Windows Forensics

Windows Forensics

windows Memory Forensics
Windows Registry Forensics
Windows Registry Forensics with RegRipper
Windows Powershell Forensics
Incident Response Eventhoods
Incident Response splunk filters
LNK Files (Shortcut Files) Forensics
Jump List Forensics
Prefetch Files Forensics
Living off the Land Binaries (LOLBins)
COM (Component Object Model)
Key Email Headers for SOC Analysts and DFIR
Distributed Component Object Model (DCOM)
legitimate Windows processes
UserAssist Keys
Application Compatibility Cache (Shim Cache)
CIDSizeMRU
Start Menu Run MRUs
MUI Cache
BAM (Background Activity Moderator)
SRUM (System Resource Usage Monitor)
Master File Table (MFT), NTFS, $LogFile, and $UsnJrnl: Forensics
🔹 Windows System Processes

Powered by GitBook

On this page

Overview:
Benefits for DFIR:
How It Works:
Tools:

CIDSizeMRU

The CIDSizeMRU registry key tracks the size and position of the File Explorer screen.

Overview:

Purpose: Tracks file dialogs in Windows Explorer, showing which files were accessed or saved using file picker dialogs.
Registry Location:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Structure:
- Stores file paths and recent directory usage.

Benefits for DFIR:

File Access Evidence: Indicates user interaction with files and directories.
Behavioral Analysis: Useful in identifying files that were recently accessed or saved.

How It Works:

Logs information about files accessed or saved through common dialog boxes, including:
- File Path: Most recently accessed directories.
- Timestamps: Indicates recency of usage.

Tools:

Registry Explorer: For manual extraction and analysis.
Regripper: Automates parsing of CIDSizeMRU entries.

PreviousApplication Compatibility Cache (Shim Cache)NextStart Menu Run MRUs

Last updated 5 months ago