Merge pull request #83 from AndrewRathbun/master

AndrewRathbun · web-flow · commit 67c75accb9a0 · 2024-11-26T16:09:36.000-05:00
update DFIRBatch.reb to 2.07 - add various artifacts from DEFAULT hive
diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md
@@ -53,6 +53,7 @@ Example entry, please follow this format:
 | 2.04 | 2024-08-25 | Added Various Windows Defender, Microsoft Security Essentials and SmartScreen artifacts. Also added LogonBanner and SpecialAccounts |
 | 2.05 | 2024-09-01 | Added new artifacts related to the third party application MobaTek MobaXTerm |
 | 2.06 | 2024-09-06 | Added various JPCert artifacts around remote access tools, Added LogonStats and an example of DEFAULT registry hive use with WinSCP  |
+| 2.07 | 2024-11-26 | Added new artifacts from the DEFAULT registry hive  |
 
 # Documentation
 
diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
@@ -1,6 +1,6 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
-Version: 2.06
+Version: 2.07
 Id: 2e1589f5-e31a-4bef-822f-075d56afdddd
 Keys:
 #
@@ -1435,6 +1435,15 @@ Keys:
 
 # SCSI plugin - https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.SCSI
 
+# Devices -> Default Printers (DEFAULT)
+    -
+        Description: Default Printers
+        HiveType: DEFAULT
+        Category: User Activity
+        KeyPath: Printers\ConvertUserDevModesCount
+        Recursive: true
+        Comment: "Displays the printer options available to the user"
+
 # --------------------
 # NETWORK SHARES
 # --------------------
@@ -1547,6 +1556,16 @@ Keys:
 
 # https://superuser.com/questions/618555/what-values-are-defined-for-the-specialaccounts-userlist-key-and-what-i-is-their/926453#926453
 
+# User Accounts -> Stored Identites (DEFAULT)
+
+    -
+        Description: Stored Identities
+        HiveType: DEFAULT
+        Category: User Accounts
+        KeyPath: Software\Microsoft\IdentityCRL\StoredIdentities\*\*
+        Recursive: true
+        Comment: "Displays information about Microsoft accounts that have signed into a computer"
+
 # --------------------
 # PROGRAM EXECUTION
 # --------------------
@@ -3000,6 +3019,16 @@ Keys:
         Recursive: true
         Comment: "Displays the user's specified storage location for Dropbox"
 
+# Cloud Storage -> Cloud-related Folders (DEFAULT)
+
+    -
+        Description: Cloud-related Folders
+        HiveType: DEFAULT
+        Category: Cloud Storage
+        KeyPath: Software\Microsoft\Windows\CurrentVersion\StorageSense\SuggestedFolders\*\Suggestions\*
+        Recursive: true
+        Comment: "Displays evidence of cloud-related folders that exist or have existed previously"
+
 # --------------------
 # SERVICES
 # --------------------
