# Filter file for log2timeline for triaging Windows systems.
#
# I am unsure of the genesis of this file but I originally came across it in the
# SANS FOR508 class authored by Rob Lee and Chad Tilbury. I have started
# maintaining / updating this file as part of my ongoing research of Plaso.
# Additions to SANS 508 config file by Mark Hallman Version 1.04 - 2018-12-10
#
# This file can be used by image_export or log2timeline to selectively export
# or process a few key files of a Windows system. Paths are matched against the
# image as forward-slash paths, one regular expression per path segment; "[.]"
# is used for a literal dot and "[$]" for a literal dollar sign. It collects:
# * The NTFS $MFT, $LogFile and $UsnJrnl.
# * Contents of the Recycle Bin / Recycler.
# * Windows Registry hives, e.g. SYSTEM and NTUSER.DAT, with their transaction logs.
# * Shortcut (LNK) files from the Recent folders and desktops.
# * Jump List files, automatic and custom destinations.
# * Windows Event Log files (.evt and .evtx) and selected ETL trace logs.
# * Prefetch files.
# * SetupAPI log files.
# * Application Compatibility files: the RecentFileCache and Amcache.
# * Windows scheduled task (At job and Task Scheduler) files.
# * Browser history: IE/Edge, Firefox and Chrome.
# * Browser cookie files: IE.
# * Flash cookies, i.e. LSO/SOL files from the Flash player.
# * Also: Symantec Endpoint Protection logs and quarantine, SRUM, the Windows
#   Search index, Outlook PST/OST, Skype main.db and user Desktop/Documents/Downloads.
###############
# File system artifacts.
###############
/[$]MFT
/[$]LogFile
/[$]Extend/[$]UsnJrnl
###############
# Memory artifacts - include for image_export; log2timeline does not currently
# parse these artifacts.
###############
# /hiberfil.sys
# /pagefile.sys
# /swapfile.sys
# /Windows/memory.dmp
###############
# File system artifacts - include for image_export; log2timeline does not
# currently parse these artifacts.
###############
/[$]Secure
/[$]Boot
/[$]Extend/[$]RmMetadata/[$]TxfLog/[$]Tops
###############
# Windows System Registry hives
###############
/Windows/ServiceProfiles/LocalService/ntuser[.]dat
/Windows/ServiceProfiles/LocalService/ntuser[.]dat[.]LOG[1-9]
/Windows/ServiceProfiles/NetworkService/ntuser[.]dat
/Windows/ServiceProfiles/NetworkService/ntuser[.]dat[.]LOG[1-9]
/Windows/System32/config/RegBack/*[.]LOG[1-9]
/Windows/System32/config/RegBack/SAM
/Windows/System32/config/RegBack/SECURITY
/Windows/System32/config/RegBack/SOFTWARE
/Windows/System32/config/RegBack/SYSTEM
/Windows/System32/config/RegBack/SYSTEM1
/Windows/System32/config/SAM
/Windows/System32/config/SAM[.]LOG[1-9]
/Windows/System32/config/SECURITY
/Windows/System32/config/SECURITY[.]LOG[1-9]
/Windows/System32/config/SOFTWARE
/Windows/System32/config/SOFTWARE[.]LOG[1-9]
/Windows/System32/config/SYSTEM
/Windows/System32/config/SYSTEM[.]LOG[1-9]
/Windows/System32/config/systemprofile/ntuser[.]dat
/Windows/System32/config/systemprofile/ntuser[.]dat[.]LOG[1-9]
###############
# Recycle Bin and Recycler
###############
/[$]Recycle[.]Bin
/[$]Recycle[.]Bin/.+
/[$]Recycle[.]Bin/.+/.+
/[$]Recycle[.]Bin/.+/.+/.+
/[$]Recycle[.]Bin/.+/.+/.+/.+
/RECYCLER
/RECYCLER/.+
/RECYCLER/.+/.+
/RECYCLER/.+/.+/.+
/RECYCLER/.+/.+/.+/.+
###############
# Windows Event Logs
###############
/Windows/System32/winevt/Logs/.+[.]evtx
/Windows/System32/config/.+[.]evt
###############
# Windows Event Trace Logs (ETL)
###############
#/Windows/System32/WDI/[{].+/
/Windows/System32/WDI/LogFiles/.+[.]etl
/Windows/System32/LogFiles/WMI/.+[.]etl
/Windows/System32/LogFiles/WMI/RtBackup/.+[.]etl
/Windows/System32/SleepStudy/.+[.]etl
/ProgramData/Microsoft/Windows/PowerEfficiency Diagnostics/energy-ntkl[.]etl
###############
# SetupAPI device installation logs (USB and other device installs)
###############
/Windows/inf/setupapi[.]dev[.]log
/Windows/setupapi[.]log
###############
# Various log files
###############
/Windows/System32/LogFiles/.+/.+[.]log
/Windows/System32/LogFiles/.+/.+[.]log[.]old
###############
# Anti-Virus Log and Quarantine files
###############
# Symantec
/ProgramData/Symantec/Symantec Endpoint Protection/CurrentVersion/Data/Logs/.+[.]log
/ProgramData/Symantec/Symantec Endpoint Protection/CurrentVersion/Data/Logs/AV/.+[.]log
/ProgramData/Symantec/Symantec Endpoint Protection/CurrentVersion/Data/Quarantine/.+[.]VBN
/ProgramData/Symantec/Symantec Endpoint Protection/CurrentVersion/Data/Quarantine/.+/.+[.]VBN
/ProgramData/Symantec/Symantec Endpoint Protection/PersistedData/sephwid.xml
/Users/.+/AppData/Local/Symantec/Symantec Endpoint Protection/Logs/.+[.]log
###############
# Prefetch files
###############
/Windows/Prefetch/.+
###############
# Windows Execution Artifacts
###############
/Windows/Tasks/.+[.]job
/Windows/System32/Tasks/.+
/Windows/System32/Tasks/.+/.+
/Windows/System32/Tasks/.+/.+/.+
/Windows/System32/Tasks/.+/.+/.+/.+
/Windows/AppCompat/Programs/RecentFileCache[.]bcf
/Windows/AppCompat/Programs/Amcache[.]hve
/Windows/AppCompat/Programs/Amcache[.]hve[.]LOG[1-9]
/Windows/System32/wbem/Repository/.+
/Windows/SchedLgU.txt
###############
# SRUM
###############
/Windows/System32/SRU
###############
# Windows Search Index
###############
/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows[.]edb
###############
# Browser history artifacts
###############
###############
# Internet Explorer Browser history artifacts
###############
/Documents and Settings/.+/Application Data/Microsoft/Internet Explorer/UserData/index[.]dat
/Documents and Settings/.+/Application Data/Microsoft/Office/Recent/index[.]dat
/Documents and Settings/.+/Cookies/index[.]dat
/Documents and Settings/.+/Local Settings/History/History.IE5/.+/index[.]dat
/Documents and Settings/.+/Local Settings/History/History.IE5/index[.]dat
/Documents and Settings/.+/Local Settings/Temporary Internet Files/Content.IE5/index[.]dat
/Users/.+/AppData/Local/Microsoft/Internet Explorer/Recovery/.+/.+[.]dat
/Users/.+/AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/.+/.+[.]dat
/Users/.+/AppData/Local/Microsoft/Windows/History/Low/History.IE5/index[.]dat
/Users/.+/AppData/Local/Microsoft/Windows/History/Low/History.IE5/MSHist.+/index[.]dat
/Users/.+/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/index[.]dat
/Users/.+/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/index[.]dat
/Users/.+/AppData/Local/Microsoft/Windows/WebCache/.+[.]dat
/Users/.+/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat
/Users/.+/AppData/Local/Packages/Microsoft.MicrosoftEdge_8wekyb3d8bbwe/AC/MicrosoftEdge/User/Default/DataStore/Data/nouser1/120712-0049/DBStore/spartan.edb
/Users/.+/AppData/Roaming/Macromedia/FlashPlayer/#SharedObjects/.+[.]sol
/Users/.+/AppData/Roaming/Microsoft/Office/Recent/index[.]dat
/Users/.+/AppData/Roaming/Microsoft/Windows/Cookies/index[.]dat
/Users/.+/AppData/Roaming/Microsoft/Windows/Cookies/Low/index[.]dat
/Users/.+/MicrosoftEdgeBackups/backups/.+/DatastoreBackup/spartan.edb
/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Internet Explorer/Recovery/.+/.+[.]dat
/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Internet Explorer/Recovery/Immersive/.+/.+[.]dat
/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Windows/History/.+
/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Windows/Temporary Internet Files/.+
/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Windows/WebCache/.+[.]dat
/Windows/System32/config/systemprofile/AppData/Roaming/Microsoft/Windows/Cookies/index[.]dat
/Windows/System32/config/systemprofile/AppData/Roaming/Microsoft/Windows/Cookies/Low/index[.]dat
###############
# Chrome Browser history artifacts
###############
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Bookmarks.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Cookies.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Current Session.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Current Tabs.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Favicons.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/History.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Last Session.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Last Tabs.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Preferences.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Shortcuts.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Top Sites.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Visited Links.+
/Documents and Settings/.+/Local Settings/Application Data/Google/Chrome/User Data/Default/Web Data.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Cookies.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Current Session.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Current Tabs.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Favicons.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/History.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Last Session.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Last Tabs.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Preferences.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Shortcuts.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Top Sites.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Bookmarks.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Visited Links.+
/Users/.+/AppData/Local/Google/Chrome/User Data/Default/Web Data.+
###############
# Firefox Browser history artifacts
###############
/Documents and Settings/.+/Application Data/Mozilla/Firefox/Profiles/.+/.+[.]sqlite
/Users/.+/AppData/Roaming/Mozilla/Firefox/Profiles/.+/.+[.]sqlite
###############
# Users Registry hives & associated logs
###############
/Documents and Settings/.+/ntuser[.]dat
/Users/.+/AppData/Local/Microsoft/Windows/UsrClass[.]dat
/Users/.+/AppData/Local/Microsoft/Windows/UsrClass[.]dat[.]LOG[1-9]
/Users/.+/ntuser[.]dat
/Users/.+/ntuser[.]dat[.]LOG[1-9]
###############
# Recent file activity
###############
/Documents and Settings/.+/Recent/.+[.]LNK
/Documents and Settings/.+/Desktop/.+[.]LNK
/Users/.+/AppData/Local/ConnectedDevicesPlatform/.+/ActivitiesCache[.]db
/Users/.+/AppData/Local/Microsoft/Windows/Explorer/thumbcache_.+[.]db
/Users/.+/AppData/Roaming/Microsoft/Office/Recent/.+[.]LNK
/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/.+[.]LNK
/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/.+[.]automaticDestinations-ms
/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/.+[.]customDestinations-ms
/Users/.+/Desktop/.+[.]LNK
###############
# Chat client artifacts
###############
###############
# Skype client artifacts
###############
/Users/.+/AppData/Local/Packages/Microsoft.SkypeApp_.+/LocalState/.+/main.db
/Documents and Settings/.+/Application Data/Skype/.+/main.db
###############
# Email - currently only Outlook
###############
/Documents and Settings/.+/Local Settings/Application Data/Microsoft/Outlook/.+[.]pst
/Documents and Settings/.+/Local Settings/Application Data/Microsoft/Outlook/.+[.]ost
/Users/.+/AppData/Local/Microsoft/Outlook/.+[.]pst
/Users/.+/AppData/Local/Microsoft/Outlook/.+[.]ost
###############
# User Documents
###############
/Users/.+/Desktop/.+
/Users/.+/Documents/.+
/Users/.+/Downloads/.+
/Users/.+/Dropbox.+/.+
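###############
# Added example: checking a filter file before use (not part of the original
# file and not plaso's own code)
###############
# The Python below is a small approximation, written for this page, of how
# plaso turns each line above into a dfvfs FindSpec. It assumes (an assumption
# about plaso, not a quote of its source) that a line is split on "/" and every
# segment becomes an anchored, case-insensitive regular expression that must
# match exactly one path segment. That model explains two conventions used
# throughout this file: "[.]" for a literal dot, and the Recycle Bin entries
# repeated once per directory level, because ".+" never spans a "/". The
# filter excerpt and the sample paths are constructed for the demonstration;
# the last two filter entries are deliberately broken to show what the checks
# catch: a misspelled directory that silently selects nothing, and an unclosed
# bracket that is not a valid regular expression.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a filter file; lines 8 and 9 are deliberately broken.
FILTER_TEXT = """\
# File system artifacts.
/[$]MFT
/[$]Extend/[$]UsnJrnl
/[$]Recycle[.]Bin/.+/.+
/Windows/System32/winevt/Logs/.+[.]evtx
/Users/.+/AppData/Roaming/Microsoft/Windows/Recent/.+[.]LNK
/Users/.+/ntuser[.]dat[.]LOG[1-9]
/Windows/System32/LogFles/WMI/.+[.]etl
/Windows/Prefetch/[unclosed
"""

# Constructed sample paths as they would appear inside a mounted image.
SAMPLE_PATHS = [
    "/$MFT",
    "/$Extend/$UsnJrnl",
    "/$Recycle.Bin/S-1-5-21-1004336348-1177238915-682003330-1001/$I3RJK7P.txt",
    "/$Recycle.Bin/S-1-5-21-1004336348-1177238915-682003330-1001/$R3RJK7P/notes.txt",
    "/Windows/System32/winevt/Logs/Security.evtx",
    "/Users/alice/AppData/Roaming/Microsoft/Windows/Recent/report.lnk",
    "/Users/alice/ntuser.dat.LOG1",
    "/Users/alice/ntuser.dat",
    "/Windows/System32/LogFiles/WMI/LwtNetLog.etl",
]


def parse_filter(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, path) for every non-blank, non-comment line."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append((number, line))
    return entries


def compile_segments(path: str) -> Optional[List[re.Pattern]]:
    """Compile each "/"-separated segment as an anchored, case-insensitive
    regex (assumed plaso semantics). None if a segment is not a valid regex."""
    compiled = []
    for segment in path.strip("/").split("/"):
        try:
            compiled.append(re.compile(f"^{segment}$", re.IGNORECASE))
        except re.error:
            return None
    return compiled


def path_matches(filter_path: str, sample: str) -> bool:
    """True when sample has the same number of segments as filter_path and
    every segment satisfies the corresponding regex, so ".+" covers one
    directory level only, never a whole subtree."""
    compiled = compile_segments(filter_path)
    if compiled is None:
        return False
    parts = sample.strip("/").split("/")
    if len(parts) != len(compiled):
        return False
    return all(regex.match(part) for regex, part in zip(compiled, parts))


def invalid_lines(text: str) -> List[int]:
    """Line numbers whose path does not compile as a regular expression."""
    return [n for n, p in parse_filter(text) if compile_segments(p) is None]


def selections(text: str, samples: List[str]) -> Dict[str, List[int]]:
    """Map each sample path to the filter line numbers that select it."""
    entries = parse_filter(text)
    return {s: [n for n, p in entries if path_matches(p, s)] for s in samples}


def dead_lines(text: str, samples: List[str]) -> List[int]:
    """Valid filter lines that select none of the samples: either the sample
    set is incomplete or the line is a typo that would collect nothing."""
    hit = {n for lines in selections(text, samples).values() for n in lines}
    return [n for n, p in parse_filter(text)
            if compile_segments(p) is not None and n not in hit]


if __name__ == "__main__":
    print("invalid regex on lines:", invalid_lines(FILTER_TEXT))
    for sample, lines in selections(FILTER_TEXT, SAMPLE_PATHS).items():
        print(f"{sample:80} -> {lines or 'NOT selected'}")
    print("filter lines matching no sample:", dead_lines(FILTER_TEXT, SAMPLE_PATHS))
```

# In the constructed excerpt, line 9 is reported as an invalid regex, line 8
# (the "LogFles" misspelling) matches no sample, the four-segment Recycle Bin
# path is not selected by the three-segment entry, and "report.lnk" is still
# selected by the "[.]LNK" entry because matching is case-insensitive. Run a
# check like this against a sample path list from a known-good image before
# handing the file to image_export.py -f <filter> -w <export dir> <image> or
# log2timeline.py -f <filter> --storage-file <out.plaso> <image>; a line that
# selects nothing is usually a typo that would silently collect nothing.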