info-card h3 { font-size: 1.125rem; font-weight: 600; - margin-bottom: 12px; + margin-bottom: 16px; color: var(--text-primary); } -.detail-section p, .detail-section li { +.info-card p { color: var(--text-secondary); line-height: 1.7; + margin-bottom: 12px; } -.code-block { +.info-card p:last-child { + margin-bottom: 0; +} + +/* Tool Grid */ +.tools-grid { + display: grid; + grid-template-columns: repeat(auto-fit, 
minmax(300px, 1fr)); + gap: 16px; + margin-top: 16px; +} + +.tool-card { background: var(--bg-primary); border: 1px solid var(--border); - padding: 16px; border-radius: 8px; - font-family: 'SF Mono', Monaco, 'Cascadia Code', 'Roboto Mono', monospace; + padding: 16px; + transition: all 0.2s; +} + +.tool-card:hover { + border-color: var(--accent); + background: var(--bg-hover); +} + +.tool-name { + font-weight: 600; + color: var(--accent); + margin-bottom: 4px; +} + +.tool-description { font-size: 0.875rem; - margin: 12px 0; color: var(--text-secondary); } -.example-list { - list-style: none; - margin: 12px 0; +/* Examples */ +.examples-grid { + display: grid; + gap: 12px; + margin-top: 16px; } -.example-list li { - padding: 12px 16px; +.example-item { background: var(--bg-primary); border: 1px solid var(--border); border-radius: 8px; - margin-bottom: 8px; - font-family: 'SF Mono', Monaco, 'Cascadia Code', 'Roboto Mono', monospace; + padding: 16px; + font-family: 'SF Mono', Monaco, 'Cascadia Code', monospace; font-size: 0.875rem; color: var(--text-secondary); } -.example-list li:last-child { - margin-bottom: 0; -} - -.tool-links { +/* Tags */ +.tag-grid { display: flex; flex-wrap: wrap; gap: 8px; - margin-top: 8px; + margin-top: 16px; } -.tool-link { - display: inline-block; +.tag { + font-size: 0.75rem; + color: var(--text-muted); + background: rgba(255, 255, 255, 0.05); padding: 6px 12px; - background: var(--bg-secondary); - border: 1px solid var(--border); border-radius: 6px; - color: var(--accent); - text-decoration: none; - font-size: 0.875rem; - transition: all 0.2s; -} - -.tool-link:hover { - background: var(--bg-hover); - border-color: var(--accent); - transform: translateY(-1px); -} - -/* Responsive */ -@media (max-width: 768px) { - .container { - padding: 0 16px; - } - - .registry-grid { - grid-template-columns: 1fr; - } - - .search-wrapper { - flex-direction: column; - } - - .filter-grid { - grid-template-columns: 1fr; - } - - .quick-filter-buttons { - 
justify-content: center; - } - - .stats-bar { - grid-template-columns: repeat(2, 1fr); - } - - .sort-options { - justify-content: center; - } - - .modal-content { - margin: 0; - border-radius: 0; - height: 100vh; - max-height: 100vh; - } - - .advanced-search-actions { - flex-direction: column; - } + border: 1px solid var(--border-light); } /* Loading and Empty States */ 
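Review bot: the deleted `@media (max-width: 768px)` block at the end of this hunk drops the mobile rules for `.container`, `.registry-grid`, `.search-wrapper`, `.stats-bar`, `.sort-options`, `.modal-content` and `.advanced-search-actions`, but the breakpoints added further down in this file only restore `.quick-filter-buttons`, `.advanced-search-panel`, `.filter-grid` and `.filter-group select`. Unless those selectors moved to another file, the artifact grid will stop collapsing to one column and the modal will keep its desktop margin and border radius on phones (the old block set `margin: 0; border-radius: 0; height: 100vh;`). Either keep the old block or carry the missing selectors into the new `768px` query.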
@@ -701,3 +970,196 @@ header { .text-high { color: var(--high-priority); } .text-medium { color: var(--medium-priority); } .text-low { color: var(--low-priority); } + + +/* Tool Links Styling */ +.tool-name a { + color: var(--accent); + text-decoration: none; + transition: all 0.2s; +} + +.tool-name a:hover { + color: var(--accent-hover); + text-decoration: underline; +} + +/* Reference Links Styling */ +.info-card ul li a { + color: var(--accent); + text-decoration: none; + transition: all 0.2s; +} + +.info-card ul li a:hover { + color: var(--accent-hover); + text-decoration: underline; +} + +/* Enhanced Quick Filter Buttons for 13 Categories */ +.quick-filter-buttons { + display: flex; + flex-wrap: wrap; + gap: 8px; + justify-content: flex-start; + align-items: center; +} + +.filter-btn { + padding: 10px 20px; + background: transparent; + border: 1px solid var(--border); + border-radius: 8px; + color: var(--text-secondary); + cursor: pointer; + font-size: 0.875rem; + font-weight: 500; + transition: all 0.2s; + white-space: nowrap; + flex: 0 0 auto; + text-align: center; + /* Fixed size - no dynamic shrinking */ + min-width: 120px; +} +.filter-btn:hover { + border-color: var(--accent); + color: var(--accent); + background: rgba(59, 130, 246, 0.1); +} + +.filter-btn.active { + background: var(--accent); + color: white; + border-color: var(--accent); +} + +/* Responsive: Only change layout, not button size */ +@media (max-width: 768px) { + .quick-filter-buttons { + justify-content: center; + } +} + +@media (max-width: 480px) { + .quick-filter-buttons { + display: grid; + grid-template-columns: repeat(2, 1fr); + gap: 8px; + } + + .filter-btn { + min-width: 0; /* Allow grid to control width */ + } +} + +/* Enhanced dropdown styling for 14 investigation types */ +#filter-investigation { + max-height: 250px; + overflow-y: auto; +} + +/* Professional icon styling */ +.nav-icon { + width: 16px; + height: 16px; + margin-right: 12px; + opacity: 0.7; + stroke: currentColor; 
+ stroke-width: 2; + transition: all 0.2s; + flex-shrink: 0; /* Prevent icon shrinking */ +} + +.section-icon { + width: 20px; + height: 20px; + margin-right: 12px; + stroke: var(--accent); + stroke-width: 2; + flex-shrink: 0; /* Prevent icon shrinking */ +} + +/* Enhanced hover effects for nav items */ +.nav-item:hover .nav-icon { + opacity: 1; + stroke: var(--text-primary); +} + +.nav-item.active .nav-icon { + opacity: 1; + stroke: var(--accent); +} + +/* Warning icons in limitations sections */ +.warning-icon { + width: 20px; + height: 20px; + margin-right: 8px; + stroke: var(--error); + stroke-width: 2; + flex-shrink: 0; +} + +/* Update limitations list styling for better icon alignment */ +.limitations-list li::before { + content: ""; + position: absolute; + left: 0; + top: 14px; + width: 12px; + height: 12px; + background: var(--error); + mask: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='currentColor' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Ccircle cx='12' cy='12' r='10'/%3E%3Cline x1='15' y1='9' x2='9' y2='15'/%3E%3Cline x1='9' y1='9' x2='15' y2='15'/%3E%3C/svg%3E") no-repeat center; + mask-size: contain; +} + +/* Better responsive breakpoints for wider panel */ +@media (max-width: 1200px) { + .advanced-search-panel { + max-width: 95%; /* Use more screen space on smaller screens */ + } + + .filter-grid { + grid-template-columns: repeat(auto-fit, minmax(280px, 1fr)); + gap: 20px; + } +} + +@media (max-width: 900px) { + .filter-grid { + grid-template-columns: repeat(auto-fit, minmax(250px, 1fr)); + gap: 18px; + } +} + +@media (max-width: 768px) { + .advanced-search-panel { + max-width: 98%; + } + + .filter-grid { + grid-template-columns: 1fr 1fr; /* Two columns on tablet */ + gap: 16px; + } + + .filter-group select { + padding: 12px 16px; + font-size: 0.875rem; + } +} + +@media (max-width: 480px) { + .filter-grid { + grid-template-columns: 1fr; /* 
Single column on mobile */ + } +} + +/* Mobile responsiveness - allow wrapping on very small screens */ +@media (max-width: 640px) { + .project-info { + white-space: normal; /* Allow wrapping on small screens */ + font-size: 0.85rem; + padding: 0 16px; + margin-top: 12px; + } +} diff --git a/site/index.html b/site/index.html index b8f81bb..b0dc064 100644 --- a/site/index.html +++ b/site/index.html @@ -3,6 +3,47 @@ + + + RegSeek - Windows Registry Forensics Reference | 136+ Registry Artifacts Database + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - RegSeek - Windows Registry Forensics Reference - -
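Review bot: several selectors in this hunk are second declarations of rules added earlier in the same file: `.section-icon` (24px with `font-size: 1.5rem` above, 20px with `stroke` here), `.warning-icon` (same pattern), `.limitations-list li::before` (`content: "⚠"` above, `content: ""` plus a masked SVG here) and `.quick-filter-buttons`. The later rule wins in every case, so the earlier copies are dead code; delete them instead of overriding them, otherwise the next edit to the first copy silently does nothing. Two smaller points: `mask:` on `.limitations-list li::before` is unprefixed, and Chromium only accepted the unprefixed property from version 120, so add a `-webkit-mask` line beside it if older browsers matter; and if `#filter-investigation` is a native `<select>`, `max-height: 250px; overflow-y: auto;` will not constrain its popup list, which the browser sizes itself, so the "14 investigation types" comment promises behaviour the rule cannot deliver. The hard-coded counts in the comments ("13 Categories", "14 investigation types") will also drift from the data; drop them or point at the data file that defines them.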
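Review bot: the new `<title>` bakes the artifact count ("136+ Registry Artifacts Database") into static HTML, replacing the count-free "RegSeek - Windows Registry Forensics Reference". A page title is the first thing search results and browser tabs show, and this number goes stale the moment an artifact is added; either generate the title from the artifact data at build time or keep the count out of it.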