Evids

Evids is a list of known artifacts to check that can give you insight into user activities.

This was inspired by the GTFOBins project for Windows. The initial data was taken from the SANS poster “Evidence of..”.

The list of available categories is available here. Instructions on how to contribute are available here.

Artifact Categories
XP Search – ACMRU
ADS Zone.Identifier
Amcache.hve
Authentication Events
BAM/DAM
Browser Artifacts
Browser Cache
Browser Download Manager
Browser History
Browser Search Terms
Cookies
Drive Letter and Volume Name
Email Attachments
First/Last Times
Flash & Super Cookies
Google Analytics Cookies
IE|Edge file://
Jump Lists
Key Identification
Last Login
Last Password Change
Last-Visited MRU
Shortcut (LNK) Files
Logon Types
Network History
Office Recent Files
Open/Save MRU
PNP Events
Prefetch
RDP Usage
Recent Files
RecentApps
Recycle Bin (Win7/8/10)
Recycle Bin (WinXP)
Services Events
Session Restore
Shell Bags
Shimcache
Skype History
System Resource Usage Monitor (SRUM)
Success/Fail Logons
Thumbcache
Thumbs.db
Timezone
Unique USB (User)
UserAssist
Volume Serial Number
Windows 10 Timeline
WLAN Event Logs
WordWheelQuery