diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md index 3da6ded..c63b445 100644 --- a/BatchExamples/DFIRBatch.md +++ b/BatchExamples/DFIRBatch.md @@ -67,6 +67,7 @@ Example entry, please follow this format: | 2.16 | 2025-07-18 | Added More User.dat Windows Store UWP Artifacts - Network Share and WordPad | | 2.17 | 2025-07-20 | Added ApplicationAssociationToasts and More Office MRU Artifacts | | 2.18 | 2025-09-01 | Added ConsentStore Artifacts | +| 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts | # Documentation @@ -85,6 +86,5 @@ As of May 2024, the following plugins are not being leveraged: * [DHCPNetworkHint](https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.DHCPNetworkHint) * [FeatureUsage](https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.FeatureUsage) -* [IconLayouts](https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.IconLayouts) * [NetworkSettings](https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.NetworkSettings) * [TaskFlowShellActivities](https://github.com/EricZimmerman/RegistryPlugins/blob/master/RegistryPlugin.TaskFlowShellActivities/TaskFlowShellActivities.cs) diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index a0b64e7..fc5f855 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb @@ -1,6 +1,6 @@ Description: DFIR RECmd Batch File Author: Andrew Rathbun -Version: 2.18 +Version: 2.19 Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8 Keys: # 
@@ -2570,6 +2570,20 @@ Keys: # https://www.cyberengage.org/post/registry-system-configiuration-tracking-microphone-and-camera-usage-in-windows-program-execution +# User Activity -> Desktop IconLayouts + + - + Description: Desktop IconLayouts + HiveType: NTUSER + Category: User Activity + KeyPath: Software\Microsoft\Windows\Shell\Bags\1\Desktop + Recursive: false + Comment: "Displays the desktop icon layout, Observed in Windows 11 to be arranged from top to bottom in columns from the top left of the screen." + +# IconLayouts plugin - https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.IconLayouts +# In Windows 11 icons appear from the top left of the screen, filling downwards, then moving to the next column going from left to right. +# https://github.com/kacos2000/Win10/blob/master/Desktop_IconLayouts.pdf + # -------------------- # AUTORUNS # -------------------- @@ -3471,6 +3485,26 @@ Keys: Recursive: true Comment: "Displays artifacts relating to Angry IP Scanner" +# Third Party Applications -> DB Browser for SQLite - https://sqlitebrowser.org/ + + - + Description: DB Browser for SQLite + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\sqlitebrowser\sqlitebrowser + Recursive: true + Comment: "Displays artifacts relating to DB Browser for SQLite" + +# Third Party Applications -> WinMerge - https://winmerge.org/ + + - + Description: WinMerge + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\Thingamahoochie\WinMerge + Recursive: true + Comment: "Displays artifacts relating to WinMerge" + # -------------------- # CLOUD STORAGE # --------------------
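Review bot: In DFIRBatch.md, the hunk at `@@ -85,6 +86,5 @@` changes the list under "As of May 2024, the following plugins are not being leveraged:" but leaves that sentence as it is. With IconLayouts removed in a change logged as 2025-09-02, the "May 2024" date no longer says when the list was last accurate. Update the date in the same commit, or reword the sentence so it carries no date.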
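Review bot: In the Desktop IconLayouts entry (DFIRBatch.reb, `@@ -2570,6 +2570,20 @@`), the reference comments come after the entry, directly above the AUTORUNS banner, where they can be read as belonging to the next section. The two Third Party Applications entries added in this same patch put their URL on the header comment before the entry; move the plugin and PDF links up under `# User Activity -> Desktop IconLayouts` to match. The Comment string has a comma splice at "layout, Observed" and should be split into two sentences. The second trailing comment line repeats what the Comment already says and can be dropped.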
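Review bot: Both new Third Party Applications entries (DFIRBatch.reb, `@@ -3471,6 +3485,26 @@`) set `Recursive: true` on the application's root key with a Comment that only says "Displays artifacts relating to ...", so an analyst reading the output cannot separate values of evidentiary interest from general preferences. Say in each Comment what the key is expected to hold, and narrow the KeyPath to those subkeys if the rest is only settings. For WinMerge, add a comment line explaining the vendor key in `KeyPath: Software\Thingamahoochie\WinMerge`, so a later maintainer does not take it for a typo.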