{"version":1,"pages":[{"id":"dbOq6JhBZr0BSGg9dbSl","title":"Welcome","pathname":"/windows-forensics","siteSpaceId":"sitesp_cmklc","emoji":"1f44b","description":""},{"id":"EeYmRclkGROYVDD41cne","title":"Registry Artifacts","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts","siteSpaceId":"sitesp_cmklc","emoji":"1f5c4","breadcrumbs":[{"label":"Artifacts by Type"}]},{"id":"gwo59DgV7Somcsrsk2zI","title":"Amcache.hve","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/amcache","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"fHwJ9GkDRGNNEmGa41KX","title":"Background Activity Montitor","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"zcbbXBNUVvNKaN4asiKn","title":"Image File Execution Options Registry Keys","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"HQn5dzH9xvzs0M8KEBN4","title":"System Resource Usage Monitor (SRUM)","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/srum-db","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"xarfuhdzb9VTP13KF3Rs","title":"Run/RunOnce Registry Keys","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"cmtWw7XsjBLtrl8M2mrv","title":"Tracing Registry Keys","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"3jYe4fRsjhPdJ4lRWrTQ","title":"Services Registry Keys","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/registry-services","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"zAQPqfWqxIv1h0dGTyMt","title":"Select Registry Key","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/select","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"53iW9GgmVeeClZRGKEPt","title":"CurrentVersion Registry Key","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/current-version","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"f1PuHfPwTQNkTLsWQA7V","title":"ComputerName Registry Key","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/computer-name","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"BkpWYC0f2bvZDRH7msmL","title":"Interfaces Registry Key","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/interfaces","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"xUP304aP0E1kwKuH4URO","title":"NetworkCards Registry Key","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/network-cards","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"V2cMzzUMXKdKIm4t3R9r","title":"TimeZoneInformation Registry Key","pathname":"/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Registry Artifacts","emoji":"1f5c4"}]},{"id":"ulr3gGG8KTeATKCr4BPe","title":"Filesystem Artifacts","pathname":"/windows-forensics/artifacts-by-type/filesystem-artifacts","siteSpaceId":"sitesp_cmklc","emoji":"1f4c2","breadcrumbs":[{"label":"Artifacts by Type"}]},{"id":"w6iyrjbE7GflTiaYkbg3","title":"USN Journal","pathname":"/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Filesystem Artifacts","emoji":"1f4c2"}]},{"id":"iB1DRSlTPRDarzeRzwS6","title":"Prefetch","pathname":"/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Filesystem Artifacts","emoji":"1f4c2"}]},{"id":"jiO7zSMH41iXruxyVAlK","title":"AutomaticDestinations Jumplists","pathname":"/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Filesystem Artifacts","emoji":"1f4c2"}]},{"id":"jAaQ6TvpCyAidNRxUnz2","title":"Recycle Bin $I/$R Files","pathname":"/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Filesystem Artifacts","emoji":"1f4c2"}]},{"id":"KRa8Up7qsPl8H0dHPNZt","title":"Task Scheduler Files","pathname":"/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Filesystem Artifacts","emoji":"1f4c2"}]},{"id":"8k60OpaUSKwaOcLnQnmH","title":"Windows Error Reporting Files (.WER)","pathname":"/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Filesystem Artifacts","emoji":"1f4c2"}]},{"id":"XIp0lcIuZLHXK5H5c4HG","title":"Event Log Artifacts","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts","siteSpaceId":"sitesp_cmklc","emoji":"1f4c5","breadcrumbs":[{"label":"Artifacts by Type"}]},{"id":"3rz3DY8KTjqMxZFV8DTm","title":"Task Scheduler Operational Log","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"VwTexy1BuGmLkLlZZNx1","title":"TerminalServices-RDPClient","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"LtZkgwwTR7QCtXfm0l1x","title":"EventID 1024: RDP ClientActiveX is trying to connect to the