
: Use artifacts like Prefetch or ShimCache (AppCompatCache) to prove a file was not just present, but actually executed.

: Standard locations like Downloads and Documents are the first places to check for user-created data or downloaded tools.

🛠️ Key Forensic Tools for Analysis

: Search for specific suspicious filenames (e.g., Changelog.txt) or tools (e.g., mimikatz) within the registry or common user folders.

: These are found in the UsrClass.dat hive and track a user's browsing history within File Explorer. They store information about which folders were opened, their window size, and their view settings, even if the folder has since been deleted.

: Used to load hives like NTUSER.DAT and SOFTWARE to view human-readable data from otherwise complex registry files.

To track a user's recent activity, forensics experts analyze specific registry keys that store "shortcuts" to recently opened items.

: A command-line tool often used in conjunction with batch files to quickly extract specific artifacts from registry hives.
