| Artifact type | Facebook app | Skype app |
|---|---|---|
| Registry branches of forensic interest | HKEY_USERS\<SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Facebook.Facebook_8xx8rvfyw5nnt\Facebook.Facebook_1.4.0.9_x64_8xx8rvfyw5nnt | HKEY_USERS\<SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.SkypeApp_kzf8qxf38zg5c\Microsoft.SkypeApp_2.0.0.5011_x86__kzf8qxf38zg5c |
| | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | HKEY_USERS\<SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.SkypeApp_kzf8qxf38zg5c\PersistedStorageItemTable\ManagedByApp\<GUID> |
| | | Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs |
| Directory paths/files of forensic interest | %AppData%\Local\Temp\winstore.log | %AppData%\Local\Temp\winstore.log |
| | %AppData%\Local\Packages\winstore_cw5n1h2txyewy\AC\Temp\winstore.log | %AppData%\Local\Packages\winstore_cw5n1h2txyewy\AC\Temp\winstore.log |
| | Analytics.sqlite, FriendRequest.sqlite, Friends.sqlite, Messages.sqlite, Notifications.sqlite, and Stories.sqlite databases stored in %AppData%\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\<User-specific Facebook ID>\DB\ | User-specific %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\main.db |
| | Caches of the downloaded files stored in %AppData%\Local\Packages\<Package ID>\AC\INetCache\<Cache ID>\ | %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\shared.xml |
| | | %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\Chatsync\ |
| | | %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\avatars\ |
| | | %Downloads%\Microsoft.SkypeApp_kzf8qxf38zg5c!App\ |
| | | %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\ReceiveStorage\ |
| | | %AppData%\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype name>\SendingStorage\ |
| | | APPCONTENT-MS files located in %AppData%\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\6e4f9dff0b76dd9b\120712-0049\People\AddressBook\ and %AppData%\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Indexed\LiveComm\6e4f9dff0b76dd9b\120712-0049\People\Me\ |
| Prefetch files | FACEBOOK.EXE.pf | WWAHOST.EXE.pf |
| | | DLLHOST.EXE.pf |
| Link files | Link files for the transferred or downloaded files, located in %AppData%\Roaming\Microsoft\Windows\Recent\ | Link files for the login page as well as the transferred or downloaded files, located in %AppData%\Roaming\Microsoft\Windows\Recent\ |
| Thumbcache files | Thumbnail images for the transferred or downloaded files | Thumbnail images for the transferred or downloaded files |
| | Profile pictures of the user and the contacts | Avatars of the user and the contacts |
| Swap files and physical memory dumps | Unencrypted copies of the files of forensic interest as well as of the transferred or downloaded files | Plain-text copies of the files of forensic interest as well as of the transferred or downloaded files |
| | Filename and path references for the files of forensic interest and the transferred or downloaded files | Filename and path references for the files of forensic interest and the transferred or downloaded files |
| | The process name could be discerned from 'Facebook.exe' | Payload headers for the IM and file transfer threads |
| | | The process name could be discerned from 'WWAHost.exe' |
| Unallocated space | Plain-text copies of the files of forensic interest as well as of the transferred or downloaded files | Plain-text copies of the files of forensic interest as well as of the transferred or downloaded files |
| | Filename and path references for the files of forensic interest and the transferred or downloaded files | Filename and path references for the files of forensic interest and the transferred or downloaded files |
| Network traffic | Host and servers' IP addresses | Host and servers' IP addresses |
| | Associated timestamps | Host and correspondents' IP addresses |
| | Web documents and image files from the HTTP sites | Associated timestamps |
| | | Web documents and image files from the HTTP sites |
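The directory, link-file and prefetch rows of the table translate directly into a triage checklist. The script below is an added example, not code from the paper: it expands those rows into glob patterns under one user profile, reports which artifacts are present and hashes them for the evidence log. It assumes that the table's %AppData%\Local and %AppData%\Roaming notation resolves to <profile>\AppData\Local and <profile>\AppData\Roaming, that placeholders such as <Skype name> and <User-specific Facebook ID> are a single directory level (so one '*' stands in for them), and that the prefetch files carry the usual hash suffix, so the table's FACEBOOK.EXE.pf is matched as FACEBOOK.EXE*.pf. The sample profile tree it builds is constructed for the demonstration and not taken from any real system.

```python
"""Triage helper for the Facebook/Skype app artifacts tabulated above (added example)."""
import hashlib
import tempfile
from pathlib import Path

SKYPE_PKG = "Microsoft.SkypeApp_kzf8qxf38zg5c"
FACEBOOK_PKG = "Facebook.Facebook_8xx8rvfyw5nnt"
PEOPLE_PKG = "microsoft.windowscommunicationsapps_8wekyb3d8bbwe"

# Glob patterns relative to the user profile root, one per table row. Forward
# slashes are used so pathlib maps them to the host separator; '*' stands in
# for the per-user placeholders of the table (assumption: one directory level).
PROFILE_ARTIFACTS = {
    "winstore.log (Temp)": "AppData/Local/Temp/winstore.log",
    "winstore.log (Store package)": "AppData/Local/Packages/winstore_cw5n1h2txyewy/AC/Temp/winstore.log",
    "Facebook databases": f"AppData/Local/Packages/{FACEBOOK_PKG}/LocalState/*/DB/*.sqlite",
    "Facebook INetCache": f"AppData/Local/Packages/{FACEBOOK_PKG}/AC/INetCache/*/*",
    "Skype main.db": f"AppData/Local/Packages/{SKYPE_PKG}/LocalState/*/main.db",
    "Skype shared.xml": f"AppData/Local/Packages/{SKYPE_PKG}/LocalState/shared.xml",
    "Skype Chatsync": f"AppData/Local/Packages/{SKYPE_PKG}/LocalState/*/Chatsync/*",
    "Skype avatars": f"AppData/Local/Packages/{SKYPE_PKG}/LocalState/avatars/*",
    "Skype downloads": f"Downloads/{SKYPE_PKG}!App/*",
    "Skype ReceiveStorage": f"AppData/Local/Packages/{SKYPE_PKG}/LocalState/*/ReceiveStorage/*",
    "Skype SendingStorage": f"AppData/Local/Packages/{SKYPE_PKG}/LocalState/*/SendingStorage/*",
    "People APPCONTENT-MS": f"AppData/Local/Packages/{PEOPLE_PKG}/LocalState/Indexed/LiveComm/*/*/People/*/*.appcontent-ms",
    "Recent .lnk files": "AppData/Roaming/Microsoft/Windows/Recent/*.lnk",
}
# Prefetch lives under the Windows directory, not the profile. Assumption: the
# real file names carry a hash suffix (FACEBOOK.EXE-xxxxxxxx.pf), hence the '*'.
PREFETCH_ARTIFACTS = {
    "Prefetch FACEBOOK.EXE": "Prefetch/FACEBOOK.EXE*.pf",
    "Prefetch WWAHOST.EXE": "Prefetch/WWAHOST.EXE*.pf",
    "Prefetch DLLHOST.EXE": "Prefetch/DLLHOST.EXE*.pf",
}


def _glob_files(root, patterns):
    """Map each label to the sorted absolute paths of the regular files matching its pattern."""
    found = {}
    for label, pattern in patterns.items():
        hits = sorted(str(p) for p in root.glob(pattern) if p.is_file())
        if hits:
            found[label] = hits
    return found


def find_artifacts(profile_root, windows_root=None):
    """Return {table row label: [absolute paths]} for every row with at least one hit."""
    found = _glob_files(Path(profile_root), PROFILE_ARTIFACTS)
    if windows_root is not None:
        found.update(_glob_files(Path(windows_root), PREFETCH_ARTIFACTS))
    return found


def hash_artifacts(found):
    """SHA-256 of every located file, keyed by path, so the collection can be logged and later verified."""
    return {path: hashlib.sha256(Path(path).read_bytes()).hexdigest()
            for paths in found.values() for path in paths}


def build_sample_profile():
    """Create a constructed, minimal profile tree (sample data only, not from a real system)."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    files = {
        "AppData/Local/Temp/winstore.log": b"constructed winstore sample log\n",
        f"AppData/Local/Packages/{SKYPE_PKG}/LocalState/alice/main.db": b"SQLite format 3\x00",
        f"AppData/Local/Packages/{SKYPE_PKG}/LocalState/alice/Chatsync/01.dat": b"",
        f"AppData/Local/Packages/{FACEBOOK_PKG}/LocalState/1000123/DB/Messages.sqlite": b"SQLite format 3\x00",
        "AppData/Roaming/Microsoft/Windows/Recent/photo.jpg.lnk": b"L\x00\x00\x00",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


def build_sample_windows_root():
    """Create a constructed Windows directory holding one prefetch file (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="windows_"))
    (root / "Prefetch").mkdir()
    (root / "Prefetch" / "FACEBOOK.EXE-1A2B3C4D.pf").write_bytes(b"SCCA")
    return root


if __name__ == "__main__":
    profile, windows = build_sample_profile(), build_sample_windows_root()
    located = find_artifacts(profile, windows)
    digests = hash_artifacts(located)
    for label, paths in located.items():
        for path in paths:
            print(f"{label:28s} {digests[path][:16]}...  {path}")
```

Rows that describe content rather than a location (thumbcache entries, memory and unallocated-space strings, network traffic) are deliberately outside the checklist; they need a thumbcache parser, a memory image or a capture, not a directory walk. Running the script against a mounted image's user profile and Windows directory gives a quick presence/absence view of the table's on-disk rows before deeper analysis of main.db or the Facebook databases.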