Available Artifacts - Evidence of Execution Updated

Since my original post a couple of months ago there have been new discoveries, additional suggestions and some error corrections. These things combined warranted an update to the spreadsheet and original post. 

I want to take the opportunity to thank the following people who have directly or indirectly contributed to the update:

  • Maxim Suhanov (@errno_fail) for his great work on Syscache.hve
  • David Cowen (@HECFBlog) for the work put into his Test Kitchen Series and investigation of Syscache.hve and what OSs it is available within
  • Phill Moore (@phillmoore) for correcting entries as they relate to the availability of SRUM
  • Hadar Yudovich (@hadar0x) for his suggestion of Application Experience Program Telemetry
  • Matt (@mattnotmax) for his suggestion of CCM_RecentlyUsedApps
  • Eric Zimmerman (@EricRZimmerman) for his suggestion of further useful tools (yet to be written up!)
  • proneer for their comment with multiple suggestions

I have updated the original blog post and spreadsheet with corrections and to include the following artifacts:
  • CCM_RecentlyUsedApps
  • Application Experience Program Telemetry
  • IconCache.db
  • Windows Error Reporting (WER)
  • Syscache.hve

The post is still barebones with a bit of additional writeup work to do, and the extra artifacts in the spreadsheet have added a lot more 'TBC' cells, but I hope to get more of it complete over time.

1 comment:

  1. I just pointed you to Dave's test kitchen where he found the SRUM stuff. That's all him