Windows: Filesystem
The core NTFS metadata file recording every file and directory on a volume, including timestamps, sizes, and resident data streams.
Persistent log of all file and directory changes on an NTFS volume, capturing create, delete, rename, and data modification events.
NTFS B-tree directory index that can retain references to deleted files in slack space, revealing historical directory contents.
NTFS journaling file that records metadata transactions for filesystem recovery, useful for reconstructing recent file operations.
Point-in-time snapshots of entire volumes that preserve previous versions of files, often containing evidence deleted from the live filesystem.
Metadata ($I) and content ($R) files in the Recycle Bin that record original paths, deletion timestamps, and file sizes for deleted items.
System-level snapshots preserving registry hives, system files, and configuration state prior to significant system changes.
Windows: Execution
Windows prefetch files (.pf) that record application execution with timestamps, run counts, and referenced DLLs and files.
Application compatibility cache stored in the SYSTEM registry hive, tracking executables that have been run or inspected by the OS.
Registry hive tracking application execution, installed programs, drivers, and shortcuts with SHA-1 hashes and file metadata.
ESE database tracking per-application CPU time, network bytes, and energy usage over 30-60 days with hourly granularity.
Extensible Storage Engine database containing indexed metadata and partial content of files, emails, and messages across the system.
ROT13-encoded registry entries tracking GUI program execution counts and last-run timestamps for each user profile.
Registry keys recording full paths and last execution timestamps of background applications, available on Windows 10+.
Shell link files containing target paths, MAC timestamps, volume serial numbers, and machine IDs for accessed files and applications.
Automatic and custom destination files linking applications to recently and frequently accessed files via embedded LNK data.
XML task definitions in System32\Tasks recording triggers, actions, security contexts, and creation metadata for persistence mechanisms.
Windows: Registry
Per-user registry hive containing software settings, recent documents, run keys, search history, and mapped network drives.
Registry hive storing local user accounts, password hashes, group memberships, login counts, and last login timestamps.
Machine-wide registry hive containing hardware configuration, services, drivers, mounted devices, and network interface settings.
System-wide registry hive recording installed software, OS version, networking configuration, and persistence autorun entries.
Per-user registry hive containing COM class registrations, file associations, ShellBags, and virtualized registry data.
Registry entries preserving Explorer folder view preferences that reveal historical folder access, including deleted and removable media paths.
Registry keys tracking recently opened files, typed paths, run commands, and search terms ordered by access recency.
Registry keys recording paths and URLs manually typed into Explorer and Internet Explorer address bars by the user.
Windows: Event Logs
Primary Windows audit log capturing logon events, privilege use, object access, policy changes, and account management activities.
System-level event log recording service start/stop events, driver failures, time changes, and hardware errors.
Detailed PowerShell execution logging including script block contents, module loading, and command invocation with full parameter capture.
Sysinternals driver logging process creation, network connections, file creation, registry changes, and DNS queries with hash values.
Remote Desktop Protocol logs across Security, TerminalServices, and RemoteConnectionManager channels tracking lateral movement sessions.
Event log recording scheduled task registration, execution, completion, and failure events used to detect persistence mechanisms.
High-performance kernel and user-mode tracing infrastructure providing granular process, network, and file I/O telemetry.
Windows: Browser
SQLite databases and LevelDB stores containing browsing history, downloads, cookies, autofill, saved passwords, and session data.
SQLite database storing browsing history, bookmarks, download records, and input history with precise visit timestamps.
ESE database used by legacy Edge and IE containing cached URLs, cookies, download history, and DOM storage records.
Windows: Email
Offline (OST) and personal (PST) storage files containing email messages, attachments, calendar entries, contacts, and tasks.
Message tracking, SMTP protocol, OWA/ECP IIS, and admin audit logs capturing email flow, web access, and administrative actions.
Windows: Network
In-memory DNS resolver cache and static HOSTS file entries revealing recently resolved domain names and potential DNS hijacking.
Text-based log recording allowed and dropped connections with source/destination IPs, ports, protocols, and packet sizes.
