FeatureUsage


Path/s
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage
Operating System
Windows
Artifact Category
  • Applications
  • Registry
  • User
So what does it track, and where are the forensic artifacts located? It tracks events associated with the Taskbar, for example when a user runs an application pinned to it. The following subkeys are of interest.

AppBadgeUpdated. This subkey keeps track of badge updates for applications on the Taskbar. For example, if you use Telegram and receive a new message, a red badge with the number of new messages appears on the application's icon. Here we can find the application's path and the number of badge updates.

AppLaunch. This subkey logs launches of applications that are pinned to the Taskbar. Not every user pins applications, but when they do, this subkey yields a good amount of digital evidence.

AppSwitched. This subkey logs left clicks on Taskbar applications when a user switches from one to another. It is the most interesting subkey from a forensic perspective, as it may contain a great number of records, which can serve as evidence of execution.

ShowJumpView. This subkey tracks right clicks on Taskbar applications, which a user may do, for example, to check or open recent files. It can be an additional artifact pointing to the most frequently used applications.

TrayButtonClicked. This subkey tracks left clicks on the following Taskbar items: the Clock button, Start button, Notification Center button and Search box. As in the previous examples, it records the number of clicks on each item.
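The following PowerShell script is an added example (not part of the original listing or the referenced blog post) that enumerates the five subkeys described above and lists every tracked item with its counter. It assumes the FeatureUsage key exists in the hive being examined and that each value under a subkey is a counter keyed by an application or Taskbar item identifier; the `Get-FeatureUsage` function name and the `C:\Evidence\NTUSER.DAT` path are hypothetical.

```powershell
# Added example: dump FeatureUsage counters from a user hive.
# Live triage reads the current user's hive (HKCU). For an offline NTUSER.DAT,
# mount it first and pass the mounted path, e.g.:
#   reg load HKU\Suspect C:\Evidence\NTUSER.DAT
#   Get-FeatureUsage -Path 'Registry::HKEY_USERS\Suspect\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage'
#   reg unload HKU\Suspect
# (hive path is a hypothetical placeholder)

function Get-FeatureUsage {
    param(
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage'
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "FeatureUsage key not found: $Path"
        return
    }

    # Provider metadata properties that Get-ItemProperty adds; they are not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($sub in Get-ChildItem -Path $Path) {
        $props = Get-ItemProperty -Path $sub.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            # One object per tracked item: subkey name (AppSwitched, AppLaunch, ...),
            # the item identifier stored as the value name, and the stored counter.
            [pscustomobject]@{
                Subkey = $sub.PSChildName
                Item   = $p.Name
                Count  = $p.Value
            }
        }
    }
}

# Usage: items with the highest counters first within each subkey.
Get-FeatureUsage |
    Sort-Object -Property Subkey, @{ Expression = 'Count'; Descending = $true } |
    Format-Table -AutoSize
```

Counters only grow while the user interacts with the Taskbar, so an application that appears in AppSwitched with a high count but is absent from AppLaunch was most likely started by another means (a shortcut, the Start menu, or a file association) rather than from its pinned icon; the AppSwitched entries still corroborate that the program was running and had a window.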

https://www.group-ib.com/blog/featureusage 
