| Artifact | Data Stored | Exec | Create | Delete | Persist | User | Net | Timestomp | MITRE | Tools | Location |
|---|---|---|---|---|---|---|---|---|---|---|---|
| MFT ($MFT) | File records, MACB timestamps, attributes | ⚠ | ✅ | ⚠ | ⚠ | ⚠ | ❌ | ✅ | T1070 / T1564 | MFTECmd.exe -f C:\$MFT --csv out\ | NTFS metadata file |
| USN Journal | File change records | ⚠ | ✅ | ✅ | ⚠ | ⚠ | ❌ | ⚠ | T1070 | MFTECmd.exe -f C:\$Extend\$UsnJrnl:$J --csv out\ | NTFS change journal |
| $LogFile | File system transactions | ⚠ | ✅ | ✅ | ❌ | ❌ | ❌ | ⚠ | T1070 | LogFileParser.exe -f C:\$LogFile --csv out\ | NTFS transaction log |
| Prefetch | Execution metadata, run count, DLLs | ✅ | ❌ | ❌ | ❌ | ⚠ | ❌ | ❌ | T1059 | PECmd.exe -d C:\Windows\Prefetch --csv out\ | C:\Windows\Prefetch |
| Amcache | File metadata, hashes, signatures | ✅ | ⚠ | ❌ | ❌ | ⚠ | ❌ | ❌ | T1204 | AmcacheParser.exe -f Amcache.hve --csv out\ | C:\Windows\AppCompat\Programs |
| ShimCache | Program paths, execution flags | ⚠ | ❌ | ❌ | ❌ | ⚠ | ❌ | ❌ | T1204 | AppCompatCacheParser.exe -f SYSTEM --csv out\ | HKLM\SYSTEM\AppCompatCache |
| UserAssist | GUI execution history | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | T1204 | RECmd.exe -f NTUSER.DAT --bn UserAssist\ | HKCU...\UserAssist |
| RunMRU | Run dialog commands | ⚠ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | T1059 | RECmd.exe -f NTUSER.DAT --bn RunMRU\ | HKCU...\RunMRU |
| Jump Lists | Recent file interactions | ⚠ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | T1083 | JLECmd.exe -d %AppData%\Recent --csv out\ | %AppData%\Microsoft\Windows\Recent |
| LNK Files | Target path, timestamps | ⚠ | ❌ | ❌ | ❌ | ✅ | ❌ | ⚠ | T1204 | LECmd.exe -d C:\Users\ --csv out\ | Desktop / Recent |
| ShellBags | Folder access metadata | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | T1083 | SBECmd.exe -d C:\Users\ --csv out\ | NTUSER.DAT / UsrClass.dat |
| Recycle Bin | Deleted file metadata | ❌ | ❌ | ✅ | ❌ | ⚠ | ❌ | ⚠ | T1070 | RBCmd.exe -d C:\$Recycle.Bin --csv out\ | C:\$Recycle.Bin |
| Run Keys | Autorun entries | ❌ | ❌ | ❌ | ✅ | ⚠ | ❌ | ❌ | T1547.001 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Registry Run keys |
| Scheduled Tasks | Task definitions, triggers | ⚠ | ❌ | ❌ | ✅ | ⚠ | ❌ | ❌ | T1053.005 | schtasks /query /fo LIST /v | C:\Windows\System32\Tasks |
| Services | Service configs, ImagePath | ⚠ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | T1543.003 | sc query type= service state= all | HKLM\SYSTEM\Services |
| WMI Subscriptions | Persistent event consumers | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | T1546.003 | wmic /namespace:\\root\subscription PATH __EventFilter | root\subscription |
| Security 4688 | Process creation logs | ✅ | ❌ | ❌ | ❌ | ⚠ | ⚠ | ❌ | T1059 | EvtxECmd.exe -f Security.evtx --csv out\ | C:\Windows\System32\winevt\Logs |
| Sysmon ID 1 | Process creation + hash | ✅ | ❌ | ❌ | ❌ | ⚠ | ⚠ | ❌ | T1059 | EvtxECmd.exe -f Sysmon.evtx --csv out\ | Sysmon Operational log |
| Sysmon ID 3 | Network connections | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | T1105 | EvtxECmd.exe -f Sysmon.evtx --csv out\ | Sysmon Operational log |
| PowerShell 4104 | Script block content | ✅ | ❌ | ❌ | ❌ | ⚠ | ⚠ | ❌ | T1059.001 | Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | PowerShell log |
| RDP 1149 | RDP logon events | ⚠ | ❌ | ❌ | ❌ | ✅ | ⚠ | ❌ | T1021.001 | EvtxECmd.exe -f TerminalServices.evtx --csv out\ | TerminalServices log |
| Kerberos 4768/4769 | TGT/TGS activity | ❌ | ❌ | ❌ | ❌ | ⚠ | ⚠ | ❌ | T1558 | EvtxECmd.exe -f Security.evtx --csv out\ | Security log (DC) |
| SRUM | App resource + network usage | ⚠ | ❌ | ❌ | ❌ | ⚠ | ✅ | ❌ | T1105 | SrumECmd.exe -f SRUDB.dat --csv out\ | C:\Windows\System32\sru |
| BITS | Background transfers | ⚠ | ❌ | ❌ | ⚠ | ❌ | ✅ | ❌ | T1197 | bitsadmin /list /allusers /verbose | qmgr.db |
| Firewall Logs | Allowed/blocked connections | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | T1046 | Get-Content C:\Windows\System32\LogFiles\Firewall\pfirewall.log | Firewall log |
| DNS Cache | Recently resolved domains | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | T1071 | ipconfig /displaydns | Volatile memory |
| LSASS Memory | Credentials, tickets | ⚠ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | T1003 | vol.py -f memdump.raw windows.lsadump | RAM |
| NTDS.dit | AD database | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | T1003.003 | ntdsutil "activate instance ntds" | C:\Windows\NTDS |
General Rules for Timestamps in the Windows NTFS File System
The table below delineates the general rules governing how various file operations influence the timestamps within the Windows NTFS (New Technology File System).
| Operation | Modified | Accessed | Birth (Created) |
|---|---|---|---|
| File Create | Yes | Yes | Yes |
| File Modify | Yes | No | No |
| File Copy | No (Inherited) | Yes | Yes |
| File Access | No | No* | No |
- File Create:
  - Modified Timestamp (M): The Modified timestamp is set to the time of file creation.
  - Accessed Timestamp (A): The Accessed timestamp is set to the time of creation, reflecting that the file was accessed when it was created.
  - Birth (Created) Timestamp (B): The Birth timestamp is set to the time of file creation.
- File Modify:
  - Modified Timestamp (M): The Modified timestamp is updated to the time when the file's content or attributes were last changed.
  - Accessed Timestamp (A): The Accessed timestamp is not updated when the file is modified.
  - Birth (Created) Timestamp (B): The Birth timestamp is not updated when the file is modified.
- File Copy:
  - Modified Timestamp (M): The Modified timestamp is typically not updated when a file is copied; the copy inherits it from the source file, so M on the copy can be older than B.
  - Accessed Timestamp (A): The Accessed timestamp is updated to the time of copying, reflecting that the file was accessed when it was copied.
  - Birth (Created) Timestamp (B): The Birth timestamp is set to the time of copying, indicating when the copy was created.
- File Access:
  - Modified Timestamp (M): The Modified timestamp is not updated when the file is accessed.
  - Accessed Timestamp (A): The Accessed timestamp is updated to the time of access. The table marks this as No* because Windows disables last-access updates on NTFS by default (the NtfsDisableLastAccessUpdate value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, queried with fsutil behavior query disablelastaccess), so A advances on a plain read only when that update is enabled.
  - Birth (Created) Timestamp (B): The Birth timestamp is not updated when the file is accessed.
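The following is an added example, not part of the original cheat sheet, that turns the rules above into a triage check: given one file's M, A and B values (constructed sample timestamps, not from a real image), it names the operation the pattern is consistent with and flags combinations the create/modify/copy/access rules cannot produce. The zero-fractional-second check is a common timestomp heuristic added here, not a rule from the table; the tolerance value is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed slack between timestamps written by the same operation.
TOL = timedelta(seconds=2)


@dataclass(frozen=True)
class Macb:
    modified: datetime  # M
    accessed: datetime  # A
    birth: datetime     # B (Created)


def infer_history(ts: Macb) -> list[str]:
    """Explain an (M, A, B) triple in terms of the NTFS rules table.

    Findings starting with 'ANOMALY' cannot be produced by create, modify,
    copy or access alone and warrant a look at $FILE_NAME and the USN journal.
    """
    m, a, b = ts.modified, ts.accessed, ts.birth
    out: list[str] = []
    if abs(m - b) <= TOL:
        out.append("create: M and B set together; no later content change")
    elif m > b:
        out.append("modify: M advanced after creation, B left alone")
    else:  # M older than B: copy inherits M from the source, B is the copy time
        out.append("copy: M inherited from source, B is the copy time")
    if a - b > TOL:
        out.append("access: A advanced after creation (last-access updates enabled)")
    elif b - a > TOL:
        out.append("ANOMALY: A predates B; create and copy both set A at creation")
    # Real NTFS times carry 100 ns precision; tools that rewrite timestamps often
    # store whole seconds, so a zeroed fraction on M alone is a classic tell.
    if m.microsecond == 0 and b.microsecond != 0:
        out.append("ANOMALY: M has no fractional second but B does (possible timestomp)")
    return out


if __name__ == "__main__":
    # Constructed sample: M and A rolled back to 2020 while B kept its real value.
    t0 = datetime(2024, 3, 1, 10, 0, 0, 123456)
    for line in infer_history(Macb(datetime(2020, 1, 1), datetime(2020, 1, 1), t0)):
        print(line)
```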