server","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"TerminalServices-RDPClient"}]},{"id":"CIiXHHpEcAphSryJtMYg","title":"Security","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/security","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"snWotioHQLeqOC4rAS1r","title":"EventID 4688: A new process has been created","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Security"}]},{"id":"dgv3NkCyWfeULWTgtJyt","title":"EventID 4624: An account was successfully logged on","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Security"}]},{"id":"z0riyeh4bldz6vKj4JiZ","title":"System","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/system","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"FejkQv7jHvZAGFJMRmiw","title":"Event ID 7045: Service Installed","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"System"}]},{"id":"SJWE6EQ4mxtpk8QT7PxO","title":"Microsoft Windows Windows Firewall With Advanced Security","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"VxIiM4wvbKobgGKTtCLM","title":"EventID 2004: Firewall Rule Added","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Microsoft Windows Windows Firewall With Advanced Security"}]},{"id":"HN15mTucjsXzNq73zQ8A","title":"EventID 2005: Firewall Rule Modified","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Microsoft Windows Windows Firewall With Advanced Security"}]},{"id":"rCK5NtuoMN6wlBEDyynu","title":"EventID 2006: Firewall Rule Deleted","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Microsoft Windows Windows Firewall With Advanced Security"}]},{"id":"iy8zjIEAVoFnebpyfbZI","title":"EventID 2071: Firewall Rule Added","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Microsoft Windows Windows Firewall With Advanced Security"}]},{"id":"g4J07F6UkzQZDjgAkye0","title":"EventID 2073: Firewall Rule Modified","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Microsoft Windows Windows Firewall With Advanced Security"}]},{"id":"JPKaQJVScvCxFqrp1n7I","title":"EventID 2052: Firewall Rule Deleted","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Microsoft Windows Windows Firewall With Advanced Security"}]},{"id":"MVNhlXkZlHdz1PxPc4W8","title":"TerminalServices-LocalSessionManager","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"C61w0xWIUXcrzcOIPAu3","title":"EventID 21: Session logon succeeded","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"TerminalServices-LocalSessionManager"}]},{"id":"Ek6JlHXy3SqcNTnxVwl2","title":"EventID 24: Session has been disconnected","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"TerminalServices-LocalSessionManager"}]},{"id":"bP1seep6Wr7EZ6sm3b4L","title":"TerminalServices-RemoteConnectionManager","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"fSLwAwkIK8rlIWT7PDJa","title":"EventID 1149: User Authentication Succeeded","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"TerminalServices-RemoteConnectionManager"}]},{"id":"yz1TpcjmuXgJ40lebzNU","title":"Microsoft Windows Shell Core","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"dwPcwHhtKQGupzfPqnFP","title":"EventID 9707: Command Execution Started","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Microsoft Windows Shell Core"}]},{"id":"YV0KaZbPq3Pohuiixc27","title":"Microsoft-Windows-PowerShell","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"}]},{"id":"XBwToqli6IQIjnUISyVe","title":"EventID 4104: PowerShell Script Block Logging","pathname":"/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell/evtx-4104-script-block-logging","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Type"},{"label":"Event Log Artifacts","emoji":"1f4c5"},{"label":"Microsoft-Windows-PowerShell"}]},{"id":"oGZIPzfiVY8hahQmFq4c","title":"Execution","pathname":"/windows-forensics/artifacts-by-activity/execution","siteSpaceId":"sitesp_cmklc","emoji":"1f3c3-2642","description":"Execution artifacts provide evidence of programs and applications being run on a system.","breadcrumbs":[{"label":"Artifacts by Activity"}]},{"id":"vnDLfD9RBoVh5UOGGhiw","title":"Evidence of Execution","pathname":"/windows-forensics/artifacts-by-activity/execution/evidence-of-execution","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Execution","emoji":"1f3c3-2642"}]},{"id":"NwFJ38aWYFJ7FKQuKQMQ","title":"First Executed","pathname":"/windows-forensics/artifacts-by-activity/execution/first-executed","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Execution","emoji":"1f3c3-2642"}]},{"id":"6Pmka7uFtKElhrhDdFDv","title":"Last