Registry and policy-defined firewall rules revealing allowed applications, port exceptions, and potential attacker-created allow rules.
Registry and event log records of wireless network connections including SSIDs, connection timestamps, and network profiles.
Registry keys, setupapi logs, and event logs tracking USB device connections with serial numbers, first/last connect times, and drive letters.
Windows: Memory
Virtual memory paging file containing swapped-out memory pages that may preserve process data, credentials, and malware artifacts.
Compressed full or partial memory dump written during hibernation or fast startup, enabling offline RAM analysis.
Kernel and minidump files generated during system crashes containing memory snapshots, loaded drivers, and stack traces.
Windows: Other
Registry service configurations and System event log entries tracking service installations, failures, and state changes.
Print spooler event logs and spool files recording print job metadata, document names, users, and printer targets.
Domain and local group policies defining security settings, software deployment, logon scripts, and registry modifications.
Windows vault storing encrypted web and Windows credentials including saved passwords, certificates, and generic credentials.
Access tokens and Kerberos tickets associated with user sessions, revealing privilege levels, group memberships, and impersonation activity.
macOS
Centralized logging framework capturing system, application, and kernel messages with nanosecond timestamps and structured metadata.
macOS filesystem event store recording file and directory changes with event IDs, flags, and paths across all mounted volumes.
Indexed file metadata store containing content types, creation dates, authors, and extracted text for rapid search across the filesystem.
SQLite database tracking application usage, device activity, screen time, media playback, and Safari browsing history with timestamps.
Apple diagnostic data recording application launch counts, CPU usage, and execution metrics aggregated over daily intervals.
Transparency, Consent, and Control database recording application access grants for camera, microphone, disk, contacts, and location.
Encrypted credential store containing passwords, certificates, encryption keys, and secure notes with access control lists per entry.
SQLite databases storing browsing history, downloads, bookmarks, tabs, and extension data with visit counts and timestamps.
SQLite database recording files downloaded from the internet with source URLs, download timestamps, and originating applications.
APFS filesystem snapshots and Time Machine backups providing point-in-time recovery and historical file state comparison.
Trust certificates created when iOS devices are paired with a Mac, enabling forensic imaging and revealing device connection history.
Per-application log files in ~/Library/Logs and /var/log recording application-specific events, errors, and diagnostic data.
Property list files storing application preferences, system configuration, launch agents/daemons, and login items.
System and application preferences tracking recently opened applications, documents, and servers accessed by the user.
Plist files recording paired Bluetooth devices with MAC addresses, device names, pairing dates, and connection history.
Wireless network configuration profiles storing SSIDs, security types, auto-join preferences, and connection timestamps.
Shell history files (.bash_history, .zsh_history) recording command-line activity with optional timestamps for each user.
CUPS print system logs and spool files recording print job submissions, document names, page counts, and destination printers.
Application and system crash logs containing stack traces, thread states, loaded libraries, and exception details for crashed processes.
Application Layer Firewall logs recording allowed and blocked connections with process names, directions, and socket details.
System network preferences recording interface configurations, DNS servers, proxy settings, VPN profiles, and routing tables.
IOKit registry and system logs tracking USB device connections with vendor IDs, product IDs, serial numbers, and mount points.
Thumbnail and preview cache database preserving rendered previews of files even after the original files have been deleted.
Plist files recording network servers accessed via Finder including SMB, AFP, FTP, and WebDAV connection URLs.
SQLite database storing delivered notifications from applications with timestamps, content previews, and application bundle identifiers.
Saved Automator workflow files (.workflow) and quick actions that can automate system tasks and potentially serve as persistence mechanisms.
Apple Mail SQLite index and emlx files containing email headers, body content, attachments, and account configuration metadata.
Linux
Authentication log recording login attempts, SSH sessions, sudo usage, PAM events, and user account changes.
General system log aggregating messages from daemons, kernel, and applications with facility and severity classifications.
