Windows Environment - nurit-cyber/Windows-Evidence GitHub Wiki

Tools Used

Image/Video Forensics

Thumbcache Viewer by Eric Kutcher
PECmd version 1.4.0.0 by Eric Zimmerman
RBCmd version 0.5.0.0 by Eric Zimmerman
yara v4.0.5-1554-win64 by Victor Alvarez

USB Device Forensics

USBDeview v3.01 by Nirsoft

Web Browser Forensics

BrowsingHistoryView v2.47 by Nirsoft

Environment

The environment that was used for data generation was a Windows 10 virtual machine downloaded directly from Microsoft's website for VMWare workstation.

Edition: Windows 10 Enterprise Evaluation
Version: 20H2
OS build: 19042.804
System Type: 64-bit operating system, x64-based processor