Shlomi Boutnaru, Ph.D.
The Windows Forensic Journey — “ShowJumpView”
The “ShowJumpView” is a registry subkey of “FeatureUsage”…
9h ago

Shlomi Boutnaru, Ph.D.
The Windows Concept Journey — “Jump List”
A “Jump List” is a list of system-provided menus which is shown when the user performs a right-click on an application in the…
1d ago

Shlomi Boutnaru, Ph.D.
The Windows Forensic Journey — “AppSwitched”
The “AppSwitched” is a registry subkey of “AppSwitched”…
2d ago

Shlomi Boutnaru, Ph.D.
The Windows Forensic Journey — “AppLaunch”
The “AppLaunch” is a registry subkey of “FeatureUsage”…
2d ago

Shlomi Boutnaru, Ph.D.
The Windows Forensic Journey — “RecentApps”
RecentApps is a feature relevant since Windows 10 which logs execution of GUI programs. It is saved per local/domain user in the following…
3d ago

Shlomi Boutnaru, Ph.D.
The Windows Forensic Journey — “FeatureUsage”
In general, “FeatureUsage” is a registry key which is stored as part of the user’s profile. This means that the information is stored for…
3d ago

Shlomi Boutnaru, Ph.D.
The Windows Concept Journey — Roaming User Profile
The goal of a “Roaming User Profile” is to provide users their personal data/settings on every Windows system (or even virtual desktop)…
4d ago

Shlomi Boutnaru, Ph.D.
The Windows Process Journey — “certutil.exe” (Digital Certificate Utility)
“certutil.exe” (Digital Certificate Utility) is a binary PE file located at “%windir%\system32\certutil.exe”. On 64-bit versions of…
5d ago

Shlomi Boutnaru, Ph.D.
The Windows Process Journey — “cofire.exe” (Corrupted File Recovery Client)
“cofire.exe” (Corrupted File Recovery Client) is a PE binary located in “%windir%\System32\cofire.exe”. On 64-bit versions of Windows…
6d ago