Executed","pathname":"/windows-forensics/artifacts-by-activity/execution/last-executed","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Execution","emoji":"1f3c3-2642"}]},{"id":"agskwSdYbi8RGqMN5CmF","title":"Command Line Options","pathname":"/windows-forensics/artifacts-by-activity/execution/command-line-options","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Execution","emoji":"1f3c3-2642"}]},{"id":"7PsIbY4z0aa7D6FfSddw","title":"Execution Account","pathname":"/windows-forensics/artifacts-by-activity/execution/execution-account","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Execution","emoji":"1f3c3-2642"}]},{"id":"qnouj5GLuiwXN3ZPDBUb","title":"Parent and Child Information","pathname":"/windows-forensics/artifacts-by-activity/execution/parent-and-child-information","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Execution","emoji":"1f3c3-2642"}]},{"id":"RRVYscBDy6RJr6mTXYPa","title":"Execution Timestamp","pathname":"/windows-forensics/artifacts-by-activity/execution/execution-timestamp","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Execution","emoji":"1f3c3-2642"}]},{"id":"vVsqdJrkyVYWwHovUSac","title":"File Activity","pathname":"/windows-forensics/artifacts-by-activity/file-activity","siteSpaceId":"sitesp_cmklc","emoji":"1f5d2","description":"File Activity artifacts are generated by filesystem actions such as creating, modifying, or deleting files.","breadcrumbs":[{"label":"Artifacts by Activity"}]},{"id":"Ywpi93Ywi9miCUTepCc9","title":"File Creation","pathname":"/windows-forensics/artifacts-by-activity/file-activity/creation","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"File Activity","emoji":"1f5d2"}]},{"id":"rmCTRMRp4lWv3ij2JpeD","title":"File Deletion","pathname":"/windows-forensics/artifacts-by-activity/file-activity/deletion","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"File Activity","emoji":"1f5d2"}]},{"id":"cR8iRSw4xASw6iJFDAif","title":"Last Modified","pathname":"/windows-forensics/artifacts-by-activity/file-activity/last-modified","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"File Activity","emoji":"1f5d2"}]},{"id":"efZNGZJl4GLKYlg9flem","title":"File Origin","pathname":"/windows-forensics/artifacts-by-activity/file-activity/origin","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"File Activity","emoji":"1f5d2"}]},{"id":"nmru9qr1jF7O0ZoLkyQK","title":"File Size","pathname":"/windows-forensics/artifacts-by-activity/file-activity/size","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"File Activity","emoji":"1f5d2"}]},{"id":"V3cDcDJogcr4slquHEzB","title":"File Path","pathname":"/windows-forensics/artifacts-by-activity/file-activity/file-path","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"File Activity","emoji":"1f5d2"}]},{"id":"S13XZNNiwIfkltOIBXh0","title":"File Hash","pathname":"/windows-forensics/artifacts-by-activity/file-activity/file-hash","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"File Activity","emoji":"1f5d2"}]},{"id":"4QHSm93YDtw9L0DoJZaK","title":"Account Activity","pathname":"/windows-forensics/artifacts-by-activity/account-activity","siteSpaceId":"sitesp_cmklc","emoji":"1f468-1f527","description":"In certain circumstances, some artifacts may provide information about an account, or attribution of certain activity to a particular account.","breadcrumbs":[{"label":"Artifacts by Activity"}]},{"id":"SR93Ed5OolPqIElnPwwi","title":"Account Creation Time","pathname":"/windows-forensics/artifacts-by-activity/account-activity/creation-time","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Account Activity","emoji":"1f468-1f527"}]},{"id":"PHoo4IxRnS9YMLtaOoOz","title":"Group Membership","pathname":"/windows-forensics/artifacts-by-activity/account-activity/group-membership","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Account Activity","emoji":"1f468-1f527"}]},{"id":"HlxBEwdepRD9XWo5zvOO","title":"Last Login","pathname":"/windows-forensics/artifacts-by-activity/account-activity/last-login","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Account Activity","emoji":"1f468-1f527"}]},{"id":"Zo5HzeeY0PwwSEjtwJ2Z","title":"Login History","pathname":"/windows-forensics/artifacts-by-activity/account-activity/login-history","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Account