Forensics

Question 1

Program Execution Artifacts (7)

Answer 1

UserAssist, Shimcache, Windows 10 Timeline, RecentApps, Jump Lists, System Resource Usage Monitor, Prefetch

Question 2

Deleted File/File Knowledge Artifacts (4)

Answer 2

Thumbscache, IE/Edge file, Word Wheel Query, Recycle Bin

Question 3

Network Activity Artifacts (4)

Answer 3

Cookies, Network History, Browser Search Terms, System Resource Usage Monitor

Question 4

File/Folder Opening Artifacts (6)

Answer 4

Recent Files, Shell Bags, LNK Files, IE/Edge file, Jump Lists, Prefetch

Question 5

Account Usage Artifacts (2)

Answer 5

Event Logs, RDP Usage

Question 6

External Device/USB Artifacts (2)

Answer 6

Volume Serial Number, Shortcut (LNK) Files

Question 7

Browser Usage Artifacts (5)

Answer 7

History, Cookies, Flash and Super Cookies, Session Restore, Google Analytics Cookies

Question 8

File Download Artifacts (4)

Answer 8

Email Attachments, Browser Artifacts, Downloads, ADS Zone.Identifier

Question 9

UserAssist

Answer 9

Tracks GUI based programs launched from Desktop

Question 10

Windows 10 Timeline

Answer 10

Tracks recently used applications and files. Accessible via Win+tab.

Question 11

Recent Apps

Answer 11

Tracks GUI Program execution launched on Win10.

Question 12

Shimcache

Answer 12

Tracks Windows application compatability

Question 13

System Resource Usage Manager

Answer 13

Records histroical system performance. Applications run + user account, bytes sent per application per hour

Question 14

Prefetch

Answer 14

Increases performance of a system by pre-loading code of commonly used applications.

C:\Windows\Prefetch

Question 15

Thumbscache

Answer 15

Database of thumbnails of pictures, documents, folders, etc

Question 16

IE/Edge History

Answer 16

IE/Edge also tracks file access

Question 17

Word Wheel Query

Answer 17

Key words searched for on the start bar of WIn 7.

Question 18

ADS Zone Identifier

Answer 18

ADS added to files that are downloaded from the internet.

Question 19

Shell Bags

Answer 19

Tracks folder access

In USRCLASS.DAT

Question 20

Shortcut (LNK) files

Answer 20

Automatically generated when opening files.

Question 21

Flash/Super Cookies

Answer 21

Cookies that are more persistant. Almost never cleared and have no expiration date.

Question 22

Mac Cooties

Answer 22

Files containing Apple Extended Metadata (AEM is put into ADS on system architectures that support ADS such as NTFS)

Question 23

Windows Registry Hives and locations

Answer 23

HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS

Question 24

HKEY_LOCAL_MACHINE Contents and location

Answer 24

Windows\system32\config\
HKEY_LOCAL_MACHINE\SYSTEM:
HKEY_LOCAL_MACHINE\SAM:
HKEY_LOCAL_MACHINE\SECURITY:
HKEY_LOCAL_MACHINE\SOFTWARE: