AKA Extracted Artifacts - davepo/AKA GitHub Wiki
AKA Extracted Artifacts
The following is a list of artifacts extracted from the input evidence by AKA. The list is presented in no particular order.
System Files
Master File Table
From the filesystem root
- $MFT
Journal File
From the filesystem root
- $UsnJrnl
Registry Files
From system32/config
- SAM
- SOFTWARE
- SYSTEM
- SECURITY
From Windows/appcompat
- Amcache.hve
Event Logs
From winevt/logs
- All .evtx files
USB logs
From windows/inf
- SetupApi files
WBEM
From System32/wbem
- The entire Repository folder
Prefetch
From windows/prefetch
- All .pf files
Antivirus
From ProgramData
- McAfee logs
- Symantec logs
- Windows Defender logs
User files
From each /Users/* folder
- All Thumbcache files
- All Lnk files
- NTUSER.DAT
- UsrClass.DAT
- Jump List files (automaticDestinations-ms/customDestinations-ms)