Ryohei Hosoya
# KAPE GitHub repository survey (Targets/Apps)

**All log-type artifacts listed below are collected.**

## Targets/Apps/1Password.tkape

### Description

Data used by 1Password and its usage logs.

### Artifact Location

```
Targets:
  - Name: 1Password Database
    Category: Apps
    Path: C:\Users\%user%\AppData\Local\1password\data
    FileMask: '1Password10.sqlite'
    Comment: "Database which holds information about 1Password installation, such as accounts, categories, settings and more"
  - Name: 1Password Backup Databases
    Category: Apps
    Path: C:\Users\%user%\AppData\Local\1password\backups
    FileMask: '1Password10.sqlite'
    Comment: "Backups of 1Password Database"
  - Name: 1Password Logs
    Category: Apps
    Path: C:\Users\%user%\AppData\Local\1password\logs
    FileMask: '*.log'
    Comment: "Log of usage of 1Password - can be useful for identifying periods of user activity"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: examine contents

### Rationale

If 1Password is in use, these may make it possible to determine whether the password store was cracked.

### ToDo

* Add to reporter

## Targets/Apps/4KVideoDownloader.tkape

### Description

Data of 4K Video Downloader (a tool for downloading videos from YouTube and similar sites). The download history can be checked.

### Artifact Location

```
- Name: 4K Video Downloader
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader
  FileMask: "*.sqlite"
  Comment: "Grabs database(s) that stores user download history"
```

### Investigation needed?

* Not needed

### Rationale

Investigation of illegal downloads is currently out of scope?

### ToDo

* Not needed

## Targets/Apps/AceText.tkape

### Description

The .atc files in which AceText (a text-editing productivity tool) stores its clipboard history.

### Artifact Location

```
- Name: AceText - Clipboard History
  Category: Apps
  Path: C:\Users\%user%\Documents
  FileMask: '*.atc'
  Comment: "Locates the Clipboard history for AceText"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

May reveal the clipboard history.

### ToDo

Add to reporter

## Targets/Apps/AcronisTrueImage.tkape

### Description

Data of Acronis True Image (a backup utility that protects a PC against system crashes). Includes the backup history (logs) and the backed-up files.

### Artifact Location

```
  Category: Apps
  Path: C:\ProgramData\Acronis\TrueImageHome\Logs\ti_demon\
  Comment: "Copies out all log files"
- Name: Acronis True Image - Database Files
  Category: Apps
  Path: C:\ProgramData\Acronis\TrueImageHome\Database
  FileMask: archives.db*
  Comment: "Copies out the Database folder which appears to have important information"
- Name: Acronis True Image - Scripts Folder
  Category: Apps
  Path: C:\ProgramData\Acronis\TrueImageHome\Scripts\
  Comment: "Copies out all scripts files"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

May help with recovering deleted files.

### ToDo

Add to reporter

## Targets/Apps/Ammyy.tkape

Already added

## Targets/Apps/AnyDesk.tkape

Already added

## Targets/Apps/AsperaConnect.tkape

Already added

## Targets/Apps/AteraAgent.tkape

### Description

Logs of AteraAgent (asset-management software). Atera includes remote-management functionality, and that functionality is reportedly abused to control endpoints without authorization.

https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/

### Artifact Location

```
- Name: AteraAgent .ini files
  Category: Software
  Path: C:\Program Files\ATERA Networks\AteraAgent
  FileMask: '*.ini'
  Recursive: true
  Comment: "Collects logs for AteraAgent"
- Name: AteraAgent Logs
  Category: Software
  Path: C:\Program Files\ATERA Networks\AteraAgent
  FileMask: '*.txt'
  Recursive: true
  Comment: "Collects logs for AteraAgent"
- Name: AteraAgent Logs
  Category: Software
  Path: C:\Program Files\ATERA Networks\AteraAgent
  FileMask: '*.db'
  Recursive: true
  Comment: "Collects logs for AteraAgent"
- Name: AteraAgent Logs
  Category: Software
  Path: C:\Program Files\ATERA Networks\AteraAgent
  FileMask: '*.config'
  Recursive: true
  Comment: "Collects logs for AteraAgent"
- Name: AteraAgent Logs
  Category: Software
  Path: C:\Program Files\ATERA Networks\AteraAgent
  FileMask: '*.cfg'
  Recursive: true
  Comment: "Collects logs for AteraAgent"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

May allow investigating unauthorized operation of the host through AteraAgent.

### ToDo

Add to reporter

## Targets/Apps/BoxDrive_Metadata.tkape

### Description

Box configuration files.

### Artifact Location

```
- Name: Box Drive Application Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Box\Box\
  Recursive: true
- Name: Box Sync Application Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Box Sync\
  Recursive: true
```

### Investigation needed?

* Fast forensics: examine contents
* Full forensics: examine contents

### Rationale

Allows investigating the Box synchronization settings.

### ToDo

Add to KAPE target

## Targets/Apps/BoxDrive_UserFiles.tkape

### Description

The user's files synchronized with Box.

### Artifact Location

```
- Name: Box Drive User Files
  Category: Apps
  Path: C:\Users\%user%\Box\
  Recursive: true
  Comment: "Caution! This target will collect Box Drive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network"
- Name: Box Sync User Files
  Category: Apps
  Path: C:\Users\%user%\Box Sync\
  Recursive: true
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: examine contents

### Rationale

As with OneDrive, files synchronized with Box do not need to be examined in fast forensics (the collection size is also expected to balloon).

### ToDo

Not needed

## Targets/Apps/CiscoJabber.tkape

Already added

## Targets/Apps/ClipboardMaster.tkape

### Description

Clipboard history saved by ClipboardMaster, a clipboard productivity tool. It stores images as well as text.

### Artifact Location

```
- Name: ClipboardMaster - Clipboard History - Text
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Jumping Bytes\ClipboardMaster\
  FileMask: 'Clipboard.clm4'
  Comment: "Locates the user’s clipboard history (text) for ClipboardMaster"
- Name: ClipboardMaster - Clipboard History - Images
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Jumping Bytes\ClipboardMaster\pics\
  Recursive: true
  Comment: "Locates the user’s clipboard history (images) for ClipboardMaster"
- Name: ClipboardMaster - Clipboard History - Backups
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Jumping Bytes\ClipboardMaster\
  FileMask: 'Clipboard.clm4.ba*'
  Comment: "Locates the user’s clipboard history (backups) for ClipboardMaster"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

Likely useful when ClipboardMaster is in use.

### ToDo

Add to reporter

## Targets/Apps/ConfluenceLogs.tkape

Already added

## Targets/Apps/DirectoryOpus.tkape

### Description

Cache files of Directory Opus, an Explorer replacement.

### Artifact Location

```
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\
  FileMask: 'rename_folders.osd'
  Comment: "Locates .osd file which contains names of folders that have been renamed manually by the user."
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\
  FileMask: 'rename_files.osd'
  Comment: "Locates .osd file which contains names of files that have been renamed manually by the user."
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\
  FileMask: 'find_contains.osd'
  Comment: "Locates .osd file which contains search queries initiated by the user during a search for files with contents related to the search query."
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\
  FileMask: 'find_name.osd'
  Comment: "Locates .osd file which contains search queries initiated by the user during a search for files with a filename related to the search query."
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\MRU\
  FileMask: 'find_path.osd'
  Comment: "Locates .osd file which contains file paths related to user activity - not exactly sure how these are generated at this time."
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\
  FileMask: 'recent.osd'
  Comment: "Locates .osd file which contains file paths related to recent user activity. Effectively the DOpus Shellbags-equivalent. Appears to be for last 10 folder visited within the Lister."
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\State Data\
  FileMask: 'backupconfig.osd'
  Comment: "Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus."
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\GPSoftware\Directory Opus\Thumbnail Cache\
  Comment: "Locates .osd file which contains file paths related to the location of the backup settings files for Directory Opus."
- Name: Directory Opus
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\GPSoftware\Directory Opus\Logs\
  Comment: "Locates .txt files that will be named with the IP address of the FTP server Directory Opus was used to connect to. All-activity.txt will simply be a combination of all other .txt files present in this directory."
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

When Directory Opus is in use, the file browsing history may be recoverable.

### ToDo

Add to reporter

## Targets/Apps/Discord.tkape

### Description

Discord cache and local storage.

### Artifact Location

```
- Name: Discord Cache Files
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\discord\cache\
  Recursive: true
  Comment: "Gets cached data from Discord app"
- Name: Discord Local Storage LevelDB Files
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\discord\local storage\leveldb\
  Recursive: true
  Comment: "Gets LevelDB database from Discord app"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

Unclear whether it would be useful even when present.

### ToDo

Add to reporter

## Targets/Apps/DoubleCommander.tkape

### Description

Log files of the Double Commander file manager. It is reportedly used by attackers at times?

### Artifact Location

```
- Name: Double Commander - history.xml
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\doublecmd\
  FileMask: 'history.xml'
  Comment: "Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from bottom to top."
- Name: Double Commander - doublecmd.xml
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\doublecmd\
  FileMask: 'doublecmd.xml'
  Comment: "Locates an .xml file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom."
- Name: Double Commander - FTP Log
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\doublecmd\
  FileMask: 'doublecmd*.log'
  Comment: "Locates log files that'll be named with the following naming convention: doublecmd_2021-04-03.log."
- Name: Double Commander - multiarc.ini
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\doublecmd\
  FileMask: 'multiarc.ini'
- Name: Double Commander - session.ini
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\doublecmd\
  FileMask: 'session.ini'
- Name: Double Commander - pixmaps.txt
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\doublecmd\
  FileMask: 'pixmaps.txt'
- Name: Double Commander - shortcuts.scf
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\doublecmd\
  FileMask: 'shortcuts.scf'
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

File operations performed by an attacker may be recorded here.

### ToDo

Add to reporter

## Targets/Apps/Dropbox_Metadata.tkape

### Description

Dropbox configuration files.

### Artifact Location

```
- Name: Dropbox Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Dropbox\
  FileMask: info.json
  Comment: "Getting individual files because folder may contain very large extraneous files. Info.json contains user's Dropbox folder location"
- Name: Dropbox Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Dropbox\
  FileMask: host.db
  Comment: "SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64."
- Name: Dropbox Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Dropbox\machine_storage
  FileMask: tray-thumbnails.db
  Comment: "SQLite database containing references to image files at one time present in a user’s Dropbox instance."
- Name: Dropbox Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Dropbox\
  FileMask: host.dbx
  Comment: "SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together."
- Name: Windows Protect Folder
  Category: FileSystem
  Path: C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\
  Recursive: true
  Comment: "Required for offline decryption of Dropbox databases"
- Name: Dropbox Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Dropbox\instance*\
  Recursive: true
  Comment: "instance folder holds multiple SQLite databases related to Dropbox activity and contents"
```

### Investigation needed?

* Fast forensics: examine contents
* Full forensics: examine contents

### Rationale

If Dropbox is in use, the file access history may be recoverable.

### ToDo

Add to KAPE target

## Targets/Apps/Dropbox_UserFiles.tkape

### Description

Data synchronized with Dropbox.

### Artifact Location

```
- Name: Dropbox User Files
  Category: Apps
  Path: C:\Users\%user%\Dropbox*\
  Recursive: true
  Comment: "Default storage location for Dropbox Personal and Business (when using wildcard), but can be user-defined. Check info.json file in user Dropbox metadata files to identify default folder."
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: examine contents

### Rationale

As with OneDrive, files synchronized with Dropbox do not need to be examined in fast forensics (the collection size is also expected to balloon).

### ToDo

Not needed

## Targets/Apps/EFCommander.tkape

### Description

Settings and history information of EF Commander, a Windows file manager.

https://www.efsoftware.com/cw/e.htm

### Artifact Location

```
- Name: EF Commander - .ini File
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\EFSoftware\
  Comment: "Locates folder where all configuration files reside"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

Potentially useful if EF Commander is in use.

### ToDo

Add to reporter

## Targets/Apps/Evernote.tkape

### Description

Holds Evernote account information and note data.

### Artifact Location

```
- Name: Evernote Accounts
  Category: App
  Path: C:\Users\%user%\AppData\Local\Evernote\Evernote\Databases\
  Recursive: true
  FileMask: ".accounts"
  Comment: "Holds username and email of accounts"
- Name: Evernote Notebooks
  Category: App
  Path: C:\Users\%user%\AppData\Local\Evernote\Evernote\Databases\
  Recursive: true
  FileMask: "*.exb"
  Comment: "SQLite Database of the notes"
- Name: Evernote Notebook Snippets
  Category: App
  Path: C:\Users\%user%\AppData\Local\Evernote\Evernote\Databases\
  Recursive: true
  FileMask: "*.exb.snippets"
  Comment: "Note 'Snippets'"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

There seems to be no case in which Evernote data is needed for an investigation.

### ToDo

Not needed

## Targets/Apps/Everything (VoidTools).tkape

### Description

Search history and other data of Everything, a fast file-search tool. KAPE already has a similar tkape, but this one adds further collection targets.

### Artifact Location

```
- Name: Everything (VoidTools)
  Category: FileSystem
  Path: C:\Users\%user%\AppData\Local\Everything\
  FileMask: Everything.db
  Comment: "Copies out Everything.db"
- Name: Everything (VoidTools) - Run History
  Category: FileSystem
  Path: C:\Users\%user%\AppData\Roaming\Everything\
  FileMask: Run History.csv
  Comment: "Copies out a CSV containing the history of items ran from Everything's search results window"
- Name: Everything (VoidTools) - Search History
  Category: FileSystem
  Path: C:\Users\%user%\AppData\Roaming\Everything\
  FileMask: Search History.csv
  Comment: "Copies out a CSV containing the history of items searched for within Everything with timestamps"
- Name: Everything (VoidTools) - .ini file
  Category: FileSystem
  Path: C:\Users\%user%\AppData\Roaming\Everything\
  FileMask: Everything.ini
  Comment: "Copies out the .ini file for Everything"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: not needed

### Rationale

Likely useful when Everything is in use.

### ToDo

Add to reporter

## Targets/Apps/ExchangeClientAccess.tkape

Already added

## Targets/Apps/ExchangeCve-2021-26855.tkape

### Description

Searches for IOCs of web shells dropped by attacks exploiting CVE-2021-26855 (ProxyLogon).

### Artifact Location

```
- Name: Exchange Server Modified Compiled Files
  Category: Apps
  Path: C:\Windows\Microsoft.NET\Framework*\v*\Temporary ASP.NET Files\
  Recursive: true
  FileMask: 'Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled'
  Comment: "Highly dependent on Exchange configuration"
- Name: Exchange Server Modified Compiled Files
  Category: Apps
  Path: C:\inetpub\wwwroot\aspnet_client
  Recursive: true
  FileMask: 'Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled'
  Comment: "Highly dependent on Exchange configuration"
- Name: Exchange Server Modified Compiled Files
  Category: Apps
  Path: C:\inetpub\wwwroot\aspnet_client\system_web\
  Recursive: true
  FileMask: 'Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled'
  Comment: "Highly dependent on Exchange configuration"
- Name: Exchange Server Modified Compiled Files
  Category: Apps
  Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
  Recursive: true
  FileMask: 'Regex:*.\b[a-zA-Z0-9_-]{8}\b.compiled'
  Comment: "Highly dependent on Exchange configuration"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

These are IOC checks for one specific vulnerability.

### ToDo

Not needed

## Targets/Apps/ExchangeTransport.tkape

Already added

## Targets/Apps/Fences.tkape

### Description

Periodic desktop screenshots captured by Fences, a desktop-customization tool.

### Artifact Location

```
- Name: Fences - Desktop Screenshots
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Stardock\Fences\Backups
  Comment: "Locates all screenshots taken automatically by the Fences application"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

The screenshots were judged not to be very useful.

### ToDo

Not needed

## Targets/Apps/FileZillaClient.tkape

### Description

Logs of FileZilla (FTP client).

### Artifact Location

```
- Name: FileZilla XML Log Files
  Category: Logs
  Path: C:\Users\%user%\AppData\Roaming\FileZilla\
  FileMask: '*.xml*'
- Name: FileZilla SQLite3 Log Files
  Category: Logs
  Path: C:\Users\%user%\AppData\Roaming\FileZilla\
  FileMask: '*.sqlite3*'
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

May allow checking file operations carried out over FTP.

### ToDo

Add to reporter

## Targets/Apps/FileZillaServer.tkape

### Description

Logs of FileZilla Server (FTP server).

### Artifact Location

```
- Name: FileZilla Server XML Log Files
  Category: Logs
  Path: C:\Users\%user%\AppData\Roaming\FileZilla Server\
  FileMask: '*.xml*'
- Name: FileZilla Log Files
  Category: Logs
  Path: C:\Program Files (x86)\FileZilla Server\Logs\
  FileMask: '*.log*'
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

May allow checking file operations carried out over FTP.

### ToDo

Add to reporter

## Targets/Apps/FreeCommander.tkape

### Description

Various artifacts of FreeCommander (an Explorer enhancement tool).

### Artifact Location

```
- Name: Free Commander - FreeCommander.ini
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\
  FileMask: 'FreeCommander.ini'
  Comment: "Locates an .ini file that contains Shellbags-equivalent artifacts."
- Name: Free Commander - FreeCommander.ftp.ini
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\
  FileMask: 'FreeCommander.ftp.ini'
  Comment: "Locates an .ini file that contains the file path to the FTP log for Free Commander."
- Name: Free Commander - FreeCommander.hist.ini
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\
  FileMask: 'FreeCommander.hist.ini'
  Comment: "Locates an .ini file that contains Shellbags-equivalent artifacts that are sorted in temporal order from top to bottom for both left and right directory browsers."
- Name: Free Commander - FreeCommander.fav.xml
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\
  FileMask: 'FreeCommander.fav.xml'
  Comment: "Locates an .xml file that contains favorited files/folder by the user."
- Name: Free Commander - Backup Settings
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\FreeCommanderXE\Settings\Bkp_Settings*\
  Recursive: true
  Comment: "Locates an exact copy of the above files which will have a timestamped folder name, i.e. Bkp_Settings-YYYY-MM-DD HH-MM-SS."
- Name: Free Commander - FTP Log
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Temp\
  FileMask: 'fc*.log'
  Comment: "Locates log file(s) that have a default naming convention of fc_ftplog_20210403 but can be modified by the user."
- Name: Free Commander - FTP Related Information
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Temp\FreeCommander*\
  Recursive: true
  Comment: "Locates a folder that may be named randomly that contains more FTP related information as well as .tmp files that are created while the user is traversing folders during an active FTP session. These files are deleted upon program exit."
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

Considered handy if present.

### ToDo

Add to reporter

## Targets/Apps/FreeDownloadManager.tkape

### Description

Cache of Free Download Manager, a feature-rich download manager (segmented downloads, bandwidth limiting, and so on).

### Artifact Location

```
- Name: FDM Database
  Category: App
  Path: C:\Users\%user%\AppData\Local\Free Download Manager\
  Recursive: true
  FileMask: "fdm.sqlite"
  Comment: "fdm.sqlite shows Torrents, downloads, folder history, auth credentials and more. Will also pull fdm.sqlite in db_backup/"
- Name: FDM Backup Info
  Category: App
  Path: C:\Users\%user%\AppData\Local\Free Download Manager\backup\
  FileMask: "backup.info"
  Comment: "Backup info file - can change backup name from userdata.zip, so could give indication of file name"
- Name: FDM Database (userdata.zip)
  Category: App
  Path: C:\Users\%user%\AppData\Local\Free Download Manager\backup\
  FileMask: "userdata.zip"
  Comment: "fdm.sqlite can also appear in the backup folder in a compressed userdata.zip file"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

If this software was in use, traces of malicious file downloads may be found.

### ToDo

Add to reporter

## Targets/Apps/FreeFileSync.tkape

Already added

## Targets/Apps/GoogleDriveBackupSync_UserFiles.tkape

### Description

User files synchronized with Google Drive.

### Artifact Location

```
- Name: Google Drive Backup and Sync User Files
  Category: Apps
  Path: C:\Users\%user%\Google Drive*\
  Recursive: true
  Comment: "Older Google Drive Backup and Sync application only"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

As with OneDrive, there is no need to examine these in fast forensics (the collection size is also expected to balloon).

### ToDo

Not needed

## Targets/Apps/GoogleDrive_Metadata.tkape

### Description

Google Drive metadata.

### Artifact Location

```
- Name: Google Drive Backup and Sync Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Google\Drive\
  Recursive: true
  Comment: "Older version of Google Drive"
- Name: Google Drive for Desktop Metadata
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Google\DriveFS\
  Recursive: true
  Comment: "Metadata folder the same for both newer Google Drive for Desktop and older Google File Stream application"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

Shows the file synchronization state when Google Drive is in use.

### ToDo

Add to reporter

## Targets/Apps/GoogleEarth.tkape

### Description

Information saved by Google Earth.

### Artifact Location

```
- Name: Google Earth My Places file
  Category: Apps
  Path: C:\Users\%user%\AppData\LocalLow\Google\GoogleEarth
  FileMask: 'myplaces.kml'
  Comment: "File which holds favorited locations"
- Name: Google Earth My Places Backup file
  Category: Apps
  Path: C:\Users\%user%\AppData\LocalLow\Google\GoogleEarth
  FileMask: 'myplaces.backup.kml'
  Comment: "Backup file which holds favorited locations"
- Name: Google Earth My Places file (XP)
  Category: Apps
  Path: C:\Documents and Settings\%user%\Application Data\Google\GoogleEarth
  FileMask: 'myplaces.kml'
  Comment: "File which holds favorited locations"
- Name: Google Earth My Places Backup file (XP)
  Category: Apps
  Path: C:\Documents and Settings\%user%\Application Data\Google\GoogleEarth
  FileMask: 'myplaces.backup.kml'
  Comment: "Backup file which holds favorited locations"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

Mainly pinned map locations; does not seem suited to incident investigation.

### ToDo

Add to reporter

## Targets/Apps/HeidiSQL.tkape

### Description

HeidiSQL backup files and related data.

### Artifact Location

```
- Name: HeidiSQL Backup files (*.sql)
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\HeidiSQL\Backups\
- Name: HeidiSQL (tabs.ini)
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\HeidiSQL\
  FileMask: tabs.ini
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: not needed

### Rationale

Likely useful if HeidiSQL is in use.

### ToDo

Add to reporter

## Targets/Apps/HexChat.tkape

### Description

Logs of HexChat (IRC client).

### Artifact Location

```
- Name: HexChat Chat Logs
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\HexChat\logs\
  Recursive: true
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: not needed

### Rationale

Likely useful for investigating malware infections via IRC and insider misconduct.

### ToDo

Add to reporter

## Targets/Apps/IceChat.tkape

### Description

Logs of IceChat (IRC client).

### Artifact Location

```
- Name: IceChat Chat Logs
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\IceChat Networks\IceChat\Logs\
  Recursive: true
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: not needed

### Rationale

Likely useful for investigating malware infections via IRC and insider misconduct.

### ToDo

Add to reporter

## Targets/Apps/IrfanView.tkape

### Description

History of images viewed in IrfanView, an image viewer.

### Artifact Location

```
- Name: IrfanView Configuration File
  Category: FileKnowledge
  Path: C:\Users\%user%\AppData\Roaming\IrfanView\
  FileMask: i_view32.ini
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

Image viewing history is probably unnecessary.

### ToDo

Not needed

## Targets/Apps/JDownloader2.tkape

### Description

Download lists, link-collector data, and settings of JDownloader 2 (a download manager).

### Artifact Location

```
- Name: JDownloader 2.0 Download Lists
  Category: App
  Path: C:\Users\%user%\AppData\Local\JDownloader 2.0\cfg
  Recursive: true
  FileMask: "downloadList*.zip"
  Comment: "Zip folder which contains several files (00,00_00 and extraInfo) which list the download folder, the time it was created, the name of the download, origin URL, referral URL and more"
- Name: JDownloader 2.0 Link Collector
  Category: App
  Path: C:\Users\%user%\AppData\Local\JDownloader 2.0\cfg
  Recursive: true
  FileMask: "linkcollector*.zip"
  Comment: "Zip folder which contains several files (0X,0X_00 and extraInfo) which list the websites crawled for links, the referral URLs, timestamps and more"
- Name: JDownloader 2.0 General Settings
  Category: App
  Path: C:\Users\%user%\AppData\Local\JDownloader 2.0\cfg
  Recursive: true
  FileMask: "org.jdownloader.settings.GeneralSettings.json"
  Comment: "General user config for JDownloader 2.0. Holds default download folder."
- Name: JDownloader 2.0 Link Grabber Settings
  Category: App
  Path: C:\Users\%user%\AppData\Local\JDownloader 2.0\cfg
  Recursive: true
  FileMask: "org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json"
  Comment: "Linkgrabber Settings for JDownloader 2.0. Holds latest download destination folder."
- Name: JDownloader 2.0 Proxy Settings
  Category: App
  Path: C:\Users\%user%\AppData\Local\JDownloader 2.0\cfg
  Recursive: true
  FileMask: "org.jdownloader.settings.InternetConnectionSettings.customproxylist.json"
  Comment: "Proxy configuration for JDownloader 2.0"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

Download history from this tool was judged unnecessary.

### ToDo

Not needed

## Targets/Apps/JavaWebCache.tkape

Already collected

## Targets/Apps/Kaseya.tkape

Already collected

## Targets/Apps/LogMeIn.tkape

Already collected

## Targets/Apps/MacriumReflect.tkape

### Description

Logs of the Macrium Reflect backup utility.

### Artifact Location

```
- Name: Macrium Reflect
  Category: Apps
  Path: C:\ProgramData\Macrium\Macrium Service\
  Comment: "Copies out all log files"
- Name: Macrium Reflect
  Category: Apps
  Path: C:\ProgramData\Macrium\Reflect\
  Comment: "Copies out the Reflect folder which contains many important logs"
- Name: Macrium Reflect
  Category: Apps
  Path: C:\ProgramData\Macrium\Reflect Launcher
  Comment: "Copies out the Reflect folder which contains many important logs"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: not needed

### ToDo

Not needed

## Targets/Apps/Mattermost.tkape

Already collected

## Targets/Apps/MediaMonkey.tkape

### Description

Configuration files and media list of MediaMonkey (a video and music player).

### Artifact Location

```
- Name: MediaMonkey - Media SQLite Database
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\MediaMonkey
  FileMask: 'MM.DB'
  Comment: "Locates SQLite DB that contains a complete enumeration of the user's media collection within MediaMonkey"
- Name: MediaMonkey - MediaMonkey.ini
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\MediaMonkey
  FileMask: 'MediaMonkey.ini'
  Comment: "Locates .ini file which contains information about the user's MediaMonkey application instance"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

Player playback history was judged unnecessary.

### ToDo

Not needed

## Targets/Apps/MicrosoftOneNote.tkape

### Description

History of pages opened in OneNote and its search history.

### Artifact Location

```
- Name: Microsoft OneNote - FullTextSearchIndex
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex
  Comment: "Grabs database(s) comprising of each OneNote notebook's text content"
- Name: Microsoft OneNote - RecentNotebooks_SeenURLs
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications
  FileMask: RecentNotebooks_SeenURLs
  Comment: "Grabs a file that appears to record recently seen OneNote notebooks"
- Name: Microsoft OneNote - AccessibilityCheckerIndex
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex
  Comment: "Grabs database(s) comprising of each OneNote notebook's version sync error history"
- Name: Microsoft OneNote - User NoteTags
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags
  FileMask: "*LiveId.db"
  Comment: "Grabs a database that stores the user specified tags within OneNote to be used application-wide"
- Name: Microsoft OneNote - RecentSearches
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches
  FileMask: RecentSearches.db
  Comment: "Grabs a database that stores the user's recent searches within OneNote"
```

### Investigation needed?

* Fast forensics: examine contents
* Full forensics: examine contents

### Rationale

There have recently been cases of malware infection via OneNote files.

### ToDo

Add to KAPE target

## Targets/Apps/MicrosoftStickyNotes.tkape

### Description

List of Sticky Notes.

### Artifact Location

```
- Name: Microsoft Sticky Notes - Windows 7, 8, and 10 version 1511 and earlier
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Microsoft\StickyNotes\
  FileMask: StickyNotes.snt
- Name: Microsoft Sticky Notes - 1607 and later
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\
  FileMask: plum.sqlite*
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: examine contents

### Rationale

Hard to imagine attackers making use of it.

### ToDo

Not needed

## Targets/Apps/MicrosoftTeams.tkape

### Description

Artifacts related to Teams.

### Artifact Location

```
- Name: Microsoft Teams IndexedDB Cache
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\
  Recursive: true
  Comment: "LevelDB database which can contain inbound/outbound chat messages, call history and more"
- Name: Microsoft Teams Local Storage Cache
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\
  Recursive: true
  Comment: "LevelDB database which can contain meeting history, file transfer logs and more"
- Name: Microsoft Teams Cache
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Microsoft\Teams\Cache\
  Recursive: true
  Comment: Chromium cache which can be viewed with Nirsoft's ChromeCacheView
- Name: Microsoft Teams Config
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\Microsoft\Teams\
  FileMask: "desktop-config.json"
  Comment: "JSON config file for Teams"
- Name: Microsoft Teams Logs (Windows 11)
  Category: Apps
  Path: C:\Users\%User%\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs
  Comment: "Lots of log files for MS Teams"
```

### Investigation needed?

* Fast forensics: existence check only
* Full forensics: examine contents

### Rationale

Hard to imagine attackers making use of it, but it serves as evidence when malware is delivered through a Teams message.

### ToDo

Add to reporter

## Targets/Apps/MicrosoftToDo.tkape

### Description

Microsoft To Do data.

### Artifact Location

```
- Name: Microsoft To Do - SQLite Database of To Do tasks
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\
  FileMask: todosqlite.db*
- Name: Microsoft To Do - User Avatar
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\4c444a17ebb042fb92df97d00d1c802a\avatars\
  FileMask: UserAvatar.jpg
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

The contents of To Do are not needed for incident investigation.

### ToDo

Not needed

## Targets/Apps/MidnightCommander.tkape

### Description

Configuration files of Midnight Commander (file manager).

### Artifact Location

```
- Name: Midnight Commander -- All Configuation Files
  Category: Apps
  Path: C:\Users\%user%\Midnight Commander\
  Comment: "Locates folder where all configuration files reside"
```

### Investigation needed?

* Fast forensics: not needed
* Full forensics: not needed

### Rationale

These are configuration files, not logs.

### ToDo

Not needed

## Targets/Apps/MultiCommander.tkape

### Description

Log files of Multi Commander (file manager).

### Artifact Location

```
- Name: Multi Commander - Application Folder
  Category: Apps
  Path: C:\Users\%user%\AppData\Local\MultiCommander*\
  Recursive: true
  Comment: "Locates the contents of the Application folder."
- Name: Multi Commander - Config Folder
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\MultiCommander*\Config\
  Recursive: true
  Comment: "Locates the contents of the Config folder."
- Name: Multi Commander - Log Folder
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\MultiCommander*\Logs\
  Recursive: true
  Comment: "Locates log file(s) related to user activity within Multi Commander."
- Name: Multi Commander - UserData Folder
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\MultiCommander*\UserData\
  Recursive: true
  Comment: "Locates the contents of the UserData folder."
- Name: Multi Commander - Log File
  Category: Apps
  Path: C:\Users\%user%\AppData\Roaming\MultiCommander*\
  Recursive: true
  FileMask: '*MultiCommander.log'
  Comment: "Locates log file(s) associated with Milti Commander. Commonly in YYYY-MM-DD (numbers)-MultiCommander.log naming convention."
```
``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 利用してる場合は役立ちそう ### ToDo reporterに追加 ## Targets/Apps/Nessus.tkape ### 解説 nessusのログファイル ### artifact location ``` Name: Nessus Logs Category: Nessus Path: C:\ProgramData\Tenable\Nessus\conf Recursive: true Comment: "" - Name: Nessus Logs Category: Nessus Logs Path: C:\ProgramData\Tenable\Nessus\nessus\logs\ Recursive: true Comment: "" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 攻撃者が使っている場合は有用かも?(攻撃者がわざわざインストールするのか分からないが) ### ToDo reporterに追加 ## Targets/Apps/Notepad++.tkape ### 解説 notepad++のキャッシュ 既存KAPEで取得していたが、targetファイルの対象が増えている。 ### artifact location ``` Name: Notepad++ Unsaved Edits Category: Text Editor Path: C:\Users\%user%\AppData\Roaming\Notepad++\backup\ Recursive: true Comment: "Locates non-saved Notepad++ files and copies them." - Name: Notepad++ Config Category: Text Editor Path: C:\Users\%user%\AppData\Roaming\Notepad++\ FileMask: "config.xml" Comment: "Retrieves config.xml which contains recently searched terms, replaced terms and recently opened documents" - Name: Notepad++ Session Category: Text Editor Path: C:\Users\%user%\AppData\Roaming\Notepad++\ FileMask: "session.xml" Comment: "Retrieves session.xml which contains session date" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 利用者が使っていれば、開いた悪性スクリプトの内容を確認できるかも ### ToDo reporterに追加 ## Targets/Apps/OneCommander.tkape ### 解説 one commander(ファイルマネージャ)のconfig ### artifact location ``` Name: One Commander - All Configuration Files Category: Apps Path: C:\Users\%user%\OneCommander\ Comment: "Locates folder where all configuration files reside" - Name: One Commander - Other Configuration Files Category: Apps Path: C:\Users\%user%\AppData\Local\Apps\2.0\*\*\onec*\ Recursive: true Comment: "Locates folder where all configuration files reside" ``` ### 調査要否 * ファスト(不要) * フル(不要) ### 判断理由 ログではなく設定ファイルだけなので必要ないと思った ### ToDo 不要 ## Targets/Apps/OneDrive_Metadata.tkape ### 解説 onedriveのメタデータ(ログ、設定ファイル) ### artifact location ``` Name: OneDrive Metadata Logs Category: 
Apps Path: C:\Users\%user%\AppData\Local\Microsoft\OneDrive\logs\ Recursive: true - Name: OneDrive Metadata Settings Category: Apps Path: C:\Users\%user%\AppData\Local\Microsoft\OneDrive\settings\ Recursive: true ``` ### 調査要否 * ファスト(内容調査) * フル(内容調査) ### 判断理由 windowsであればonedriveユーザは多く、メタデータのみであれば役立ちそう ### ToDo kape targetに追加 ## Targets/Apps/OneDrive_UserFiles.tkape ### 解説 onedriveの同期データ ### artifact location ``` Name: OneDrive User Files Category: Apps Path: C:\Users\%user%\OneDrive*\ Recursive: true Comment: "Caution -- This target will collect OneDrive contents from the local drive AND on-demand cloud files. Ensure your scope of authority permits cloud collections before use or isolate system from network." ``` ### 調査要否 * ファスト(不要) * フル(内容調査) ### 判断理由 ユーザプロファイルのデータの中身全ては必要ない ### ToDo 不要 ## Targets/Apps/OpenSSHClient.tkape ### 解説 OpenSSH Clientの設定ファイル、公開鍵など (.sshディレクトリの中身) ### artifact location ``` - Name: OpenSSH Config File Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'config' Comment: "Config file can hold usernames, IP addresses and ports, key locations and configured shortcuts for servers e.g. ssh web-server" - Name: OpenSSH Known Hosts Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'known_hosts' Comment: "Known hosts file can hold a list of connected FQDNs/IP Addresses and ports if they are non-default, as well as public key fingerprints" - Name: OpenSSH Public Keys Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: '*.pub' Comment: "Gets all public keys (*.pub). It is more difficult to find private keys as they typically do not have a file extension. However, the .pub files should be able to help find the private keys as they are typically named the same." 
- Name: OpenSSH Default RSA Private Key Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'id_rsa' Comment: "Default name for an auto-generated SSH RSA private key" - Name: OpenSSH Default ECDSA Private Key Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'id_ecdsa' Comment: "Default name for an auto-generated SSH ECDSA private key" - Name: OpenSSH Default ECDSA-SK Private Key Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'id_ecdsa_sk' Comment: "Default name for an auto-generated SSH ECDSA private key using a Security Key" - Name: OpenSSH Default ED25519 Private Key Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'id_ed25519' Comment: "Default name for an auto-generated SSH ED25519 private key" - Name: OpenSSH Default ED25519-SK Private Key Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'id_ed25519_sk' Comment: "Default name for an auto-generated SSH ED25519 private key using a Security Key" - Name: OpenSSH Default DSA Private Key Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'id_dsa' Comment: "Default name for an auto-generated SSH DSA private key" ``` ### 調査要否 * ファスト(内容調査) * フル(内容調査) ### 判断理由 sshクライアントソフトを使っていれば生成されるものなので、汎用性が高い、sshでの横展開がある場合に役に立つ ### ToDo kape targetに追加 ## Targets/Apps/OpenSSHServer.tkape ### 解説 OpenSSH Serverの設定ファイル、公開鍵、ログなど ### artifact location ``` Name: OpenSSH Server Config File Category: Apps Path: C:\ProgramData\ssh\ FileMask: 'sshd_config' Comment: "Config file can hold information on allowed/denied users" - Name: OpenSSH Server Logs Category: Apps Path: C:\ProgramData\ssh\logs\ FileMask: '*' Comment: "OpenSSH server logs" - Name: OpenSSH Host ECDSA Key Category: Apps Path: C:\ProgramData\ssh\ FileMask: 'ssh_host_ecdsa_key' Comment: "Retrieves the host ECDSA key" - Name: OpenSSH Host ED25519 Key Category: Apps Path: C:\ProgramData\ssh\ FileMask: 'ssh_host_ed25519_key' Comment: "Retrieves the host ED25519 key" - Name: OpenSSH Host DSA Key Category: Apps Path: C:\ProgramData\ssh\ FileMask: 'ssh_host_dsa_key' 
Comment: "Retrieves the host DSA key" - Name: OpenSSH Host RSA Key Category: Apps Path: C:\ProgramData\ssh\ FileMask: 'ssh_host_rsa_key' Comment: "Retrieves the host RSA key" - Name: OpenSSH User Authorized Keys Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'authorized_keys' Comment: "Retrieves the user's authorised public keys" - Name: OpenSSH User Authorized Keys 2 Category: Apps Path: C:\Users\%user%\.ssh\ FileMask: 'authorized_keys2' Comment: "Retrieves the user's authorised public keys from the second file" - Name: OpenSSH Authorized Administrator Keys Category: Apps Path: C:\ProgramData\ssh\ FileMask: 'administrators_authorized_keys' Comment: "Retrieves the administrator group's authorised public keys" ``` ### 調査要否 * ファスト(内容調査) * フル(内容調査) ### 判断理由 sshサーバが侵害された場合のログが取れる ### ToDo kape targetに追加 ## Targets/Apps/OpenVPNClient.tkape ### 解説 OpenVPN Clientの設定ファイル、公開鍵、ログなど ### artifact location ``` Name: OpenVPN Client Config Category: ApplicationLogs Path: C:\Users\%user%\OpenVPN\config\ Recursive: true Comment: "Contains OpenVPN Configs (Profiles)" - Name: OpenVPN Client Config Category: ApplicationLogs Path: C:\Program Files*\OpenVPN\config Recursive: true Comment: "Contains OpenVPN Configs(Profiles)" - Name: OpenVPN Client Config Category: ApplicationLogs Path: C:\Users\%user%\OpenVPN\log\ FileMask: '*.log' Comment: "Contains OpenVPN Logs for each Config(Profile)" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(内容調査) ### 判断理由 VPN利用時のログが取得できる可能性 ### ToDo reporterに追加 ## Targets/Apps/OutlookPSTOST.tkape ### 解説 outlookのostファイル、pstファイル もともと取得されていたが、一部のバージョンのファイルパスや、添付ファイルのキャッシュも追加されている ### artifact location ``` Name: PST XP Category: Communications Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Microsoft\Outlook\ FileMask: '*.pst' - Name: OST XP Category: Communications Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Microsoft\Outlook\ FileMask: '*.ost' - Name: PST (2013 or 2016) Category: Communications Path: 
C:\Users\%user%\Documents\Outlook Files\ FileMask: '*.pst' - Name: OST (2013 or 2016) Category: Communications Path: C:\Users\%user%\Documents\Outlook Files\ FileMask: '*.ost' - Name: PST Category: Communications Path: C:\Users\%user%\AppData\Local\Microsoft\Outlook\ FileMask: '*.pst' Comment: "Outlook Data File: POP accounts, archives, older installations" - Name: OST Category: Communications Path: C:\Users\%user%\AppData\Local\Microsoft\Outlook\ FileMask: '*.ost' Comment: "Offline Outlook Data File: M365, Exchange, IMAP" - Name: NST Category: Communications Path: C:\Users\%user%\AppData\Local\Microsoft\Outlook\ FileMask: '*.nst' Comment: "Outlook Group Storage File: Group conversations and calendar" - Name: Outlook Attachment Temporary Storage Category: Communications Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ Recursive: true Comment: "Outlook temporary storage folder for user attachments" ``` ### 調査要否 * ファスト(内容調査)←でかいファイルなのでわざわざ取得するかどうか迷う。。。 * フル(内容調査) ### 判断理由 メール経由での侵害に対応できる ### ToDo kape targetに追加(ただしでかいのでまよう) ## Targets/Apps/PeaZip.tkape ### 解説 peazipというファイルアーカイバのconfig ### artifact location ``` Name: PeaZip Configuration Files Category: FileKnowledge Path: C:\Users\%user%\AppData\Roaming\PeaZip\ Recursive: true ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(内容調査) ### 判断理由 あれば圧縮ファイルのhistoryを確認できる可能性がある ### ToDo reporterに追加 ## Targets/Apps/ProtonVPN.tkape ### 解説 protonVPNの通信ログ ### artifact location ``` Name: ProtonVPN - Connection Logs Category: ApplicationLogs Path: C:\Users\%user%\AppData\Local\ProtonVPN\Logs Comment: "Locates ProtonVPN connection logs." 
``` ### 調査要否 * ファスト(存在チェックのみ) * フル(内容調査) ### 判断理由 あればvpnの通信履歴を確認できる ### ToDo reporterに追加 ## Targets/Apps/Q-Dir.tkape ### 解説 Q-dir(エクスプローラ代替ソフト)でのフォルダ閲覧履歴など ### artifact location ``` Name: Q-Dir - .ini File Category: Apps Path: C:\Users\%user%\AppData\Roaming\Q-Dir\ FileMask: 'Q-Dir.ini' Comment: "Locates .ini file associated with Q-Dir which stores useful user activity information." - Name: Q-Dir - .qdr file Category: Apps Path: C:\Users\%user%\AppData\Roaming\Q-Dir\ FileMask: 'start.qdr' Comment: "Locates .qdr file associated with Q-Dir which stores useful user activity information, including the last 4 folders opened (encoded, unfortunately)." ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(内容調査) ### 判断理由 あればファイル閲覧履歴を確認できる ### ToDo reporterに追加 ## Targets/Apps/QFinderPro (QNAP).tkape ### 解説 QNAPのQFinderPRo(QNAP製NASの検索・管理を行うソフト)で出力された、QNAP製品のリスト ### artifact location ``` Name: QFinderPro Category: Apps Path: C:\Users\%user%\AppData\Local\QNAP\QfinderPro Comment: "Locates a JSON file that provides network location information for any QNAP connected devices." ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(内容調査) ### 判断理由 あればNASの有無を確認できそう ### ToDo reporterに追加 ## Targets/Apps/QFinderPro (QNAP).tkape ### 解説 QNAPのQFinderPRo(QNAP製NASの検索・管理を行うソフト)で出力された、QNAP製品のリスト ### artifact location ``` Name: QFinderPro Category: Apps Path: C:\Users\%user%\AppData\Local\QNAP\QfinderPro Comment: "Locates a JSON file that provides network location information for any QNAP connected devices." 
``` ### 調査要否 * ファスト(存在チェックのみ) * フル(内容調査) ### 判断理由 あればNASの有無を確認できそう ### ToDo reporterに追加 ## Targets/Apps/Radmin.tkape 追加済み ## Targets/Apps/RemoteUtilities_app.tkape ### 解説 RemoteUtilitiesというリモートデスクトップソフトのログ ### artifact location ``` Name: RemoteUtilities Connection Logs Category: Remote Access Path: C:\Program Files*\Remote Utilities - Host\Logs FileMask: "rut_log_*.html" Comment: "Includes connection log files" - Name: RemoteUtilities Install Log Category: Remote Access Path: C:\ProgramData\Remote Utilities FileMask: "install.log" Comment: "Includes Install log file" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(内容調査) ### 判断理由 あればリモートデスクトップでの操作履歴を取得できる ### ToDo reporterに追加 ## Targets/Apps/ScreenConnect.tkape 追加済み ## Targets/Apps/ShareX.tkape ### 解説 ShareX(画面キャプチャ、スクリーンショットを行うソフト)のキャプチャ一覧 ### artifact location ``` Name: ShareX Category: Apps Path: C:\Users\%user%\Documents\ShareX Recursive: true Comment: "Locates and captures all files within the default ShareX folder path" ``` ### 調査要否 * ファスト(不要) * フル(不要) ### 判断理由 画面キャプチャの情報はあまり重要ではないと思った ### ToDo 不要 ## Targets/Apps/SiemensTIA.tkape ### 解説 SiemensTIAと呼ばれる制御システム設計のエンジニアリングフレームワークの設定ファイル https://new.siemens.com/jp/ja/products/automation/industry-software/automation-software/tia-portal.html ### artifact location ``` Name: Siemens TIA Settings Category: ICS Path: C:\Users\%user%\AppData\Roaming\Siemens\Automation\Portal*\Settings\ Recursive: true ``` ### 調査要否 * ファスト(不要) * フル(不要) ### 判断理由 インシデント調査では不要と考えた ### ToDo 不要 ## Targets/Apps/Signal.tkape ### 解説 Signal(チャットツール)の各種ファイル ### artifact location ``` Name: Signal Attachments cache Category: Communications Path: C:\Users\%user%\AppData\Roaming\Signal\attachments.noindex\ Recursive: true Comment: Profile pictures (and possibly attachments) for users who this individual has as contacts or has communicated with - Name: Signal Logs Category: Communications Path: C:\Users\%user%\AppData\Roaming\Signal\logs\ Recursive: true Comment: Logs for Signal. 
Most recent has the extension .log while old ones will have extension .log.0, .log.1 etc. - Name: Signal config.json Category: Communications Path: C:\Users\%user%\AppData\Roaming\Signal\ FileMask: "config.json" Comment: config.json holds the db.sqlite SQLCipher raw key - Name: Signal Database Category: Communications Path: C:\Users\%user%\AppData\Roaming\Signal\sql\ FileMask: "db.sqlite" Comment: Stores attachment details, conversations, messages, and more ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 利用していた場合のチャット履歴を確認できる可能性 ### ToDo reporterに追加 ## Targets/Apps/Skype.tkape ### 解説 skypeのデータ 元々取得していたが、取得対象が増えている ### artifact location ``` Name: main.db (App <v12) Category: Communications Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\ FileMask: main.db - Name: skype.db (App +v12) Category: Communications Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\*\ FileMask: skype.db - Name: main.db XP Category: Communications Path: C:\Documents and Settings\%user%\Application Data\Skype\*\ FileMask: main.db - Name: main.db Win7+ Category: Communications Path: C:\Users\%user%\AppData\Roaming\Skype\*\ FileMask: main.db - Name: s4l-[username].db (App +v8) Category: Communications Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.SkypeApp_*\LocalState\ FileMask: s4l-*.db - Name: leveldb (Skype for Desktop +v8) Category: Communications Path: C:\Users\%user%\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\ Recursive: true - Name: Skype for Destkop v8+ Chromium Cache Category: Communications Path: C:\Users\%user%\AppData\Roaming\Microsoft\Skype for Desktop\Cache\ Recursive: true Comment: Can be viewed with Nirsoft's ChromeCacheView ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 利用していた場合に履歴が確認できる(あまり使われてないと思うが。。。) ### ToDo reporterに追加 ## Targets/Apps/Slack.tkape ### 解説 slackのログ、キャッシュ 元々取得していたが、取得対象が増えている ### artifact location ``` Name: Slack - Chat Logs Category: Apps Path: 
C:\Users\%user%\AppData\Roaming\Slack\IndexedDB\ Recursive: true Comment: "Locates Slack logs and copies them" - Name: Slack LevelDB Files Category: Apps Path: C:\Users\%user%\AppData\Roaming\Slack\Local Storage\leveldb Recursive: true - Name: Slack Electron Logs Category: Apps Path: C:\Users\%user%\AppData\Roaming\Slack\logs\ Recursive: true Comment: "Current Slack application is based on Electron and additional logging can be found here." - Name: Slack Cache Category: Apps Path: C:\Users\%user%\AppData\Roaming\Slack\Cache Recursive: true Comment: "Collects Slack cache files. This folder can be parsed like a Chrome Browser cache using a tool like Nirsoft ChromeCacheView" - Name: Slack Storage Category: Apps Path: C:\Users\%user%\AppData\Roaming\Slack\storage\ Recursive: true Comment: "User activity logs can be present including slack-downloads log" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 利用していた場合に履歴が確認できる ### ToDo reporterに追加 ## Targets/Apps/Snagit.tkape ### 解説 snagitという画面キャプチャソフトのキャプチャ一覧 ### artifact location ``` Name: Snagit - Captures Category: Apps Path: C:\Users\%user%\AppData\Local\TechSmith\Snagit\DataStore Comment: "Locates all Snagit captures" ``` ### 調査要否 * ファスト(不要) * フル(不要) ### 判断理由 画面キャプチャは不要 ### ToDo 不要 ## Targets/Apps/SpeedCommander.tkape ### 解説 SpeedCommander(ファイルマネージャ)の設定ファイル ### artifact location ``` Name: SpeedCommander - .ini File Category: Apps Path: C:\Users\%user%\AppData\Roaming\SpeedProject\SpeedCommander 19\ Comment: "Locates folder where all configuration files reside" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 あれば役立つかも ### ToDo reporterに追加 ## Targets/Apps/Splashtop.tkape ### 解説 Splashtop(リモートデスクトップソフト)のログ ### artifact location ``` Name: Splashtop Log Files Category: Software Path: C:\Program Files*\Splashtop\Splashtop Remote\Server\log Recursive: true Comment: "Collects logs for Splashtop" - Name: Splashtop Log Files in ProgramData Category: Software Path: C:\ProgramData\Splashtop\Temp\log Recursive: true Comment: "Collects 
logs for Splashtop" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 あればリモートログオンの調査が可能 ### ToDo reporterに追加 ## Targets/Apps/SublimeText.tkape ### 解説 sublime textの自動保存されたファイル ### artifact location ``` Name: SublimeText 2/3 Auto Save Session Category: Text Editor Path: C:\Users\%user%\AppData\Roaming\Sublime Text*\Settings FileMask: Session.sublime_session Comment: "Sublime Text 2/3 stores unsaved (temporary) files and its content in its Session.sublime_session file" ``` ### 調査要否 * ファスト(不要) * フル(不要) ### 判断理由 インシデント調査では役に立たなそう ### ToDo 不要 ## Targets/Apps/SugarSync.tkape ### 解説 SugarSyncというオンラインストレージサービスのログや共有フォルダ ### artifact location ``` Name: SugarSync Log File Category: Apps Path: C:\Users\%user%\AppData\Local\SugarSync\ FileMask: 'sc1.log' Comment: "Locates a log file the gives a play-by-play of what the user synced when." - Name: SugarSync - Shared Folders (Default Location) Category: Apps Path: C:\Users\%user%\Documents\SugarSync Shared Folders\ Recursive: true - Name: SugarSync - My SugarSync (Default Location) Category: Apps Path: C:\Users\%user%\Documents\My SugarSync\ Recursive: true ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 使っていれば役立ちそう ### ToDo reporterに追加 ## Targets/Apps/SumatraPDF.tkape ### 解説 sumatra pdfの履歴、pngスナップショット ### artifact location ``` Name: SumatraPDF Settings - SessionData Category: FileKnowledge Path: C:\Users\%user%\AppData\Local\SumatraPDF FileMask: SumatraPDF-settings.txt Recursive: false Comment: Settings file which contains information about previous user session - Name: SumatraPDF Cache Category: FileKnowledge Path: C:\Users\%user%\AppData\Local\SumatraPDF\sumatrapdfcache Recursive: false Comment: Folder contains a PNG snapshot of each PDF file the user had open at the time of last application close ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 使っていれば役立ちそう ### ToDo reporterに追加 ## Targets/Apps/SupremoRemoteDesktop.tkape ### 解説 SupremoRemoteDesktopというリモートデスクトップソフトのログ ### artifact location ``` Name: Supremo Connection Logs Category: 
Communications Path: C:\ProgramData\SupremoRemoteDesktop\Log FileMask: '*.log' Comment: "Includes Supremo.00.Client.log and Supremo.00.Incoming.log" - Name: Supremo File Transfer Inbox Category: Communications Path: C:\ProgramData\SupremoRemoteDesktop\Inbox Comment: "Includes all files transferred to the inbox folder during a remote session" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 使っていれば役立ちそう ### ToDo reporterに追加 ## Targets/Apps/TablacusExplorer.tkape ### 解説 TablacusExplorerというエクスプローラにタブを付けたようなタブファイラーのログファイル ### artifact location ``` Name: Tablacus Explorer - remember.xml Category: Logs Path: C:\Users\%user%\AppData\Local\Temp\*\config FileMask: 'remember.xml' Recursive: true - Name: Tablacus Explorer - window.xml Category: Logs Path: C:\Users\%user%\AppData\Local\Temp\*\config FileMask: 'window.xml' Recursive: true - Name: Tablacus Explorer - window1.xml Category: Logs Path: C:\Users\%user%\AppData\Local\Temp\*\config FileMask: 'window1.xml' Recursive: true ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 使っていれば役立ちそう ### ToDo reporterに追加 ## Targets/Apps/TeamViewerLogs.tkape 取得済み。target追加で良し。 ## Targets/Apps/Telegram.tkape ### 解説 telegramのwindowsソフトの添付ファイル等 ### artifact location ``` Name: Telegram app folder Category: Apps Path: C:\Users\%user%\AppData\Roaming\Telegram Desktop\ Recursive: true Comment: "Telegram app folder structure" - Name: Telegram downloaded files Category: Apps Path: C:\Users\%user%\Downloads\Telegram Desktop\ Recursive: true Comment: "Chat Attachments" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 あまりtelegramをデスクトップソフトで使っているイメージはないが、あれば役立ちそう ### ToDo reporterに追加 ## Targets/Apps/TeraCopy.tkape ### 解説 teracopyというファイルコピーソフトのファイル ### artifact location ``` Name: TeraCopy Category: TeraCopy Path: C:\Users\%user%\AppData\Roaming\TeraCopy\ Recursive: true ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 あれば役立ちそう ### ToDo reporterに追加 ## Targets/Apps/Thunderbird.tkape ### 解説 Thunderbirdの各種ファイル ### artifact location ``` Name: Mozilla Thunderbird 
Install Date Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Crash Reports\ FileMask: 'InstallTime*' Comment: "Holds install time in Unix Seconds timestamp" - Name: Mozilla Thunderbird Profiles.ini Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\ FileMask: 'profiles.ini' Comment: "Profiles list - can hold references to other profiles held elsewhere on the device" - Name: Mozilla Thunderbird prefs.js Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\ FileMask: "prefs.js" Comment: "User Preferences for that profile" - Name: Mozilla Thunderbird Global Messages Database Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\ FileMask: "global-messages-db.sqlite" Comment: "Holds list of contacts, emails, and other potentially useful artifacts" - Name: Mozilla Thunderbird logins.json Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\ FileMask: "logins.json" Comment: "Holds last time online login used, last time password changed, hostname, HTTP(s) URL and more" - Name: Mozilla Thunderbird places.sqlite Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\ FileMask: "places.sqlite" Comment: "Holds history for Thunderbird - as it contains portions of Firefox embedded, it can be used to visit websites too" - Name: Mozilla Thunderbird ImapMail INBOX Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\ImapMail\ FileMask: "INBOX" Recursive: true Comment: "Holds all email files with headers, content etc" - Name: Mozilla Thunderbird Mail INBOX Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\Mail\ FileMask: "INBOX" Recursive: true Comment: "Holds all email files with headers, content etc" - Name: Mozilla Thunderbird Calendar Data Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\calendar-data\ FileMask: "local.sqlite" Comment: "Holds local calendar data" - Name: Mozilla 
Thunderbird Attachments Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\Attachments\ Comment: "Holds attachments" - Name: Mozilla Thunderbird Address Book Category: Apps Path: C:\Users\%user%\AppData\Roaming\Thunderbird\Profiles\*\ FileMask: "abook.sqlite" Comment: "Holds local address book" ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 もしthunderbirdを使っていればメールの調査に役立つ ### ToDo reporterに追加 ## Targets/Apps/TotalCommander.tkape ### 解説 teracopyというファイルコピーソフトのファイル ### artifact location ``` Name: Total Commander - .ini File Category: Apps Path: C:\Users\%user%\AppData\Roaming\GHISLER\ FileMask: 'wincmd.ini' Comment: "Locates .ini file associated with Total Commander which stores useful user activity information." - Name: Total Commander - Log File Category: Apps Path: C:\ Recursive: true FileMask: 'totalcmd.log' Comment: "Locates log file associated with Total Commander. NOTE: this log file is NOT enabled by default and the filename can be modified." - Name: Total Commander - Temp Files Created During Folder Traversal Category: Apps Path: C:\Users\%user%\AppData\Local\Temp\ FileMask: 'FTP*.tmp' Comment: "Locates .tmp files which are created during the user's folder traversal and provide insight into contents of each folder traversed." - Name: Total Commander - FTP .ini File Category: Apps Path: C:\Users\%user%\AppData\Roaming\GHISLER\ FileMask: 'wcx_ftp.ini' Comment: "Locates .ini file associated with Total Commander which stores useful FTP information." - Name: Total Commander - File Tree Category: Apps Path: C:\Users\%user%\AppData\Local\GHISLER\ FileMask: 'treeinfo*.wc' Comment: "Locates a file that contains an exhaustive file tree of a user's file system." - Name: Total Commander - FTP Logs Category: Apps Path: C:\Users\%user%\AppData\Local\Temp\ FileMask: 'tcftp.log' Comment: "Locates a file that contains the Total Commander FTP logs." 
``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 あれば役立ちそう ### ToDo reporterに追加 ## Targets/Apps/TreeSize.tkape ### 解説 TreeSize(ファイルのリストを様々な形式で確認できるツール)でスキャンしたディレクトリの履歴を出力する ### artifact location ``` Name: TreeSize - ScanHistory.XML Category: Apps Path: C:\Users\%user%\AppData\Roaming\JAM Software\TreeSize FileMask: 'scanhistory.xml' Comment: "Locates XML file that provides a list of previously scanned directories by the user." ``` ### 調査要否 * ファスト(存在チェックのみ) * フル(不要) ### 判断理由 攻撃者が使っていれば役に立ちそう ### ToDo reporterに追加 ## Targets/Apps/Ultraviewer.tkape ### 解説 UltraViewerというリモートアクセスツールのログ ### artifact location ``` Name: UltraViewer Logs Category: Remote Access Path: C:\Users\%user%\AppData\Roaming\UltraViewer Recursive: true Comment: "Includes all files related to UltraViewer chat, connections, and recordings" - Name: UltraViewer Logs Category: Remote Access Path: C:\Program Files*\UltraViewer\UltraViewerService_log.txt Comment: "UltraViewer Service log file" - Name: UltraViewer Logs Category: Remote Access Path: C:\Program Files*\UltraViewer\ConnectionLog.Log Comment: "UltraViewer Service level connection log" ``` ### 調査要否 * ファスト(内容調査) * フル(内容調査) ### 判断理由 リモートアクセスツールの悪用調査に役立つ可能性 ### ToDo kape targetに追加 ## Targets/Apps/VLC Media Player.tkape ### 解説 VLC media playerというメディア再生ソフトの設定ファイル、キャッシュ ### artifact location ``` Name: VLC Recently Opened Files Category: Apps Path: C:\Users\%user%\AppData\Roaming\vlc\ FileMask: "vlc-qt-interface.ini" Comment: "Configuration file for VLC. Holds [RecentsMRL] key which lists recently opened files as well as sometimes retaining timestamps for file opening" - Name: VLC Recorded Files Category: Apps Path: C:\Users\%user%\Videos\ FileMask: "vlc-*.avi" Comment: "Recorded files in VLC. 
Sometimes the Record button may be pressed instead of Play by suspects, which can record them watching content with VLC"
```
### Investigation needed?
* Fast (not needed)
* Full (not needed)
### Rationale
Media playback seems unlikely to be much use
### ToDo
Not needed

## Targets/Apps/VMwareInventory.tkape
### Description
Contains the configuration file in which VMware Workstation records the file paths of the VMs it hosts
### artifact location
```
Name: VMware - Virtual Machine Inventory
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\VMware
Comment: "Locates an inventory of all Virtual Machines on disk."
```
### Investigation needed?
* Fast (existence check only)
* Full (not needed)
### Rationale
Likely useful when investigating a compromised VM or a malicious VM
### ToDo
Add to reporter

## Targets/Apps/VMwareMemory.tkape
### Description
Memory of the VMs hosted by VMware Workstation
### artifact location
```
Name: VMware (Fusion/Workstation/Server/Player)
Category: Memory
Path: C:\
FileMask: '*.vmem'
Recursive: true
Comment: "Captures all raw memory from VMware virtual machines."
-
Name: VMware (Fusion/Workstation/Server/Player)
Category: Memory
Path: C:\
FileMask: '*.vmss'
Recursive: true
Comment: "Captures all memory images from VMware virtual machines."
-
Name: VMware (Fusion/Workstation/Server/Player)
Category: Memory
Path: C:\
FileMask: '*.vmsn'
Recursive: true
Comment: "Captures all memory images from VMware virtual machines."
```
### Investigation needed?
* Fast (existence check only)
* Full (not needed)
### Rationale
Likely useful when investigating a compromised VM or a malicious VM. Collecting it as a target inflates the output size
### ToDo
Add to reporter

## Targets/Apps/VNCLogs.tkape
### Description
VNC-related logs
### artifact location
```
Name: RealVNC Log
Category: ApplicationLogs
Path: C:\Users\%user%\AppData\Local\RealVNC\
FileMask: vncserver.log
Comment: "https://www.realvnc.com/en/connect/docs/logging.html#logging"
-
Name: RealVNC Application Logs
Category: EventLogs
Path: ApplicationEvents.tkape
Comment: "Contains RealVNC entries, event source: VNC Server"
```
### Investigation needed?
* Fast (content review)
* Full (content review)
### Rationale
Useful when investigating a compromise carried out over VNC
### ToDo
Add to KAPE target → turned out it was already added

## Targets/Apps/Viber.tkape
### Description
Configuration files and cache of Viber, a calling and messaging app
### artifact location
```
Name: Viber Config Database
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\ViberPC\
FileMask: "config.db"
Comment: "Configuration file for Viber"
-
Name: Viber Users Data Database
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\ViberPC\*\
FileMask: "viber.db"
Comment: "Viber data for that user, containing Calls, Chat Messages, Contacts and more"
-
Name: Viber Users Avatars Cache
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\ViberPC\*\Avatars
Comment: "Cache of the Avatars for other Viber users"
-
Name: Viber Users Backgrounds Cache
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\ViberPC\*\Backgrounds
Comment: "Store of the backgrounds"
-
Name: Viber Users Thumbnails Cache
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\ViberPC\*\Thumbnails
Comment: "Cache of the thumbnails for uploaded/downloaded images"
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
May be useful in some cases if the app is in use
### ToDo
Add to reporter

## Targets/Apps/VirtualBoxConfig.tkape
### Description
VirtualBox configuration files
### artifact location
```
Name: VirtualBox VM configs
Category: Apps
Path: C:\
Recursive: true
FileMask: "*.vbox"
Comment: "Locates all .vbox VM configuration files on disk"
-
Name: VirtualBox VM backup configs
Category: Apps
Path: C:\
Recursive: true
FileMask: "*.vbox-prev"
Comment: "Locates all backup .vbox VM configuration files on disk"
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
Gives information on the VMs run under VirtualBox
### ToDo
Add to reporter

## Targets/Apps/VirtualBoxLogs.tkape
### Description
VirtualBox logs
### artifact location
```
Name: VirtualBox Logs
Category: Apps
Path: C:\
Recursive: true
FileMask: "VBox.log"
Comment: "Locates all VBox.log files on disk"
-
Name: VirtualBox Backup Logs
Category: Apps
Path: C:\
Recursive: true
FileMask: "VBox.log.*"
Comment: "Locates all backup VBox.log files on disk - these can show historic VM usage"
-
Name: VirtualBox Hardening Logs
Category: Apps
Path: C:\
Recursive: true
FileMask: "VBoxHardening.log"
Comment: "Locates all VBoxHardening.log files on disk"
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
Lets us review the operation history of VMs run under VirtualBox
### ToDo
Add to reporter

## Targets/Apps/VirtualBoxMemory.tkape
### Description
VirtualBox memory
### artifact location
```
Name: VirtualBox
Category: Memory
Path: C:\
FileMask: '*.sav'
Recursive: true
Comment: "Captures all partial memory images from VirtualBox."
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
Lets us locate the memory of VMs run under VirtualBox
### ToDo
Add to reporter

## Targets/Apps/WhatsApp.tkape
### Description
Cache of WhatsApp (calling and messaging app)
### artifact location
```
Name: WhatsApp Cache
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\WhatsApp\Cache
Comment: "Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files"
-
Name: WhatsApp Local Storage
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\WhatsApp\Local Storage\leveldb
Comment: "Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper"
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
Possibly useful if the app is in use
### ToDo
Add to reporter

## Targets/Apps/WinSCP.tkape
### Description
WinSCP config file
### artifact location
```
Name: WinSCP (.ini file)
Category: Logs
Path: C:\
FileMask: 'WinSCP.ini'
Recursive: true
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
Possibly useful if the app is in use
### ToDo
Add to reporter

## Targets/Apps/WindowsYourPhone.tkape
### Description
Cache of Your Phone (the Windows app that syncs a phone with the PC): list of phones, etc.
### artifact location
```
Name: Windows Your Phone - All Databases
Category: Apps
Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed
Recursive: true
Comment: "Locates all Your Phone database files"
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
Possibly useful if the app is in use
### ToDo
Add to reporter

## Targets/Apps/XYplorer.tkape
### Description
Logs and cache of XYplorer (an Explorer replacement)
### artifact location
```
Name: XYplorer - .ini file
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\XYplorer\
FileMask: 'XYplorer.ini'
Comment: "Locates .ini file associated with Total Commander which stores useful user activity information."
-
Name: XYplorer - .ini file for each respective pane
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\XYplorer\Panes\*\
Recursive: true
FileMask: 'pane.ini'
Comment: "Locates the .ini file for the left and right pane."
-
Name: XYplorer - AutoBackup folder
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\XYplorer\AutoBackup
Recursive: true
Comment: "Locates the AutoBackup folder and copies its contents."
-
Name: XYplorer - .dat files
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\XYplorer
Recursive: true
FileMask: '*.dat'
Comment: "Locates the .dat files in the XYplorer's AppData folder, all of which are updated upon program's exit."
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
Possibly useful if the app is in use
### ToDo
Add to reporter

## Targets/Apps/Zoom.tkape
### Description
Zoom logs
### artifact location
```
Name: Zoom client logs
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\Zoom\logs
Recursive: true
FileMask: "*"
Comment: "Zoom client artifacts"
-
Name: Zoom client logs (Windows XP)
Category: Apps
Path: C:\Documents and Settings\%user%\Application Data\Zoom\
Recursive: true
FileMask: "*"
Comment: "Zoom client artifacts (Windows XP)"
-
Name: Zoom client recordings
Category: Apps
Path: C:\Users\%user%\Documents\Zoom\
Recursive: true
FileMask: "*"
Comment: "Zoom recording artifacts"
-
Name: Zoom plugin (Outlook)
Category: Apps
Path: C:\Users\%user%\AppData\Roaming\Zoom Plugin
FileMask: "*.json"
Comment: "Zoom plugin artifacts"
```
### Investigation needed?
* Fast (existence check)
* Full (content review)
### Rationale
Possibly useful if the app is in use
### ToDo
Add to reporter

## Targets/Apps/iTunesBackup.tkape
### Description
iTunes backup folder
### artifact location
```
Name: iTunes Backup Folder
Category: Communications
Path: C:\Users\%user%\AppData\Roaming\Apple\Mobilesync\Backup\
Recursive: true
-
Name: iTunes Backup Folder
Category: Communications
Path: C:\Users\%user%\AppData\Roaming\Apple Computer\Mobilesync\Backup\
Recursive: true
-
Name: iTunes Backup Folder - iOS13
Category: Communications
Path: C:\Users\%user%\Apple\Mobilesync\Backup\
Recursive: true
```
### Investigation needed?
* Fast (not needed)
* Full (not needed)
### Rationale
iTunes information seems unlikely to help the investigation
### ToDo
Add to reporter

## Targets/Apps/mIRC.tkape
### Description
Logs of mIRC (IRC client)
### artifact location
```
Name: mIRC Chat Logs (Vista+)
Category: Communications
Path: C:\Users\%user%\AppData\Roaming\mIRC\logs\
Recursive: true
-
Name: mIRC Chat Logs (2000/XP)
Category: Communications
Path: C:\Documents and Settings\%user%\Application Data\mIRC\logs\
Recursive: true
```
### Investigation needed?
* Fast (existence check only)
* Full (content review)
### Rationale
IRC history can likely be recovered
### ToDo
Add to reporter

## Targets/Apps/RemoteNG.tkape
### Description
Logs of mRemoteNG (remote access software)
### artifact location
```
Name: mRemoteNG Logs
Category: Communications
Path: C:\Users\%user%\AppData\Roaming\mRemoteNG\
FileMask: mRemoteNG.log
Comment: Contains log entries for remote connections
-
Name: mRemoteNG Connection Configuration and Backups
Category: Communications
Path: C:\Users\%user%\AppData\Roaming\mRemoteNG\
FileMask: confCons.xml*
Comment: Contains connection config, often with obfuscated credentials
-
Name: mRemoteNG Program Settings
Category: Communications
Path: C:\Users\%user%\AppData\*\mRemoteNG\
Recursive: true
FileMask: user.config
Comment: Contains user-specific program settings
```
### Investigation needed?
* Fast (content review)
* Full (content review)
### Rationale
Logs about remote connections
### ToDo
Add to KAPE target

## Targets/Apps/pCloudDatabase.tkape
### Description
pCloud (cloud storage) files
### artifact location
```
Name: pCloud Database
Category: Apps
Path: C:\Users\%user%\AppData\Local\pCloud\
FileMask: '*.db'
Recursive: false
Comment: "Database contains all files sync'd with pCloud account."
-
Name: pCloud Database WAL File
Category: Apps
Path: C:\Users\%user%\AppData\Local\pCloud\
FileMask: '*.db-wal'
Recursive: false
Comment: "Write-Ahead Log for pCloud database file."
-
Name: pCloud Database Shared Memory File
Category: Apps
Path: C:\Users\%user%\AppData\Local\pCloud\
FileMask: '*.db-shm'
Recursive: false
Comment: "Shared Memory for the pCloud database file."
```
### Investigation needed?
* Fast (existence check only)
* Full (content review)
### Rationale
Likely useful if the app is in use
### ToDo
Add to reporter
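As an added example (not part of this note, of KAPE or of any of the tools above), the "Fast (existence check only)" step decided for most entries, written in Python: a few of the artifact locations above are checked against a directory tree standing in for `C:\`, expanding `%user%` once per profile directory and applying `FileMask` and `Recursive` the way the tkape fields describe. The helper names, the `TARGETS` subset and every file in the fixture tree are assumptions constructed for the demo.

```python
import fnmatch
import tempfile
from pathlib import Path

TARGETS = [  # constructed subset of the note's entries; "C:\" maps onto the root passed in
    {"Name": "VMware - Virtual Machine Inventory",
     "Path": "C:\\Users\\%user%\\AppData\\Roaming\\VMware"},
    {"Name": "VirtualBox VM configs", "Path": "C:\\", "FileMask": "*.vbox", "Recursive": True},
    {"Name": "mRemoteNG Connection Configuration and Backups",
     "Path": "C:\\Users\\%user%\\AppData\\Roaming\\mRemoteNG", "FileMask": "confCons.xml*"},
]

def expand_paths(root: Path, tkape_path: str) -> list:
    """Map a tkape Path onto root (standing in for C:\\) and expand the %user% placeholder."""
    rel = tkape_path[3:] if tkape_path[:3].lower() == "c:\\" else tkape_path
    rel = rel.replace("\\", "/").strip("/")
    if "%user%" not in rel:
        return [root / rel]
    users = root / "Users"  # one expansion per profile directory, as KAPE does
    return [root / rel.replace("%user%", u.name)
            for u in (users.iterdir() if users.is_dir() else []) if u.is_dir()]

def check_target(root: Path, entry: dict) -> dict:
    """Fast-triage check: does the location exist, and which files match FileMask?"""
    mask = entry.get("FileMask", "*").strip("'\"").lower()  # Windows masks are case-insensitive
    exists, hits = False, []
    for base in filter(Path.exists, expand_paths(root, entry["Path"])):
        exists = True
        walker = base.rglob("*") if entry.get("Recursive") else base.glob("*")
        hits += [str(p.relative_to(root)) for p in walker
                 if p.is_file() and fnmatch.fnmatchcase(p.name.lower(), mask)]
    return {"exists": exists, "files": sorted(hits)}

def run_report(root: Path, targets=TARGETS) -> dict:
    """One record per target, keyed by its tkape Name: the 'reporter' output of the note."""
    return {t["Name"]: check_target(root, t) for t in targets}

def build_demo_tree(root: Path) -> None:
    """Constructed fixture: one profile with a VMware inventory, mRemoteNG configs and a .vbox."""
    for f in ("Users/alice/AppData/Roaming/VMware/inventory.vmls",
              "Users/alice/AppData/Roaming/mRemoteNG/confCons.xml",
              "Users/alice/AppData/Roaming/mRemoteNG/confCons.xml.backup",
              "VMs/win10/win10.vbox"):
        (root / f).parent.mkdir(parents=True, exist_ok=True)
        (root / f).write_text("constructed sample\n")

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(Path(d))
        return run_report(Path(d))
```

Pointing `run_report` at the root of a mounted image instead of the temporary tree gives the same report for real data, without copying any of the (possibly very large) files the Full collection would pull.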
