Windows Blind Files Collection

through exploitation of windows system environment , it is important to know list of system files that could be useful for your task .

in any operation , you have to get the full knowledge about what should i look for first , should i start reading this one , or go into the second one . actually it is good to memorize all of these collection whether it is Windows or Linux .

in case for automation process , give 0xsp mongoose windows version a try , which will do it perfectly

https://github.com/lawrenceamer/0xsp-Mongoose

https://github.com/lawrenceamer/0xsp-Mongoose/wiki/Mongoose-Windows-Agent-Guide

File

Description / Importance

%SYSTEMDRIVE%\boot.ini

A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening.

%WINDIR%\win.ini

readable by all users of a system.

%SYSTEMROOT%\repair\SAM %SYSTEMROOT%\System32\config\RegBack\SAM

Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.

%SYSTEMROOT%\repair\system %SYSTEMROOT%\System32\config\RegBack\system

This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.

%SYSTEMROOT%\repair\SAM %SYSTEMROOT%\System32\config\RegBack\SAM

These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.

%WINDIR%\repair\sam %WINDIR%\repair\system %WINDIR%\repair\software %WINDIR%\repair\security

System registry hives. https://en.wikipedia.org/wiki/Windows_Registry

%SYSTEMROOT%\repair\SAM %SYSTEMROOT%\System32\config\SAM %SYSTEMROOT%\System32\config\RegBack\SAM

Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.

%SYSTEMROOT%\repair\SYSTEM %SYSTEMROOT%\System32\config\SYSTEM %SYSTEMROOT%\System32\config\RegBack\SYSTEM

This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.

%SYSTEMDRIVE%\autoexec.bat

autoexec.bat is a startup script that executes at startup. As Webopedia states, “Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up. This is a convenient place to put commands you always want to execute at the beginning of a computing session. For example, you can set system parameters such as the date and time, and install memory-resident programs.”

%SYSTEMDRIVE%\pagefile.sys

This file is used by the operating system when there is not enough RAM (memory) in the system. It is a large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size.

%SystemDrive%\inetpub\logs\LogFiles

IIS 7.x web server log file location.

%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

Internet Explorer web browser history file (http://support.microsoft.com/kb/322916)

%USERPROFILE%\ntuser.dat

User-level Windows registry settings (http://technet.microsoft.com/en-us/library/cc758618(v=WS.10).aspx)

%WINDIR%\System32\drivers\etc\hosts

System hosts file for local translation of host names to IP addresses.

%WINDIR%\debug\NetSetup.log

Shows issues when computers are joined to a domain. http://technet.microsoft.com/en-us/library/cc961817.aspx

%WINDIR%\iis[version].log where [version] = 6, 7, or 8

Internet Information Service (IIS web server) log files.

%WINDIR%\system32\CCM\logs\*.log

Windows SCCM (System Center Configuration Manager) log files (http://technet.microsoft.com/en-us/library/bb892800.aspx)

%WINDIR%\system32\config\AppEvent.Evt %WINDIR%\system32\config\SecEvent.Evt

Windows Event Logs.

%WINDIR%\system32\config\default.sav %WINDIR%\system32\config\security.sav %WINDIR%\system32\config\software.sav %WINDIR%\system32\config\system.sav

Backup Windows registry files (http://forensics.wikia.com/wiki/Windows_registry_entries)

%WINDIR%\system32\logfiles\httperr\httperr1.log

IIS 6.x web server error logs.

%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log where YYMMDD = year month day

Web server log files.

unattend.txt, unattend.xml, unattended.xml, sysprep.inf

Used in the automated deployment of Windows images and can contain user accounts. Sometimes found in the %WINDIR%\Panther\ directory.