Tag Archives: artefact locations

HTTP Cookies – Part 3 – Chrome Cookies

Posted on April 27, 2016 by HatsOffSecurity

Chrome Location Windows 7 onwards: %LocalAppData%\Google\Chrome\User Data\Default Unlike Internet Explorer (and like Firefox) Chrome does not use individual text files, but instead uses a SQLite database. In order to view this you will need a SQLite browser (easy to get … Continue reading →

Posted in Browser Forensics, Chrome, Cookies | Tagged artefact locations, basics, browser forensics, chrome, hats off security, Windows 10, windows 7, windows 8.1, Windows8 | Leave a comment

HTTP Cookies – Part 2 – Firefox

Posted on April 26, 2016 by HatsOffSecurity

Firefox Location Windows 7 and onwards %AppData%\Mozilla\Firefox\Profiles\<profile.name>\cookies.sqlite Unlike Internet Explorer (and like Chrome) Firefox does not use individual text files for storing cookies, instead it uses a SQLite database. In order to view this you will need a SQLite browser … Continue reading →

Posted in Browser Forensics, Cookies, Firefox | Tagged artefact locations, browser forensics, cookies, firefox, hats off security, Windows 10, windows 7, windows 8.1, Windows8 | Leave a comment

HTTP Cookies – Part 1 – Internet Explorer and Microsoft Edge

Posted on April 23, 2016 by HatsOffSecurity

Finding Internet Explorer/Edge Cookies (Windows 7-10… possibly Vista, but who uses Vista?!) Microsoft introduced a cool new way of finding your cookies. From the Run prompt or any Explorer window type “shell:cookies” and you will be taken to the Cookies … Continue reading →

Posted in Browser Forensics, Cookies, Internet Explorer, Microsoft Edge | Tagged artefact locations, basics, browser forensics, cookies, hats off security, internet explorer, Microsoft Edge, Windows 10, windows 7, windows 8.1, Windows8 | Leave a comment

Removing Cookies

Posted on April 23, 2016 by HatsOffSecurity

Do you know how many cookies are tracking you? Have you tried to clear the cookies only to find some things not quite gone? Well I have a product for you!… just kidding, it sounded like an advert, so I … Continue reading →

Posted in Browser Forensics, Cookies | Tagged artefact locations, browser forensics, cookies, hats off security | Leave a comment

USB Forensic “Roadmap”

Posted on February 13, 2015 by HatsOffSecurity

As I have been researching and investigating USB Forensics I put together a “Roadmap” for my own personal reference. I made it using Maltego Case File and refer to it every now and then when I am attempting to remember … Continue reading →

Posted in Cyber, Research, USB Forensics, Windows Forensics | Tagged artefact locations, hats off security, USB, windows 7, Windows Registry Forensics, Windows8 | Leave a comment

Windows XP Restore Points

Posted on January 20, 2015 by HatsOffSecurity

I know XP is going the way of the Dodo, which is why I wanted to write this post. As blogs and posts update and keep up with the latest versions of Windows I find it harder and harder to … Continue reading →

Posted in Introduction, Windows Forensics, Windows Registry Forensics, Windows XP | Tagged artefact locations, basics, hats off security, registry hives, restore points, Windows Registry Forensics, windows xp | Leave a comment

Mounted Devices Key

Posted on December 4, 2014 by HatsOffSecurity

Here is a screen capture of a Mounted Devices key. As you can see it can appear quite daunting. In a previous blog post I covered how a USB Mass Storage devices would simply convert ASCII to Hex and use … Continue reading →

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged artefact locations, hats off security, registry hives, USB, windows 7, Windows Registry Forensics, Windows8 | 2 Comments

Research: Decoding LanmanServer\Shares

Posted on November 9, 2014 by HatsOffSecurity

For my first fully independent research topic I chose to look at the registry key created when an object is shared. This all started with a job we were investigating recently where the indicators we were given did not turn … Continue reading →

Posted in Cyber, Research, Shared Folders, Windows Forensics, Windows Registry Forensics | Tagged artefact locations, hats off security, registry hives, research, windows 7, windows 8.1, Windows Registry Forensics, windows xp, Windows8 | 7 Comments

Link Files

Posted on September 14, 2014 by HatsOffSecurity

Link (lnk) files are a valuable source of information in a forensic investigation and should not be casually overlooked. What are Link files? Link files are created by the system when a file is opened, even if that file is … Continue reading →

Posted in Link FIles, Windows Forensics | Tagged artefact locations, basics, hats off security, link files, windows 7, Windows8 | Leave a comment

Jump Lists

Posted on September 6, 2014 by HatsOffSecurity

What is a Jump List? A Jump List looks something like: From left to right we have; Windows Media Player Start Menu, Wordpad Internet Explorer Jump Lists were introduced in Windows 7 to allow frequently used files/tasks/webpages to be selected … Continue reading →

Posted in Jump Lists, Windows Forensics | Tagged artefact locations, hats off security, jump lists, jumplists, recent, registry hives, windows 7, Windows Registry Forensics, Windows8 | Leave a comment

M	T	W	T	F	S	S
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30

	Bianca the Baker on NoScript Plugin Forensic Inves…
	Week 40 – 2022… on PowerShell Basic Introduction…
	ALEX on AnyDesk Forensic Analysis and…
	Week 13 – 2022… on Improving Technical Interviews
	HatsOffSecurity on AnyDesk Forensic Analysis and…