From 389ead51f44ab4f2cbf3c2bddd08b23e86fd9afa Mon Sep 17 00:00:00 2001 From: ogmini <112595633+ogmini@users.noreply.github.com> Date: Wed, 18 Jun 2025 18:10:37 -0400 Subject: [PATCH 1/3] Update DFIRBatch.reb with Windows Notepad Add Third Party Application section for Windows Notepad --- BatchExamples/DFIRBatch.md | 2 ++ BatchExamples/DFIRBatch.reb | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md index d9532f0..a49f392 100644 --- a/BatchExamples/DFIRBatch.md +++ b/BatchExamples/DFIRBatch.md @@ -8,6 +8,7 @@ Special thanks to those who have contributed to this Batch file: * [Tony Knutson](https://twitter.com/bigt252002) * Chris Kudless * [Reece394](https://github.com/reece394) +* [ogmini](https://github.com/ogmini) # Version History @@ -58,6 +59,7 @@ Example entry, please follow this format: | 2.09 | 2024-12-19 | Added Angry IP Scanner Artifacts | | 2.10 | 2025-01-18 | Added System ProductType and ProductSuite Artifacts | | 2.11 | 2025-03-31 | Added Threat Hunt for WinLogon Shell and Userinit values | +| 2.12 | 2025-06-18 | Added Windows Notepad Artifacts | # Documentation diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index 8e9b9ec..f0ad92d 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb 
@@ -3048,6 +3048,32 @@ Keys: Recursive: true Comment: "Displays artifacts relating to Angry IP Scanner" +# Third Party Applications -> Windows Notepad + + - + Description: Windows Notepad + HiveType: OTHER + Category: Third Party Application + KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 + Recursive: true + Comment: "MRU from %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat" + - + Description: Windows Notepad + HiveType: OTHER + Category: Third Party Application + KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths + Recursive: true + Comment: "TypedPaths from %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat" + - + Description: Windows Notepad + HiveType: OTHER + Category: Third Party Application + KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 + Recursive: true + Comment: "MountPoints2 from %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat" + +# https://ogmini.github.io/2025/06/12/Windows-Notepad-Revisiting-Application-Hive.html / https://ogmini.github.io/research#windows-notepad + # -------------------- # CLOUD STORAGE # -------------------- From d9028441f77f2962bf7f130d124ee9be91e949f7 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 18 Jun 2025 18:19:28 -0400 Subject: [PATCH 2/3] Update DFIRBatch.reb - remove trailing whitespace --- BatchExamples/DFIRBatch.reb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index f0ad92d..93f00d6 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb @@ -3048,7 +3048,7 @@ Keys: Recursive: true Comment: "Displays artifacts relating to Angry IP Scanner" -# Third Party Applications -> Windows Notepad +# Third Party Applications -> Windows Notepad - Description: Windows Notepad 
From 8b489b82535d71e59d2f87779f6d042797410797 Mon Sep 17 00:00:00 2001 From: Andrew Rathbun <36825567+AndrewRathbun@users.noreply.github.com> Date: Wed, 18 Jun 2025 18:22:19 -0400 Subject: [PATCH 3/3] Update DFIRBatch.reb - update to 2.12, fix comments, fixes for linter --- BatchExamples/DFIRBatch.reb | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb index 93f00d6..ee1c032 100644 --- a/BatchExamples/DFIRBatch.reb +++ b/BatchExamples/DFIRBatch.reb @@ -1,7 +1,7 @@ Description: DFIR RECmd Batch File Author: Andrew Rathbun, esecrpm -Version: 2.11 -Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8 +Version: 2.12 +Id: 6e68cc0b-c945-428b-a‘b91-c02d91c877b8 Keys: # # DFIRBatch README: https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/DFIRBatch.md 
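Review bot: In the header hunk of PATCH 3/3 the `Id` line is rewritten together with the version, and the new value `6e68cc0b-c945-428b-a‘b91-c02d91c877b8` contains a stray U+2018 character inside the fourth group, so it is no longer a valid GUID and silently changes the batch file's identifier. A version bump should not touch `Id` at all; drop the `-Id:`/`+Id:` pair so the line stays `Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8` and only the `Version: 2.11` to `Version: 2.12` change remains.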
@@ -3056,23 +3056,24 @@ Keys: Category: Third Party Application KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32 Recursive: true - Comment: "MRU from %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat" + Comment: "MRU from .\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat” - Description: Windows Notepad HiveType: OTHER Category: Third Party Application KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths Recursive: true - Comment: "TypedPaths from %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat" + Comment: "TypedPaths from .\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat” - Description: Windows Notepad HiveType: OTHER Category: Third Party Application KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 Recursive: true - Comment: "MountPoints2 from %localappdata%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat" + Comment: "MountPoints2 from .\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat” -# https://ogmini.github.io/2025/06/12/Windows-Notepad-Revisiting-Application-Hive.html / https://ogmini.github.io/research#windows-notepad +# https://ogmini.github.io/2025/06/12/Windows-Notepad-Revisiting-Application-Hive.html +# https://ogmini.github.io/research#windows-notepad # -------------------- # CLOUD STORAGE
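Review bot: In the DFIRBatch.reb hunk of PATCH 1/3 the three new keys all carry the identical `Description: Windows Notepad`, so RECmd output from the ComDlg32, TypedPaths and MountPoints2 keys cannot be told apart by description alone; suggest differentiating them, for example `Description: Windows Notepad - ComDlg32 MRU`. The same patch adds the `2.12 | 2025-06-18` row to the version history in DFIRBatch.md but leaves `Version: 2.11` in the .reb header (only corrected in PATCH 3/3); the header bump belongs in the same commit as the history row so the two files never disagree. The trailing `# https://... / https://...` line also packs two URLs into one comment, which PATCH 3/3 later splits; doing that here would keep the first commit self-contained.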
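Review bot: The three rewritten `Comment:` lines in the PATCH 3/3 keys hunk close with a typographic right double quote (`”`, U+201D) instead of the ASCII `"` that opens them, e.g. `Comment: "MRU from .\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium\User.dat”`; in YAML that leaves each double-quoted scalar unterminated, so a file meant to satisfy the linter will instead fail to parse or swallow the lines that follow. Replace the closing characters with plain `"`. Separately, the change from `%localappdata%\Packages\...` to `.\AppData\Local\Packages\...` is not mentioned in the commit message; the `.\` form is only meaningful relative to a user profile root, so spelling that out in the comment (for example `<user profile>\AppData\Local\...`) would remove the ambiguity for analysts locating the User.dat hive.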