openrest.blogg.se

Recentapps sans forensics

I was roaming around some Win10 images and noticed I had the RecentApps registry key to go through. I don’t see it that often and thought I should go and take a look at when Microsoft added it, and took it away. Thankfully, past me had the smarts to create a bunch of Windows 10 VMs! Where did I find the ISOs you ask? I can’t remember. Microsoft hosted them somewhere for a bit, maybe they still do?

Anyways, here’s a table that I put together of Win10 systems that have the RecentApps key available in a base install.

Version

*I’m putting a star next to 1709 because others have seen RecentApps on this version, so maybe it’s a configuration setting? From Vico’s talk, I’m reading that 1709 was either the last version to have it, or the first version to not have it. Maybe it was updating the key if it existed? I haven’t tested what happens when you run updates, but I do know that it was not in my 1709 install, but I’ve seen it populated on at least one system when 1709 was active. So my working theory is that 1709 would populate the key if it existed, but that hasn’t been tested. At the very least, we no longer have the key. On my Windows SIFT Workstation, which was updated from 1709 to 1903 on 27 August 2019, I can see items accessed right until the update. And we should only really see it for sure in 16, and maybe 1709.

I also don’t really know why Microsoft had it in there to begin with, and if Microsoft previously had use for the data, they probably still do but have moved it into a different location.

Aug, by Aditya Balapure: The SANS Investigate Forensic Toolkit (SIFT) is an interesting tool created by the SANS Forensic Team and is available publicly and freely for the whole community. It comes with a set of preconfigured tools to perform computer forensic digital investigations. The SANS categorization of artifacts can help forensic examiners focus their effort: Program Execution, User Assist, Windows 10 Timeline, RecentApps.