From e4b74a7127964ad7ba9aed179e46bdd6256b3b67 Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Mon, 18 Mar 2024 10:20:57 +0000
Subject: [PATCH 1/5] Create Windows_Notepad.tkape
---
 Targets/Apps/Windows_Notepad.tkape | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 Targets/Apps/Windows_Notepad.tkape
diff --git a/Targets/Apps/Windows_Notepad.tkape b/Targets/Apps/Windows_Notepad.tkape
new file mode 100644
index 000000000..ad6bfd0d5
--- /dev/null
+++ b/Targets/Apps/Windows_Notepad.tkape
@@ -0,0 +1,15 @@
+Description: Microsoft Windows 11 Notepad history
+Author: Vito Alfano
+Version: 1.0
+Id: 531d8631-b3ac-4bc2-b2e6-5f31442efb94
+RecreateDirectories: true
+Targets:
+ -
+ Name: Notepad Tab State Folder
+ Category: App
+ Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\
+ FileMask: "*.bin"
+ Comment: "Collecting Windows 11 Notepad tabs history files"
+
+# Documentation
+# https://twitter.com/nas_bench/status/1725658060104913019
From 570487e0bd3a61300f52bb943a27638ec7fbaf73 Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Thu, 4 Apr 2024 16:24:29 +0000
Subject: [PATCH 2/5] Create RDPJumplist.tkape
---
 Targets/Windows/RDPJumplist.tkape | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 Targets/Windows/RDPJumplist.tkape
diff --git a/Targets/Windows/RDPJumplist.tkape b/Targets/Windows/RDPJumplist.tkape
new file mode 100644
index 000000000..e18fb9522
--- /dev/null
+++ b/Targets/Windows/RDPJumplist.tkape
@@ -0,0 +1,13 @@
+Description: RDP Jumplist Files
+Author: Vito Alfano
+Version: 1.0
+Id: da62b852-7af2-4882-ac83-ff3e142da2ef
+RecreateDirectories: true
+Targets:
+ -
+ Name: RDP Jumplist Files
+ Category: FileSystem
+ Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\
+
+# Documentation
+# https://www.zerofox.com/blog/remote-desktop-application-vs-mstsc-forensics-the-rdp-artifacts-you-might-be-missing/
From 07ac986c6bcfe6da769ac180c75abb36e06fc30f Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Thu, 4 Apr 2024 16:35:19 +0000
Subject: [PATCH 3/5] Update RDPJumplist.tkape
---
 Targets/Windows/RDPJumplist.tkape | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Targets/Windows/RDPJumplist.tkape b/Targets/Windows/RDPJumplist.tkape
index e18fb9522..48a2e7560 100644
--- a/Targets/Windows/RDPJumplist.tkape
+++ b/Targets/Windows/RDPJumplist.tkape
@@ -8,6 +8,6 @@ Targets:
 Name: RDP Jumplist Files
 Category: FileSystem
 Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\
-
+
 # Documentation
 # https://www.zerofox.com/blog/remote-desktop-application-vs-mstsc-forensics-the-rdp-artifacts-you-might-be-missing/
From 9492fc0a6f311dab671409d62248f7bbdc20c002 Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Thu, 4 Apr 2024 16:38:03 +0000
Subject: [PATCH 4/5] Update RDPJumplist.tkape
---
 Targets/Windows/RDPJumplist.tkape | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Targets/Windows/RDPJumplist.tkape b/Targets/Windows/RDPJumplist.tkape
index 48a2e7560..d811de9fc 100644
--- a/Targets/Windows/RDPJumplist.tkape
+++ b/Targets/Windows/RDPJumplist.tkape
@@ -8,6 +8,7 @@ Targets:
 Name: RDP Jumplist Files
 Category: FileSystem
 Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.RemoteDesktop_8wekyb3d8bbwe\
-
+ Recursive: true
+
 # Documentation
 # https://www.zerofox.com/blog/remote-desktop-application-vs-mstsc-forensics-the-rdp-artifacts-you-might-be-missing/
From b7bea3bc6e3dd15248390c9c759aa7976b852b91 Mon Sep 17 00:00:00 2001
From: V <45754825+vxsh4d0w@users.noreply.github.com>
Date: Mon, 20 May 2024 13:40:36 +0000
Subject: [PATCH 5/5] Delete Targets/Apps/Windows_Notepad.tkape
---
 Targets/Apps/Windows_Notepad.tkape | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100644 Targets/Apps/Windows_Notepad.tkape
diff --git a/Targets/Apps/Windows_Notepad.tkape b/Targets/Apps/Windows_Notepad.tkape
deleted file mode 100644
index ad6bfd0d5..000000000
--- a/Targets/Apps/Windows_Notepad.tkape
+++ /dev/null
@@ -1,15 +0,0 @@
-Description: Microsoft Windows 11 Notepad history
-Author: Vito Alfano
-Version: 1.0
-Id: 531d8631-b3ac-4bc2-b2e6-5f31442efb94
-RecreateDirectories: true
-Targets:
- -
- Name: Notepad Tab State Folder
- Category: App
- Path: C:\Users\%user%\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\
- FileMask: "*.bin"
- Comment: "Collecting Windows 11 Notepad tabs history files"
-
-# Documentation
-# https://twitter.com/nas_bench/status/1725658060104913019
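Review bot: In the [PATCH 4/5] hunk of `Targets/Windows/RDPJumplist.tkape`, adding `Recursive: true` with no `FileMask` makes the target copy everything under the `Microsoft.RemoteDesktop_8wekyb3d8bbwe` package folder, while `Name` and `Description` (set in [PATCH 2/5]) still read "RDP Jumplist Files". An examiner choosing targets from the list would expect jump list data only, and the real scope matters for collection size and for what lands in the evidence set. I would state the scope on the entry, for example `Comment: "Collects the entire Microsoft Store Remote Desktop app package folder recursively"`, or narrow `Path` or add a `FileMask` if only the artifacts described in the referenced write-up are wanted. The target entry itself begins above the hunk's context lines.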