Update !SANS_Triage.tkape

add pointers to Targets referenced
salty4n6 · Dec 31, 2020 · cf618c6 · cf618c6
1 parent 8b09673
commit cf618c6
Showing 1 changed file with 35 additions and 22 deletions.
diff --git a/Targets/Compound/!SANS_Triage.tkape b/Targets/Compound/!SANS_Triage.tkape
@@ -1,14 +1,13 @@
 Description: SANS Triage Collection.  
-# No Compound Targets used in this target.  That is intended to make this target 
-# "self documenting" for the SANS 500 Students.
-
 Author: Mark Hallman
 Version: 1.1
 Id: 5dbe9218-fd3d-4d86-88aa-56001d38e7f5
 RecreateDirectories: True
 Targets:
 
-# Event Logs
+# No Compound Targets used in this target.  That is intended to make this target "self documenting" for the SANS FOR500 Students.
+
+# Event Logs - .\Targets\Windows\EventLogs.tkape
     -
         Name: Event logs XP
         Category: EventLogs
@@ -25,7 +24,7 @@ Targets:
         Path: C:\Windows.old\Windows\System32\winevt\logs\
         FileMask: '*.evtx'
 
-# Evidence of Execution
+# Evidence of Execution - .\Targets\Compound\EvidenceOfExecution.tkape and .\Targets\Logs\PowerShellConsole.tkape
     -
         Name: Prefetch
         Category: Prefetch
@@ -82,7 +81,7 @@ Targets:
         Path: C:\Users\%user%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\
         FileMask: ConsoleHost_history.txt
 
-# File System    
+# File System - .\Targets\Compound\FileSystem.tkape
     -
         Name: $MFT
         Category: FileSystem
@@ -130,7 +129,7 @@ Targets:
         AlwaysAddToQueue: True
         SaveAsFileName: $T
 
-# LNK Files and JumpLists        
+# LNK Files and JumpLists - .\Targets\Windows\LNKFilesAndJumpLists.tkape  
     -
         Name: LNK files from Recent
         Category: LNKFiles
@@ -163,19 +162,33 @@ Targets:
         Path: C:\System Volume Information\_restore*\RP*\
         FileMask: '*.LNK'
 
-# Recycle Bin and Recycler 
+# Recycle Bin and Recycler - .\Targets\Windows\RecycleBin_DataFiles.tkape and .\Targets\Windows\RecycleBin_InfoFiles.tkape
+    -
+        Name: Recycle Bin - Windows Vista+
+        Category: FileDeletion
+        Path: C:\$Recycle.Bin\
+        FileMask: '$R*.*'
+        Recursive: True
+    -
+        Name: RECYCLER - WinXP
+        Category: FileDeletion
+        Path: C:\RECYCLE*\
+        FileMask: 'D*.*'
+        Recursive: True
     -
-        Name: $Recycle.Bin
-        Category: Deleted Files
+        Name: Recycle Bin - Windows Vista+
+        Category: FileDeletion
         Path: C:\$Recycle.Bin\
+        FileMask: '$I*.*'
         Recursive: True
     -
-        Name: RECYCLER WinXP
-        Category: Deleted Files
-        Path: C:\RECYCLER\
+        Name: RECYCLER - WinXP
+        Category: FileDeletion
+        Path: C:\RECYCLE*\
+        FileMask: 'INFO2'
         Recursive: True
 
-# System Registry Files
+# System Registry Files - .\Targets\Windows\RegistryHivesSystem.tkape
     -
         Name: SAM registry transaction files
         Category: Registry
@@ -382,7 +395,7 @@ Targets:
         Path: C:\System Volume Information\_restore*\RP*\snapshot\
         FileMask: _REGISTRY_*
 
-# User Registry Files
+# User Registry Files - .\Targets\Windows\RegistryHivesUser.tkape
     -
         Name: NTUSER.DAT registry hive XP
         Category: Registry
@@ -431,7 +444,7 @@ Targets:
 
 # System Level Artifacts  
 
-# Scheduled Tasks
+# Scheduled Tasks - .\Targets\Windows\ScheduledTasks.tkape
     -
         Name: at .job
         Category: Persistence
@@ -463,7 +476,7 @@ Targets:
         Path: C:\Windows.old\Windows\System32\Tasks\
         Recursive: True
 
-# System Resource Usage Monitor
+# System Resource Usage Monitor - .\Targets\Windows\SRUM.tkape
     -
         Name: SRUM
         Category: Execution
@@ -475,7 +488,7 @@ Targets:
         Path: C:\Windows.old\Windows\System32\SRU\
         Recursive: True
 
-# Thumbcache.db
+# Thumbcache.db - .\Targets\Windows\ThumbCache.tkape
     -
         Name: Thumbcache DB
         Category: FileKnowledge
@@ -516,7 +529,7 @@ Targets:
 
 # User Communication         
 
-# Outlook PST and OST files
+# Outlook PST and OST files - .\Targets\Apps\OutlookPSTOST.tkape
     -
         Name: PST XP
         Category: Communications
@@ -538,7 +551,7 @@ Targets:
         Path: C:\Users\%user%\AppData\Local\Microsoft\Outlook\
         FileMask: '*.ost'
 
-# Skype
+# Skype - .\Targets\Apps\Skype.tkape
     -
         Name: main.db (App <v12)
         Category: Communications
@@ -570,7 +583,7 @@ Targets:
         Path: C:\Users\%user%\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\*.leveldb\
         FileMask: '*.log'
 
-# Web Browser Artifacts        
+# Web Browser Artifacts - .\Targets\Compound\WebBrowsers.tkape
     -
         Name: Chrome bookmarks XP
         Category: Communications
@@ -890,7 +903,7 @@ Targets:
         Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCookies\
         Recursive: True
 
-# Windows Timeline
+# Windows Timeline - .\Targets\Windows\WindowsTimeline.tkape
     -
         Name: ActivitiesCache.db
         Category: FileFolderAccess