6.1.4. Trace cleaning

6.1.4.1. Logs

  • View logs: eventvwr

  • Fake log entries: eventcreate

  • Operation log
    • Remote Desktop (port 3389) login records

    • file open log

    • file modification log

    • browser log

    • system events

    • Program installation record

    • Program delete records

    • Program update record

  • login log
    • System Security Log (Security.evtx)

  • log path
    • system log %SystemRoot%\System32\Winevt\Logs\System.evtx

    • security log %SystemRoot%\System32\Winevt\Logs\Security.evtx

    • application log %SystemRoot%\System32\Winevt\Logs\Application.evtx

  • service log
    • IIS %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\
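The log locations above are also what a defender audits first. The following PowerShell script is an added example, not part of the original notes: it checks that the three .evtx files listed exist, looks for the built-in "log cleared" events (Security event ID 1102 and System event ID 104, both of which record the clearing account), and lists event sources registered under the EventLog service key that point at eventcreate.exe. That eventcreate registers its custom source there with an EventMessageFile value is an assumption to verify on your own build; run it elevated on the host being checked.

```powershell
# Added example (not from the original notes). Assumes elevation on the host being audited.
$logRoot  = Join-Path $env:SystemRoot 'System32\Winevt\Logs'
$expected = 'System.evtx', 'Security.evtx', 'Application.evtx'
$since    = (Get-Date).AddDays(-30)

# 1. Do the log files listed above still exist? Record size and last write time.
#    A tiny or freshly rewritten Security.evtx on a long-running host is worth a question.
foreach ($name in $expected) {
    $path = Join-Path $logRoot $name
    if (Test-Path $path) {
        $item = Get-Item $path
        '{0,-18} {1,12:N0} bytes  last write {2}' -f $name, $item.Length, $item.LastWriteTime
    } else {
        "MISSING: $path"
    }
}

# 2. Clearing a log leaves a record in the log itself:
#    Security 1102 = "The audit log was cleared", System 104 = "The event log file was cleared".
$filters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $since },
    @{ LogName = 'System';   Id = 104;  StartTime = $since }
)
foreach ($flt in $filters) {
    Get-WinEvent -FilterHashtable $flt -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, Message |
        Format-List
}

# 3. eventcreate writes under a custom source; sources live under the EventLog service key
#    (HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<LogName>\<Source>).
#    Assumption: the source's EventMessageFile points at eventcreate.exe; flag those.
$evtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
Get-ChildItem $evtKey | ForEach-Object {
    $logName = $_.PSChildName
    Get-ChildItem $_.PSPath | ForEach-Object {
        $msgFile = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).EventMessageFile
        if ($msgFile -and $msgFile -match 'eventcreate\.exe') {
            [pscustomobject]@{ Log = $logName; Source = $_.PSChildName; EventMessageFile = $msgFile }
        }
    }
}
```

Cross-check the findings against a copy of the logs forwarded to a collector, since a cleared local log cannot vouch for itself.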

6.1.4.2. Registry

  • AppCompatFlags

  • Background Activity Moderator (BAM)

  • MuiCache

  • RecentApps

  • RunMRU

  • ShimCache (AppCompatCache)

6.1.4.2.1. Registry Key

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

6.1.4.3. File

6.1.4.3.1. Prefetch

The Prefetch folder stores prefetch information for files the system has accessed, so that they load faster next time. The files use the .pf extension and are located in C:\Windows\Prefetch

6.1.4.3.2. JumpLists

JumpLists record the documents and applications recently used by the user, so that the user can quickly jump back to a given file. The location is %APPDATA%\Microsoft\Windows\Recent

6.1.4.3.3. Amcache / RecentFileCache.bcf

Windows uses these two files to track application compatibility issues across different executables; they can be used to determine when an executable was first run and when it was last modified.

In Windows 7, Windows Server 2008 R2 and similar systems, the file is saved as C:\Windows\AppCompat\Programs\RecentFileCache.bcf, and it includes the program's creation time, last modification time, last access time and file name.

In Windows 8, Windows 10, Windows Server 2012 and similar systems, the file is saved as C:\Windows\AppCompat\Programs\Amcache.hve, and it includes the file size, version, SHA-1 hash, binary file type and other information.

6.1.4.4. Timeline

Windows Timeline is a feature introduced in Windows 10 version 1803 that records visited websites, edited documents, programs that were run, and so on.

6.1.4.5. Complete deletion

  • Overwrite the file multiple times: cipher /w:<path>

  • Format a disk, overwriting it <count> times: format D: /P:<count>