Available Artifacts - Evidence of Execution Updated
Since my original post a couple of months ago there have been new discoveries, additional suggestions and some error corrections. These things combined warranted an update to the spreadsheet and original post.
I want to take the opportunity to thank the following people who have directly or indirectly contributed to the update:
Maxim Suhanov (@errno_fail) for his great work on Syscache.hve
David Cowen (@HECFBlog) for the work put into his Test Kitchen series and his investigation of Syscache.hve and which OSs it is available on
Phill Moore (@phillmoore) for correcting entries as they relate to the availability of SRUM
Hadar Yudovich (@hadar0x) for his suggestion of Application Experience Program Telemetry
Matt (@mattnotmax) for his suggestion of CCM_RecentlyUsedApps
Eric Zimmerman (@EricRZimmerman) for his suggestion of further useful tools (yet to be written up!)
proneer for their comment with multiple suggestions
I have updated the original blog post and the spreadsheet with corrections, and added the following artifacts:
- CCM_RecentlyUsedApps
- Application Experience Program Telemetry
- IconCache.db
- Windows Error Reporting (WER)
- Syscache.hve
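As an added example (not code from the original post or its spreadsheet), the PowerShell below triages two of the artifacts listed above on a live host: it reads the CCM_RecentlyUsedApps WMI class and parses the Report.wer files that Windows Error Reporting leaves behind. It assumes the host runs the ConfigMgr (SCCM) client, so that the root\ccm\SoftwareMeteringAgent namespace exists, that WER uses its default paths under ProgramData, and that it is run from an elevated prompt; the output column names are my own choice.

```powershell
# Added example, not part of the original post.
# Assumptions: ConfigMgr client installed (root\ccm\SoftwareMeteringAgent exists),
# default WER paths, run as administrator.

# 1. CCM_RecentlyUsedApps: per-executable last-use records kept by the
#    ConfigMgr software metering agent. Survives deletion of the binary.
$ns = 'root\ccm\SoftwareMeteringAgent'
$recent = @()
try {
    $recent = Get-CimInstance -Namespace $ns -ClassName CCM_RecentlyUsedApps -ErrorAction Stop |
        Select-Object FolderPath, ExplorerFileName, LastUserName, LastUsedTime, LaunchCount
} catch {
    Write-Warning "CCM_RecentlyUsedApps not available (no ConfigMgr client?): $($_.Exception.Message)"
}
$recent | Sort-Object LastUsedTime -Descending | Format-Table -AutoSize

# 2. Windows Error Reporting: each Report.wer is a UTF-16 key=value text file
#    that records the crashing application's path and name, which proves the
#    binary ran even if it has since been removed.
$werRoots = @(
    "$env:ProgramData\Microsoft\Windows\WER\ReportArchive",
    "$env:ProgramData\Microsoft\Windows\WER\ReportQueue"
)
$wer = Get-ChildItem -Path $werRoots -Recurse -Filter 'Report.wer' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $kv = @{}
        Get-Content -Path $_.FullName -Encoding Unicode | ForEach-Object {
            if ($_ -match '^([^=]+)=(.*)$') { $kv[$matches[1]] = $matches[2] }
        }
        [pscustomobject]@{
            Report        = $_.FullName
            EventType     = $kv['EventType']
            AppPath       = $kv['AppPath']
            AppName       = $kv['AppName']
            ReportCreated = $_.CreationTime
        }
    }
$wer | Sort-Object ReportCreated -Descending | Format-Table -AutoSize
```

On a host without the ConfigMgr client the first query simply warns and returns nothing; the WER section still works because it only reads files. Because both sources are on the live system, treat the timestamps as the host's local clock view and correlate them with the other artifacts in the spreadsheet rather than relying on either alone.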
The post is still barebones with some additional write-up work to do, and the extra artifacts in the spreadsheet have added a lot more 'TBC' cells, but I hope to get more of it complete over time.