From abb95cb02bdd38f936bd2d430167461f182206c6 Mon Sep 17 00:00:00 2001 From: "theAtropos4n6 (Evangelos D.)" <70748441+theAtropos4n6@users.noreply.github.com> Date: Fri, 3 Oct 2025 12:50:23 +0300 Subject: [PATCH 1/3] Added Putty Artifacts Added Putty NTUSER Artifacts --- BatchExamples/DFIRBatch.md | 2 ++ BatchExamples/DFIRBatch.reb | 14 +++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md index c63b445..2f5bd6b 100644 --- a/BatchExamples/DFIRBatch.md +++ b/BatchExamples/DFIRBatch.md @@ -10,6 +10,7 @@ Special thanks to those who have contributed to this Batch file: * [Reece394](https://github.com/reece394) * [esecrpm](https://github.com/esecrpm) * [ogmini](https://github.com/ogmini) +* [Evangelos Dragonas (@theAtropos4n6)](https://github.com/theAtropos4n6) # Version History @@ -68,6 +69,7 @@ Example entry, please follow this format: | 2.17 | 2025-07-20 | Added ApplicationAssociationToasts and More Office MRU Artifacts | | 2.18 | 2025-09-01 | Added ConsentStore Artifacts | | 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts | +| 2.20 | 2025-10-03 | Added Putty Artifacts | # Documentation diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index fc5f855..2fd56af 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb @@ -1,6 +1,6 @@ Description: DFIR RECmd Batch File Author: Andrew Rathbun -Version: 2.19 +Version: 2.20 Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8 Keys: # 
@@ -3379,6 +3379,18 @@ Keys: Comment: "Displays artifacts relating to TightVNC" # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf +# Third Party Applications -> PuTTY - https://www.chiark.greenend.org.uk/~sgtatham/putty/ + + - + Description: PuTTY + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\SimonTatham\PuTTY + Recursive: true + Comment: "Displays artifacts relating to PuTTY" + +# https://docs.velociraptor.app/artifact_references/pages/windows.registry.puttyhostkeys/ + # Third Party Applications -> FileZilla - https://filezilla-project.org/ - From 078680b3108b37f459f825d0558068535bf7d1df Mon Sep 17 00:00:00 2001 From: "theAtropos4n6 (Evangelos D.)" <70748441+theAtropos4n6@users.noreply.github.com> Date: Fri, 3 Oct 2025 12:52:25 +0300 Subject: [PATCH 2/3] Update DFIRBatch.md --- BatchExamples/DFIRBatch.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md index 2f5bd6b..40f816f 100644 --- a/BatchExamples/DFIRBatch.md +++ b/BatchExamples/DFIRBatch.md @@ -69,7 +69,7 @@ Example entry, please follow this format: | 2.17 | 2025-07-20 | Added ApplicationAssociationToasts and More Office MRU Artifacts | | 2.18 | 2025-09-01 | Added ConsentStore Artifacts | | 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts | -| 2.20 | 2025-10-03 | Added Putty Artifacts | +| 2.20 | 2025-10-03 | Added PuTTY Artifacts | # Documentation From 206ade0e5e90059754a8473e0373a261b3be251a Mon Sep 17 00:00:00 2001 From: "theAtropos4n6 (Evangelos D.)" <70748441+theAtropos4n6@users.noreply.github.com> Date: Fri, 3 Oct 2025 13:38:00 +0300 Subject: [PATCH 3/3] Updated DFIRBatch Added CCleaner, File Shredder, and Splashtop artifacts --- BatchExamples/DFIRBatch.md | 2 +- BatchExamples/DFIRBatch.reb | 47 +++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-) 
diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md index 40f816f..9f396ed 100644 --- a/BatchExamples/DFIRBatch.md +++ b/BatchExamples/DFIRBatch.md @@ -69,7 +69,7 @@ Example entry, please follow this format: | 2.17 | 2025-07-20 | Added ApplicationAssociationToasts and More Office MRU Artifacts | | 2.18 | 2025-09-01 | Added ConsentStore Artifacts | | 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts | -| 2.20 | 2025-10-03 | Added PuTTY Artifacts | +| 2.20 | 2025-10-03 | Added PuTTY, CCleaner, File Shredder, Splashtop Artifacts | # Documentation diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index 2fd56af..eb56cbc 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb @@ -3347,8 +3347,30 @@ Keys: KeyPath: CurrentControlSet\Services\SSUService Recursive: true Comment: "Displays artifacts relating to Splashtop" + - + Description: Splashtop + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\Splashtop Inc. + Recursive: true + Comment: "Displays artifacts relating to Splashtop" + - + Description: Splashtop + HiveType: SOFTWARE + Category: Third Party Applications + KeyPath: WOW6432Node\Splashtop Inc. + Recursive: true + Comment: "Displays artifacts relating to Splashtop" + - + Description: Splashtop + HiveType: SOFTWARE + Category: Third Party Applications + KeyPath: WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater + Recursive: true + Comment: "Displays artifacts relating to Splashtop" # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf +# https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects # Third Party Applications -> TeamViewer - https://www.teamviewer.com/en-us/ 
@@ -3391,6 +3413,31 @@ Keys: # https://docs.velociraptor.app/artifact_references/pages/windows.registry.puttyhostkeys/ +# Third Party Applications -> CCleaner - https://www.ccleaner.com/ + + - + Description: CCleaner + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\Piriform\CCleaner + Recursive: true + Comment: "Displays artifacts relating to CCleaner" + +# https://www.synacktiv.com/publications/ccleaner-forensics +# https://www.magnetforensics.com/resources/oh-no-the-suspect-ran-ccleaner-to-get-rid-of-the-evidence/ + +# Third Party Applications -> File Shredder - fileshredder.org + + - + Description: File Shredder + HiveType: NTUSER + Category: Third Party Applications + KeyPath: Software\Shredder + Recursive: true + Comment: "Displays artifacts relating to File Shredder" + +# N/A + # Third Party Applications -> FileZilla - https://filezilla-project.org/ -
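Review bot: the Comment on the new PuTTY entry in PATCH 1/3 (`Comment: "Displays artifacts relating to PuTTY"`) is less specific than the key deserves; with `Recursive: true` on `Software\SimonTatham\PuTTY` the batch will also walk the `Sessions` and `SshHostKeys` subkeys, which is what the Velociraptor `windows.registry.puttyhostkeys` reference cited just below the entry is about. Suggest naming those in the comment (e.g. "Displays saved sessions and cached SSH host keys relating to PuTTY") so the RECmd output row tells the analyst what the values are before opening them.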
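Review bot: PATCH 2/3 only changes the casing of a word ("Putty" to "PuTTY") that PATCH 1/3 introduced two minutes earlier, and PATCH 3/3 then rewrites the same `| 2.20 | 2025-10-03 |` row again. Squash the three edits to that row into one commit so the version-history line is not rewritten three times within a single series.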
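Review bot: in the Splashtop hunk of PATCH 3/3 the two SOFTWARE-hive entries only cover `WOW6432Node\Splashtop Inc.` and `WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater`; the `WOW6432Node` view is where 32-bit installers write on 64-bit Windows, so a native 64-bit build would land under the same paths without the `WOW6432Node\` prefix and be missed. If Splashtop ships such a build, add the non-WOW6432Node counterparts. Also, all three new entries reuse `Description: Splashtop` and the identical Comment; giving the Uninstall entry its own wording (e.g. "Displays install/uninstall information for Splashtop Software Updater") lets the output rows be told apart without reading the KeyPath column.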
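Review bot: the File Shredder entry in the second .reb hunk of PATCH 3/3 is followed by a `# N/A` reference line, which breaks the file's visible convention of either citing a URL after an entry or leaving the reference comment out; drop the placeholder, or cite the fileshredder.org page already named in the heading. The heading itself (`# Third Party Applications -> File Shredder - fileshredder.org`) is also the only one in these hunks without an `https://` scheme. Finally, `KeyPath: Software\Shredder` is a generic key name, so the Comment should identify the product as the fileshredder.org tool to avoid confusion with other shredding utilities that might use a similar key.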