Activity","emoji":"1f468-1f527"}]},{"id":"xrUgKsmrRTjjCfRttgUo","title":"Logon ID","pathname":"/windows-forensics/artifacts-by-activity/account-activity/logon-id","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Account Activity","emoji":"1f468-1f527"}]},{"id":"la4cdnb3GjXGDL7pcWaV","title":"Relative Identifier","pathname":"/windows-forensics/artifacts-by-activity/account-activity/relative-identifier","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Account Activity","emoji":"1f468-1f527"}]},{"id":"LRJZQZsAd12i4mDfGwuK","title":"Security Identifier","pathname":"/windows-forensics/artifacts-by-activity/account-activity/security-identifier","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Account Activity","emoji":"1f468-1f527"}]},{"id":"xb2jtwMPGcVKWaKDBigr","title":"Username","pathname":"/windows-forensics/artifacts-by-activity/account-activity/username","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Account Activity","emoji":"1f468-1f527"}]},{"id":"qx37jSZQMn1pQ8oy1fly","title":"Network Activity","pathname":"/windows-forensics/artifacts-by-activity/network-activity","siteSpaceId":"sitesp_cmklc","emoji":"1f30e","description":"Network activity can be analyzed through certain artifacts, which may provide information such as the source or destination of certain network traffic, or the volume of that activity.","breadcrumbs":[{"label":"Artifacts by Activity"}]},{"id":"vyOW1UW4D6MtZx1ltSwW","title":"Evidence of Network Activity","pathname":"/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Network Activity","emoji":"1f30e"}]},{"id":"pD9PmWKLXCWnvIZcuiXo","title":"Destination Identification","pathname":"/windows-forensics/artifacts-by-activity/network-activity/destination-identification","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Network Activity","emoji":"1f30e"}]},{"id":"T5a0mfe6TprUne1T4K7M","title":"Source Identification","pathname":"/windows-forensics/artifacts-by-activity/network-activity/source-identification","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Network Activity","emoji":"1f30e"}]},{"id":"ylJHwaSzYnCr2VFHo6Yn","title":"Transmit Volume","pathname":"/windows-forensics/artifacts-by-activity/network-activity/transmit-volume","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Network Activity","emoji":"1f30e"}]},{"id":"Gm5UmJTsXFgVcpGh9nmt","title":"Firewall Activity","pathname":"/windows-forensics/artifacts-by-activity/network-activity/firewall-activity","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Network Activity","emoji":"1f30e"}]},{"id":"3L7rKTtIUSOJAghsoAkH","title":"Wireless Activity","pathname":"/windows-forensics/artifacts-by-activity/network-activity/wireless-activity","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Network Activity","emoji":"1f30e"}]},{"id":"PCiUFva8Hseq7qoQcHtO","title":"Browser Activity","pathname":"/windows-forensics/artifacts-by-activity/browser-activity","siteSpaceId":"sitesp_cmklc","emoji":"1f50d","breadcrumbs":[{"label":"Artifacts by Activity"}]},{"id":"5CiMhNTxGd7BLvbp6MVM","title":"History","pathname":"/windows-forensics/artifacts-by-activity/browser-activity/history","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Browser Activity","emoji":"1f50d"}]},{"id":"oCL9c3WbeYVCKIDxq8oQ","title":"Firefox places.sqlite Database","pathname":"/windows-forensics/artifacts-by-activity/browser-activity/history/firefox-places-sqlite","siteSpaceId":"sitesp_cmklc","description":"","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Browser Activity","emoji":"1f50d"},{"label":"History"}]},{"id":"aT98hYmJ3fThOsws3wPH","title":"Bookmarks","pathname":"/windows-forensics/artifacts-by-activity/browser-activity/bookmarks","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Browser Activity","emoji":"1f50d"}]},{"id":"Kla05e0EhRmjJcC4Egkq","title":"Stored Passwords/Secrets","pathname":"/windows-forensics/artifacts-by-activity/browser-activity/stored-passwords-secrets","siteSpaceId":"sitesp_cmklc","breadcrumbs":[{"label":"Artifacts by Activity"},{"label":"Browser Activity","emoji":"1f50d"}]},{"id":"A9WSUHDPatjWctCckWyA","title":"System Enumeration","pathname":"/windows-forensics/artifacts-by-activity/system-enumeration","siteSpaceId":"sitesp_cmklc","emoji":"1f5a5","breadcrumbs":[{"label":"Artifacts by Activity"}]}]}