AKA Extracted Artifacts

The following is a list of artifacts extracted from the input evidence by AKA. The list is presented in no particular order.

System Files

Master File Table

From the filesystem root

• $MFT

Journal File

From the filesystem root

• $UsnJrnl

Registry Files

From system32/config

• SAM
• SOFTWARE
• SYSTEM
• SECURITY From Windows/appcompat
• Amcache.hve

Event Logs

From winevt/logs

• All .evtx files

USB logs

From windows/inf

• SetupApi files

WBEM

From System32/wbem

• The entire Repository folder

Prefetch

From windows/prefetch

• All .pf files

Antivirus

From ProgramData

• McAfee logs
• Symantec logs
• Windows Defender logs

User files

From each /Users/* folder

• All Thumbcache files
• All Lnk files
• NTUSER.DAT
• UserClass.DAT
• Jumplit files (automaticdestination-ms/customdestination-ms)