Forensics Add-on Options

The Forensics add-on options require a Forensics add-on license and Cortex XDR Agent 7.4 or later for Windows.
The following table lists and defines the main Forensics add-on options.
| Option | Definition |
| --- | --- |
| Searches | Results of forensic searches run by a user or as part of a Search Collection. |
| Search Collections | Collections of forensic searches saved under a single name, which can be added to the Agent Settings profile. |
| Host Timelines | A normalized table of forensic artifacts from a host, in which each row represents a single timestamp. |
| Process Execution | A normalized table of forensic artifacts from a host, in which each row represents a single timestamp. |
| Process Execution Artifacts | Tables containing forensic artifact types related to historical process execution. |
| File Access | Normalized table containing indicators of historical file access. |
| File Access Artifacts | Tables containing forensic artifact types related to historical file access. |
| Persistence | Tables containing indicators of software persistence. The Host Insights add-on is required for these tables. |
| Command History | Normalized table containing indicators of historical command execution. |
| Command History Artifacts | Tables containing forensic artifact types related to historical command execution. |
| Network | Normalized table containing indicators of historical network activity. |
| Network Artifacts | Tables containing forensic artifact types related to historical network activity. |
| Remote Access | Normalized table containing indicators of historical usage of remote access software. |
| Remote Access Artifacts | Tables containing forensic artifact types related to historical usage of different remote access software. |
| Triage | Tables containing the output of forensic triage as well as the ability to create custom configurations for triage collections. |

Process Execution Artifact Types

The Process Execution Artifact types are listed below.

| Artifact Type | Definition |
| --- | --- |
| Amcache | A registry hive used by the Application Compatibility Infrastructure to cache the details of executed or installed programs. |
| Application Resource Usage | A table in the System Resource Usage database that stores statistics pertaining to resource usage by running applications. |
| Background Activity Monitor | Per-user registry keys created by the Background Activity Monitor (BAM) service to store the full paths of executable files and a timestamp indicating when they were last executed. |
| CidSizeMRU | A registry key containing a list of recently launched applications. |
| LastVisitedPidlMRU | A registry key containing a list of the applications and folder paths associated with recently opened files found in the user's OpenSavePidlMRU key. |
| Prefetch | A type of file created to optimize application startup in Windows. These files contain a run count for each application, between one and eight timestamps of the most recent executions, and a record of all of the files opened for a set duration after the application was started. |
| Recentfilecache | A cache created by the Application Compatibility Infrastructure to store the details of executed or installed programs (Windows 7 only). |
| Shimcache | A registry key used by the Application Compatibility Infrastructure to cache details about local executables. |
| UserAssist | A registry value that records a count for each application that a user launches via the Windows UI. |
| Windows Activities | A database containing user activity for a particular Microsoft user account, potentially across multiple devices. This is also called the Windows Timeline. |

File Access Artifact Types

The File Access Artifact types are listed below.

| Artifact Type | Definition |
| --- | --- |
| Recent Files | Contents of the shortcut (.lnk) files found in a user's Recent folder. These files represent files recently accessed by a user account. |
| Jumplist | A feature of the Windows taskbar that provides users with shortcuts to recently accessed files or applications. |
| OpenSavePidlMRU | A registry key containing a list of recently opened and saved files for a user's account. |
| ShellBags | Registry keys that record user layout preferences for each folder with which the user interacts. |
| WordWheelQuery | Registry key containing a list of terms that a user searched for in Windows Explorer. |

Persistence Types

The Persistence types are listed below.

| Persistence Type | Definition |
| --- | --- |
| Autoruns | To be provided. |
| Drivers | To be provided. |
| Services | To be provided. |

Command History Artifact Types

The Command History Artifact types are listed below.

| Artifact Type | Definition |
| --- | --- |
| PSReadline | A record of commands typed into a PowerShell terminal by a user. The history file is only enabled by default starting with PowerShell 5 on Windows 10 or newer. |

Network Artifact Types

The Network Artifact types are listed below.

| Artifact Type | Definition |
| --- | --- |
| ARP Cache | A cache of Address Resolution Protocol (ARP) records for resolved MAC and IP addresses. |
| DNS Cache | A cache of Domain Name System (DNS) records for resolved domains and IP addresses. |
| Hosts File | Full listing of entries from the etc/hosts file. |
| Network Connectivity Usage | A table in the System Resource Usage database that stores statistics pertaining to network connections, containing the start time and duration of the connections for each network interface. |
| Network Data Usage | A table in the System Resource Usage database that stores statistics pertaining to network data usage for running applications. Includes application path, network interface, bytes sent, and bytes received. |

Remote Access Artifact Types

The Remote Access Artifact types are listed below.

| Artifact Type | Definition |
| --- | --- |
| LogMeIn | Records of activity found in the LogMeIn event logs. |
| TeamViewer | Records of incoming TeamViewer connections found in the Connections_incoming.txt file. |
| User Access Logging | To be provided. |

Triage Types

The Triage types are listed below.

| Triage Type | Definition |
| --- | --- |
| All | To be provided. |
| File | To be provided. |
| Registry | To be provided. |
| Event Logs | Full listing of the events found in the Windows event log (*.evtx) files. |
| Browser History | Browser history from Chrome, Edge, Firefox, and Internet Explorer. |
| Net Sessions | List of active network sessions on this host at the time of the triage collection. |
| Port Listing | List of open ports at the time of the triage collection. |
| Process Listing | List of running processes at the time of the triage collection. |
| Handles | List of open handles at the time of the triage collection. |
| Configuration | To be provided. |
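The Host Timelines option above describes a normalized table in which each row is a single timestamp, regardless of which artifact the timestamp came from. The following Python is an added illustration of that normalization and is not Cortex XDR code: it flattens constructed sample records shaped like parsed Prefetch (up to eight run times per file), Background Activity Monitor (one last-execution time per path) and Recent Files (.lnk access time) artifacts into one sorted timeline, then pulls the rows inside an analyst-chosen window. The record field names, the host name and every timestamp are assumptions made for the example.

```python
"""Normalize several forensic artifact sources into one host timeline.

Hypothetical example for the "Host Timelines" concept: each artifact record
is expanded to one row per timestamp so Prefetch run times, BAM last-execution
times and Recent-folder (.lnk) access times can be sorted and queried
together. All records below are constructed sample data, not collector output.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Iterator


@dataclass(frozen=True)
class TimelineRow:
    timestamp: datetime   # always UTC; exactly one timestamp per row
    artifact: str         # which artifact type the row was derived from
    host: str
    summary: str


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 string; a trailing 'Z' is normalized to +00:00."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:            # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


# Constructed sample records (assumed field names), shaped like parsed output.
PREFETCH = [
    {"file": "POWERSHELL.EXE-022A1004.pf", "run_count": 3,
     "last_runs": ["2024-03-04T09:15:02Z", "2024-03-03T17:40:11Z"]},
    {"file": "SETUP.EXE-1A2B3C4D.pf", "run_count": 1,
     "last_runs": ["2024-03-04T09:14:56Z"]},
]
BAM = [
    {"user_sid": "S-1-5-21-1111-2222-3333-1001",
     "path": "\\Device\\HarddiskVolume2\\Users\\alice\\Downloads\\setup.exe",
     "last_executed": "2024-03-04T09:14:55Z"},
]
RECENT_LNK = [
    {"lnk": "report.docx.lnk",
     "target": "C:\\Users\\alice\\Documents\\report.docx",
     "accessed": "2024-03-04T09:20:31Z"},
]


def rows_from_prefetch(host: str, records: Iterable[dict]) -> Iterator[TimelineRow]:
    """Prefetch keeps up to eight recent run times, so one record yields many rows."""
    for rec in records:
        for ts in rec["last_runs"]:
            yield TimelineRow(parse_utc(ts), "Prefetch", host,
                              f"{rec['file']} executed (run count {rec['run_count']})")


def rows_from_bam(host: str, records: Iterable[dict]) -> Iterator[TimelineRow]:
    """BAM stores a single last-execution time per executable path and user."""
    for rec in records:
        yield TimelineRow(parse_utc(rec["last_executed"]), "Background Activity Monitor",
                          host, f"{rec['path']} last executed by {rec['user_sid']}")


def rows_from_lnk(host: str, records: Iterable[dict]) -> Iterator[TimelineRow]:
    """Each Recent-folder shortcut contributes the access time of its target."""
    for rec in records:
        yield TimelineRow(parse_utc(rec["accessed"]), "Recent Files", host,
                          f"{rec['target']} accessed via {rec['lnk']}")


def build_timeline(host: str, prefetch, bam, lnk) -> list[TimelineRow]:
    """Merge all sources and sort chronologically (artifact name breaks ties)."""
    rows = [*rows_from_prefetch(host, prefetch),
            *rows_from_bam(host, bam),
            *rows_from_lnk(host, lnk)]
    return sorted(rows, key=lambda r: (r.timestamp, r.artifact))


def rows_between(timeline: list[TimelineRow], start: str, end: str) -> list[TimelineRow]:
    """Return the rows whose timestamp falls inside [start, end], inclusive."""
    s, e = parse_utc(start), parse_utc(end)
    return [r for r in timeline if s <= r.timestamp <= e]


if __name__ == "__main__":
    timeline = build_timeline("WS-ALICE-01", PREFETCH, BAM, RECENT_LNK)
    for row in rows_between(timeline, "2024-03-04T09:14:00Z", "2024-03-04T09:21:00Z"):
        print(row.timestamp.isoformat(), row.artifact, row.summary, sep="  ")
```

The window query is where the normalized form pays off: the BAM execution of setup.exe, its Prefetch run time one second later and the document access a few minutes after all land next to each other without the analyst having to remember which artifact stores which field.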
