Added PuTTY Artifacts

BatchExamples/DFIRBatch.md

@@ -10,6 +10,7 @@ Special thanks to those who have contributed to this Batch file:
 * [Reece394](https://github.com/reece394)
 * [esecrpm](https://github.com/esecrpm)
 * [ogmini](https://github.com/ogmini)
+* [Evangelos Dragonas (@theAtropos4n6)](https://github.com/theAtropos4n6)
 
 # Version History
 
@@ -68,6 +69,7 @@ Example entry, please follow this format:
 | 2.17 | 2025-07-20 | Added ApplicationAssociationToasts and More Office MRU Artifacts |
 | 2.18 | 2025-09-01 | Added ConsentStore Artifacts |
 | 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts |
+| 2.20 | 2025-10-03 | Added PuTTY, CCleaner, File Shredder, Splashtop Artifacts |
 
 # Documentation
 

BatchExamples/DFIRBatch.reb

@@ -1,6 +1,6 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
-Version: 2.19
+Version: 2.20
 Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8
 Keys:
 #
@@ -3347,8 +3347,30 @@ Keys:
         KeyPath: CurrentControlSet\Services\SSUService
         Recursive: true
         Comment: "Displays artifacts relating to Splashtop"
+    -
+        Description: Splashtop
+        HiveType: NTUSER
+        Category: Third Party Applications
+        KeyPath: Software\Splashtop Inc.
+        Recursive: true
+        Comment: "Displays artifacts relating to Splashtop"
+    -
+        Description: Splashtop
+        HiveType: SOFTWARE
+        Category: Third Party Applications
+        KeyPath: WOW6432Node\Splashtop Inc.
+        Recursive: true
+        Comment: "Displays artifacts relating to Splashtop"
+    -
+        Description: Splashtop
+        HiveType: SOFTWARE
+        Category: Third Party Applications
+        KeyPath: WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater
+        Recursive: true
+        Comment: "Displays artifacts relating to Splashtop"
 
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
+# https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects
 
 # Third Party Applications -> TeamViewer - https://www.teamviewer.com/en-us/
 
@@ -3379,6 +3401,43 @@ Keys:
         Comment: "Displays artifacts relating to TightVNC"
 # https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
 
+# Third Party Applications -> PuTTY - https://www.chiark.greenend.org.uk/~sgtatham/putty/
+
+    -
+        Description: PuTTY
+        HiveType: NTUSER
+        Category: Third Party Applications
+        KeyPath: Software\SimonTatham\PuTTY
+        Recursive: true
+        Comment: "Displays artifacts relating to PuTTY"
+
+# https://docs.velociraptor.app/artifact_references/pages/windows.registry.puttyhostkeys/
+
+# Third Party Applications -> CCleaner - https://www.ccleaner.com/
+
+    -
+        Description: CCleaner
+        HiveType: NTUSER
+        Category: Third Party Applications
+        KeyPath: Software\Piriform\CCleaner
+        Recursive: true
+        Comment: "Displays artifacts relating to CCleaner"
+
+# https://www.synacktiv.com/publications/ccleaner-forensics
+# https://www.magnetforensics.com/resources/oh-no-the-suspect-ran-ccleaner-to-get-rid-of-the-evidence/
+
+# Third Party Applications -> File Shredder - fileshredder.org
+
+    -
+        Description: File Shredder
+        HiveType: NTUSER
+        Category: Third Party Applications
+        KeyPath: Software\Shredder
+        Recursive: true
+        Comment: "Displays artifacts relating to File Shredder"
+
+# N/A
+
 # Third Party Applications -> FileZilla - https://filezilla-project.org/
 
     -