diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md index c63b445..9f396ed 100644 --- a/BatchExamples/DFIRBatch.md +++ b/BatchExamples/DFIRBatch.md @@ -10,6 +10,7 @@ Special thanks to those who have contributed to this Batch file: * [Reece394](https://github.com/reece394) * [esecrpm](https://github.com/esecrpm) * [ogmini](https://github.com/ogmini) +* [Evangelos Dragonas (@theAtropos4n6)](https://github.com/theAtropos4n6) # Version History @@ -68,6 +69,7 @@ Example entry, please follow this format: | 2.17 | 2025-07-20 | Added ApplicationAssociationToasts and More Office MRU Artifacts | | 2.18 | 2025-09-01 | Added ConsentStore Artifacts | | 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts | +| 2.20 | 2025-10-03 | Added PuTTY, CCleaner, File Shredder, Splashtop Artifacts | # Documentation diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index fc5f855..eb56cbc 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb @@ -1,6 +1,6 @@ Description: DFIR RECmd Batch File Author: Andrew Rathbun -Version: 2.19 +Version: 2.20 Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8 Keys: # 
@@ -3347,8 +3347,30 @@ Keys: KeyPath: CurrentControlSet\Services\SSUService Recursive: true Comment: "Displays artifacts relating to Splashtop" + - + Description: Splashtop + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\Splashtop Inc. + Recursive: true + Comment: "Displays artifacts relating to Splashtop" + - + Description: Splashtop + HiveType: SOFTWARE + Category: Third Party Applications + KeyPath: WOW6432Node\Splashtop Inc. + Recursive: true + Comment: "Displays artifacts relating to Splashtop" + - + Description: Splashtop + HiveType: SOFTWARE + Category: Third Party Applications + KeyPath: WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater + Recursive: true + Comment: "Displays artifacts relating to Splashtop" # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf +# https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects # Third Party Applications -> TeamViewer - https://www.teamviewer.com/en-us/ 
@@ -3379,6 +3401,43 @@ Keys: Comment: "Displays artifacts relating to TightVNC" # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf +# Third Party Applications -> PuTTY - https://www.chiark.greenend.org.uk/~sgtatham/putty/ + + - + Description: PuTTY + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\SimonTatham\PuTTY + Recursive: true + Comment: "Displays artifacts relating to PuTTY" + +# https://docs.velociraptor.app/artifact_references/pages/windows.registry.puttyhostkeys/ + +# Third Party Applications -> CCleaner - https://www.ccleaner.com/ + + - + Description: CCleaner + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\Piriform\CCleaner + Recursive: true + Comment: "Displays artifacts relating to CCleaner" + +# https://www.synacktiv.com/publications/ccleaner-forensics +# https://www.magnetforensics.com/resources/oh-no-the-suspect-ran-ccleaner-to-get-rid-of-the-evidence/ + +# Third Party Applications -> File Shredder - fileshredder.org + + - + Description: File Shredder + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\Shredder + Recursive: true + Comment: "Displays artifacts relating to File Shredder" + +# N/A + # Third Party Applications -> FileZilla - https://filezilla-project.org/ -
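Review bot: The DFIRBatch.md version-history row for 2.20 says "Added ... Splashtop Artifacts", but the DFIRBatch.reb hunk at @@ -3347 shows Splashtop entries (the `CurrentControlSet\Services\SSUService` key with the same "Displays artifacts relating to Splashtop" comment) already present as unchanged context, so this release extends existing Splashtop coverage rather than adding it. Consider wording the row as "Added PuTTY, CCleaner, File Shredder Artifacts; Added additional Splashtop keys" so the changelog matches what the batch file actually changed. The version bump in the .reb header (2.19 to 2.20) is consistent with the new row.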
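Review bot: In the Splashtop hunk (@@ -3347) the two SOFTWARE-hive entries only cover `WOW6432Node\Splashtop Inc.` and `WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater`; if a 64-bit build of the product writes to the native `Splashtop Inc.` or `Microsoft\Windows\CurrentVersion\Uninstall\...` paths instead, those installs would be missed, so please confirm whether a non-WOW6432Node pair is needed as well. Also, all three new entries reuse the generic comment "Displays artifacts relating to Splashtop"; the Uninstall entry would read better with something specific such as `Comment: "Displays installation details for Splashtop Software Updater"` so an analyst can tell the key's purpose from the report. The added synacktiv reference is well placed under the existing JSAC reference.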
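Review bot: In the PuTTY/CCleaner/File Shredder hunk (@@ -3379) the File Shredder section header reads `# Third Party Applications -> File Shredder - fileshredder.org`, which breaks the convention used by the neighbouring headers (e.g. `# Third Party Applications -> CCleaner - https://www.ccleaner.com/`, `# Third Party Applications -> FileZilla - https://filezilla-project.org/`) of giving a full URL; please use the full scheme-prefixed URL for consistency. For the PuTTY entry, the linked Velociraptor reference covers only PuTTY host keys while `Software\SimonTatham\PuTTY` with `Recursive: true` also pulls in saved sessions and other subkeys; a comment such as `Comment: "Displays PuTTY saved sessions, SSH host keys and related artifacts"` would make the recursive scope clearer than the generic "Displays artifacts relating to PuTTY". The `# N/A` reference placeholder under File Shredder is fine if that is the file's convention for entries without a public write-up, but a one-line note on what `Software\Shredder` holds would help future maintainers.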