AKA Extracted Artifacts - davepo/AKA GitHub Wiki

AKA Extracted Artifacts

The following is a list of artifacts extracted from the input evidence by AKA. The list is presented in no particular order.

System Files

Master File Table

From the filesystem root

  • $MFT

Journal File

From the filesystem root

  • $UsnJrnl

Registry Files

From system32/config

  • SAM
  • SOFTWARE
  • SYSTEM
  • SECURITY

From Windows/appcompat

  • Amcache.hve

Event Logs

From winevt/logs

  • All .evtx files

USB logs

From windows/inf

  • SetupApi files

WBEM

From System32/wbem

  • The entire Repository folder

Prefetch

From windows/prefetch

  • All .pf files

Antivirus

From ProgramData

  • McAfee logs
  • Symantec logs
  • Windows Defender logs

User files

From each /Users/* folder

  • All Thumbcache files
  • All Lnk files
  • NTUSER.DAT
  • UsrClass.DAT
  • Jump list files (automaticDestinations-ms/customDestinations-ms)