cafae is a Windows registry parser that targets specific registry keys that help identify user activity as it pertains to files and program execution. It covers a handful of registry entries that are specific to an account's registry hive(s): the user's ntuser.dat hive and, for Vista and later, the usrclass.dat hive. Collectively, these two registry hives contain artifacts useful in piecing together the file and program activity that occurred on a specific account. Newer versions of cafae extend the report generation to the software, system, security and amcache hives.
TZWorks Computer Account Forensic Artifact Extractor (cafae)