User Activity and Knowledge
While previous chapters focused on the evidence left by programs and the file system, this chapter shifts the focus to the user themselves. The artifacts discussed here provide a window into the direct actions, intentions, and knowledge of the person operating the system. They help answer crucial questions beyond simple execution: What did the user do? Where did they look? What did they download? What commands did they type?
Understanding these artifacts is essential for building a complete narrative of an incident. It allows an analyst to move from identifying a suspicious file to demonstrating the user's intent and active involvement in deploying it. We will explore the digital breadcrumbs left behind by everyday interactions with the operating system, from navigating folders to browsing the web and using the command line.
This chapter will cover:
Shellbags: Registry keys (the BagMRU and Bags subkeys under Software\Microsoft\Windows\Shell in NTUSER.DAT and UsrClass.dat) that record a user's folder navigation in Explorer, proving they had "knowledge of" and opened specific directories, even if those directories are now empty or deleted. Note that a Shellbag entry shows the folder was browsed, not that any particular file inside it was opened.
PowerShell Command History: A plain-text log (ConsoleHost_history.txt, written by the PSReadLine module) of commands typed interactively into the PowerShell console, offering a largely unfiltered look at manual system administration and potential anti-forensic activities. Two caveats: the file carries no timestamps, so the file's last-write time is the only temporal anchor, and it is not populated by scripts or by the ISE, only by the interactive console host.
Temporary Files: The contents of the %temp% folder, which can reveal recently extracted archives or specific library files, such as the native library dropped by JNativeHook (a Java global keyboard and mouse hook library), that are hallmarks of certain applications.
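The history triage below is an added example, not code from the original page. It assumes only the PSReadLine on-disk format (one command per line, with multi-line commands stored as lines ending in a backtick, the last line excepted) and uses a constructed sample history rather than a real one; the suspicious-command patterns and category names are this example's own choices, not a published signature set.

```python
"""Triage a PSReadLine ConsoleHost_history.txt for anti-forensic activity.

Added example, not from the original page. Assumes the PSReadLine format:
one command per line; a multi-line command is written with a trailing
backtick on every line but the last. Default path on Windows:
%APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
The file has no timestamps, so only command order is recoverable here.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Categories and patterns chosen for this example (not an official list).
SUSPICIOUS = {
    "event-log-clearing": re.compile(r"\b(Clear-EventLog|wevtutil\s+(cl|clear-log))\b", re.I),
    "history-tampering": re.compile(
        r"ConsoleHost_history|HistorySavePath|Clear-History|Remove-Module\s+PSReadLine", re.I),
    "defender-tampering": re.compile(
        r"Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring", re.I),
    "file-wiping": re.compile(r"\b(Remove-Item|rm|del|erase|cipher\s+/w)\b", re.I),
    "encoded-command": re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "execution-policy": re.compile(r"-ExecutionPolicy\s+Bypass|Set-ExecutionPolicy", re.I),
}


@dataclass
class Hit:
    index: int       # 1-based position of the command in the history file
    category: str
    command: str


def parse_history(text: str) -> list[str]:
    """Join backtick line-continuations into whole commands; drop blank entries."""
    commands, buf = [], []
    for line in text.splitlines():
        if line.endswith("`"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        cmd = "\n".join(buf).strip()
        buf = []
        if cmd:
            commands.append(cmd)
    if buf:  # file ended mid-continuation (e.g. session killed); keep what exists
        cmd = "\n".join(buf).strip()
        if cmd:
            commands.append(cmd)
    return commands


def triage(commands: Iterable[str]) -> list[Hit]:
    """Return one Hit per (command, matching category), in history order."""
    hits = []
    for i, cmd in enumerate(commands, 1):
        for category, pattern in SUSPICIOUS.items():
            if pattern.search(cmd):
                hits.append(Hit(i, category, cmd))
    return hits


# Constructed sample history for this example; not a real capture.
SAMPLE_HISTORY = "\n".join([
    "Get-ChildItem $env:TEMP",
    "Expand-Archive .\\tool.zip -DestinationPath $env:TEMP\\tool",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Start-Process `",
    "  -FilePath $env:TEMP\\tool\\run.exe `",
    "  -WindowStyle Hidden",
    "wevtutil cl Security",
    "Remove-Item (Get-PSReadLineOption).HistorySavePath",
    "cd ~",
])


def run_sample() -> list[Hit]:
    return triage(parse_history(SAMPLE_HISTORY))


if __name__ == "__main__":
    for h in run_sample():
        print(f"#{h.index:<3} {h.category:<20} {h.command.splitlines()[0]}")
```

Run it against a copied history file with `triage(parse_history(open(path, encoding="utf-8").read()))`; correlate the flagged command indices with Shellbag entries and %temp% contents, since the history alone cannot say when a command ran.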
By analyzing these artifacts, an investigation can uncover the context surrounding a malicious file, trace its origin back to a download, and reveal the explicit commands used to execute or conceal it. They are the key to transforming a collection of technical data points into a coherent story of user action.