Support Portal

Question

What is used to populate System Information in FTK?

Answer

System Information pulls the following data from their associated locations:

Main Registry Files Used:
- %USERPROFILE%\NTUSER.DAT (aka HKCU)
- %WINDIR%\system32\config\Software (aka HKLM\Software)

Browser Credentials:
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\Web Data
- %APPDATA%\Mozilla\Firefox\Profiles

Browser Download History:
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\History
- %LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.dat
- %APPDATA%\Mozilla\Firefox\Profiles
- %APPDATA%\Microsoft\Windows\IEDownloadHistory
- %APPDATA%\Opera Software\Opera Stable\History
- %APPDATA%\Apple Computer\Safari\Downloads.plist

Browser URL History:
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\History
- %LOCALAPPDATA%\Microsoft\Windows\History\History.IE5
- %LOCALAPPDATA%\Microsoft\Windows\History\Low\History.IE5
- %LOCALAPPDATA%\Microsoft\Windows\WebCache\WebCacheV01.dat
- %USER%\Local Settings\History\History.IE5
- %APPDATA%\Mozilla\Firefox\Profiles
- %APPDATA%\Opera\Opera\global_history.dat
- %APPDATA%\Opera Software\Opera Stable\History
- %APPDATA%\Apple Computer\Safari\History.plist

Installed Applications:
- HKLM\Software: Microsoft\Windows\CurrentVersion\Uninstall\*

Network Connections (including wifi):
- HKLM\Software: Microsoft\Windows NT\CurrentVersion\NetworkList\*

Owner Information:
- HKLM\Software: Microsoft\Windows NT\CurrentVersion

Prefetch:
- %WINDIR%\Prefetch\*.pf

Recent Jump Lists:
- %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\

Recent Shortcuts:
- %APPDATA%\Microsoft\Windows\Recent\*.lnk
- %USERPROFILE%\Recent\*.lnk

Recent Documents:
- HKCU\Software\Microsoft\Office
- HKCU\Software\Adobe

- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Recent Network Shares:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

SAM Users:
- %WINDIR%\system32\config\System
- %WINDIR%\system32\config\SAM

Shell Bags (network, folder, and other locations visited):
- HKCU\Software\Microsoft\Windows\Shell\BagMRU
- HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
- HKCU\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

USB Devices:
- HKLM and SYSTEM and HKCU: Enum\USBSTOR, Enum\USB, MountedDevices

UserAssist:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*

Wireless Profiles:
- C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces

Overview

FTK can parse System Information from Windows images using the "Generate System Information" processing option.