Binary login accounting files tracking successful logins (wtmp), failed attempts (btmp), and per-user last login records (lastlog).
Shell command history files recording user-executed commands with optional timestamps, revealing attacker activity and lateral movement.
Binary structured log managed by journald with indexed fields, boot sessions, and service-level log isolation.
Linux Audit Framework logs capturing syscalls, file access, user commands, and security-relevant events with configurable rules.
Virtual filesystem exposing live kernel and process state including command lines, memory maps, network connections, and file descriptors.
Cron daemon logs and user/system crontab files recording scheduled task execution, modifications, and persistence entries.
APT, YUM, DNF, and Pacman logs recording package installations, updates, removals, and repository changes with timestamps.
HTTP access logs recording client IPs, request methods, URIs, response codes, user agents, and referrers for web traffic analysis.
Web server error logs capturing application exceptions, configuration issues, and failed request details useful for exploit detection.
System Activity Reporter binary data files recording CPU, memory, disk I/O, and network statistics at regular intervals.
Kernel ring buffer and kern.log messages recording hardware events, driver activity, OOM kills, and security module alerts.
OpenSSH daemon logs in auth.log capturing connection attempts, key exchanges, authentication methods, and session details.
Critical configuration files including passwd, shadow, sudoers, hosts, resolv.conf, and network interfaces for baseline comparison.
Sudo command logging in auth.log and optional sudoers I/O logging capturing privilege escalation attempts and administrative commands.
Mandatory access control logs recording policy violations, denied operations, and security context transitions for confined processes.
X.org server logs and Xauthority files recording display server events, connected clients, and authentication cookies.
Postfix, Sendmail, and Dovecot logs recording email delivery, relay attempts, authentication events, and queue processing.
Shell initialization files that execute on login or shell start, commonly modified for persistence via aliases, functions, or backdoor commands.
Docker daemon logs, container stdout/stderr, and overlay filesystem layers recording containerized application activity and configuration.
BIND, Unbound, and systemd-resolved query logs recording DNS resolution requests, responses, and cache behavior.
Samba SMB/CIFS server logs recording file share access, authentication events, and protocol negotiation details.
KVM/QEMU, libvirt, and VMware ESXi logs recording virtual machine lifecycle events, resource allocation, and guest interactions.
SSH key pairs, authorized_keys files, known_hosts entries, and client/server configuration revealing trust relationships and access patterns.
Kernel parameter configuration in /etc/sysctl.conf and /proc/sys revealing IP forwarding, ASLR, and other security-relevant tuning.
SNMP daemon logs recording management queries, community string usage, trap events, and network device monitoring activity.
LDAP directory server logs recording bind operations, search queries, modifications, and access control decisions.
Web server configuration files defining virtual hosts, SSL settings, access controls, and module configurations for baseline analysis.
Mobile
Comprehensive diagnostic archive containing system logs, crash reports, network state, and process information from iOS devices.
Trust pairing records enabling USB communication between iOS devices and host computers, critical for device imaging authorization.
HealthKit SQLite database and XML exports containing step counts, heart rate, location-correlated workouts, and device sensor data.
Screen Time database tracking per-app usage durations, notification counts, device pickups, and website visit frequencies.
Location databases recording GPS coordinates, cell tower connections, Wi-Fi positioning, and significant location history.
Android system log capturing application messages, system events, crash traces, and debug output across multiple ring buffers.
Per-application SQLite databases storing contacts, call logs, SMS/MMS, browser history, and app-specific structured data.
Android Debug Bridge backup mechanisms and extraction techniques for acquiring application data, shared storage, and system partitions.
SQLite database containing SMS and MMS messages with timestamps, phone numbers, message bodies, and delivery status records.
Cloud / SaaS
Microsoft 365 centralized audit log capturing Exchange, SharePoint, Teams, Azure AD, and compliance activities across the tenant.
Entra ID authentication logs recording sign-in attempts, MFA challenges, conditional access evaluations, and token issuance events.
SharePoint Online audit events tracking file access, sharing changes, permission modifications, and site administration actions.
