Jumplist Parser
A Rust parser for the Windows Jumplist artifact
In Windows, Jumplist files store a history of recently accessed files or activities associated with specific applications. In this blog post, I'll explore the structure of this artifact, what it's used for, and how it can be valuable in digital forensic investigations.
On Windows 11, Notepad stores a cache of recently opened files. This cache contains valuable information, such as file paths, file contents, and other useful data. In this article, we will examine the structure of the Notepad cache and provide a custom parser to extract this information for forensic investigations.
TLDR; $SDS is an artifact of NTFS file systems. This artifact contains the security descriptors for all files and folders on the drive, which means it holds information about each file's owner and permissions. I also wrote a Rust 🦀 parser for this artifact that you can download from my GitHub.
Analysing the digital forensics artifacts for the Impacket tool smbexec.py
I decided to start a new blog post series that will focus on Windows forensic artifacts. In these posts, I will try to go through all Windows artifacts (at least until I get bored), understand their structure, and write a Rust parser for each of them.
certutil is a built-in tool on Windows systems that is used to manage certificates. However, certutil can also be used to download files from the internet. In this blog post we will take a look at the artifacts generated by certutil when it downloads a file.