Google Workspace admin and user activity logs covering Drive, Gmail, Calendar, and admin console operations with detailed event parameters.
AWS API activity log recording management and data events across all services with caller identity, IP, and request parameters.
Google Cloud audit logs capturing admin activity, data access, system events, and policy denied events across GCP projects.
OT / ICS / SCADA
Industrial process data historians storing time-series sensor readings, setpoint changes, alarm events, and operator actions.
Programmable Logic Controller project exports containing ladder logic, function blocks, I/O configurations, and firmware metadata.
Network security monitor logs parsing protocol-level metadata for HTTP, DNS, SSL, SMB, and industrial protocols from captured traffic.
Full packet captures and flow records providing complete network traffic reconstruction and connection-level metadata analysis.
Industrial protocol captures recording register reads/writes, control commands, and device communications on SCADA networks.
Human-Machine Interface event and alarm logs recording operator interactions, setpoint changes, and process alarm histories.
Network
DNS server query and response logs recording resolution requests, NXDOMAIN responses, and recursive/authoritative query patterns.
Forward and reverse proxy logs recording HTTP/HTTPS requests with URLs, user agents, response codes, and content categories.
Perimeter and internal firewall logs recording allowed, denied, and dropped traffic with 5-tuple flow data and rule hit counts.
Certificate Transparency logs and TLS inspection records revealing certificate chains, issuers, validity periods, and potential MITM indicators.
DHCP server lease records mapping IP addresses to MAC addresses, hostnames, and lease duration for device identification and tracking.
Cryptocurrency
Bitcoin Wallet & Transaction Forensics: wallet.dat, debug.log, blockchain analysis, on-chain tracing
Ethereum Wallet & Smart Contract Forensics: Keystore files, Geth, MetaMask, transaction receipts
Cryptocurrency Wallet Forensics - General: Hardware wallets, exchange apps, seed phrases, clipboard
IoT / Smart Home
Amazon Alexa / Echo Forensics: Voice commands, routines, smart home, shopping lists
Google Home / Nest Forensics: Voice history, Nest cameras, Takeout export
Apple HomeKit Forensics: Home config, device pairings, automations, CloudKit
Ring / Smart Camera Forensics: Motion events, video recordings, geofencing, access logs
IoT Device Forensics - General: Firmware, PCAP, MQTT, Zigbee/Z-Wave, companion apps
Windows: Additional
Windows Notification Center: wpndatabase.db, toast notifications, badge updates
Cortana / Windows Search Assistant: Voice commands, search queries, reminders, notebook
Siri / Spotlight Suggestions (macOS): Voice history, behavior predictions, SiriAnalytics
Vehicle Forensics
Vehicle Infotainment Systems: Bluetooth, call logs, SMS sync, media, CarPlay/Android Auto
OBD-II / Vehicle Diagnostics: Fault codes, freeze frames, VIN, CAN bus, dongles
Vehicle Navigation / GPS History: Destinations, saved locations, routes, map tiles
P2P / Torrent
BitTorrent Protocol Forensics: .torrent files, DHT tables, peer logs, content hashes
uTorrent / qBittorrent Client: resume.dat, fastresume, download history, RSS feeds
P2P File Sharing - General: BitTorrent, eDonkey, shared folders, peer lists
Gaming
Steam Client Forensics: Accounts, chat, friends, play time, Steam Guard
Xbox / PlayStation Console: Profiles, messages, saves, captures, network history
Gaming Chat & Communication: Discord, Steam chat, in-game logs, Twitch
Legacy Communication
AIM (AOL Instant Messenger): Buddy lists, HTML chat logs, discontinued 2017
MSN / Windows Live Messenger: XML chat history, contacts, discontinued 2014
Yahoo! Messenger: XOR-encrypted archives, webcam logs, discontinued 2018
IRC (Internet Relay Chat): mIRC/HexChat/irssi logs, DCC transfers, configs
Legacy IM - General Reference: ICQ, Trillian, Pidgin, Google Talk, common patterns