# Artifact Coverage Matrix
This matrix is the working map for windows-full: what question each artefact answers, where it lands, and which reports use it. DuckDB stores parsed fields only. Large bodies and extracted content belong in OpenSearch with references back to the parsed origin.
| Question | Sources | Parser / Tool | Primary Tables | Reports | Notes |
|---|---|---|---|---|---|
| What files existed and when? | $MFT, mounted FAT/exFAT directory listings, USN Journal, $LogFile, $I30 | MFTECmd, MountedFilesystemInventory, custom NTFS parsers | mft_entries, filesystem_entries, usn_journal_entries, ntfs_* | file-history, file-dossier, files, filesystem-review, usn-*, ntfs-* | NTFS uses MFT/USN where available. FAT/exFAT mounted volumes get a case-owned listing even when there is no $MFT. |
| What files were opened or referenced? | LNK, Jump Lists, RecentDocs, Office MRU, Common Dialog, Shellbags, Windows Search | LECmd, JLECmd, Registry parser, Shellbags parser, SIDR / Windows Search parsers | shortcut_items, registry_artifacts, common_dialog_items, shellbag_entries, windows_search_files, windows_search_indexed_content | file-history, shortcuts, shellbags, common-dialog-items, office-backstage, communications | Shortcut rows retain source table, row number, app id, arguments, working directory, machine and network details where emitted by the tool. Indexed body/content remains in OpenSearch. |
| What applications likely executed? | Prefetch, UserAssist, BAM/DAM, RunMRU, LastVisitedPidlMRU, SRUM, Capability Access Manager, selected event logs | PECmd, Registry parser, SrumParser, EVTX parser | prefetch_items, prefetch_run_times, registry_artifacts, srum_records, evtx_events | execution, execution-correlation, prefetch, srum-context, taskbar-feature-usage | Amcache and ShimCache are treated as presence indicators, not execution proof. |
| What applications existed? | Amcache, ShimCache, installers, uninstall keys, MFT | Amcache parser, ShimCache parser, Registry parser | amcache_entries, shimcache_entries, registry_artifacts, mft_entries | amcache, shimcache, uninstalled-applications, interesting-executables | Useful for triage and correlation, but not stand-alone execution evidence. |
| What remote access happened? | RDP event logs, RDP cache, Terminal Server Client keys, SRUM, VPN/RAS phonebooks and registry | EVTX parser, RDP cache parser, Registry parser, SrumParser | evtx_events, rdp_cache_items, rdp_visual_observations, registry_artifacts, srum_records | rdp, remote-access, remote-access-attribution, vpn-*, srum-context | RDP visual observations come from interpreted cache contact sheets. remote-access-attribution ties incoming RDP/logon windows to USB, local activity, and cloud/account context. |
| What removable devices were present? | USBSTOR, UASP/SCSI, HID, SWD/WPDBUSENUM, MountedDevices, Windows Portable Devices, MountPoints2, DeviceMigration, partition diagnostics, SetupAPI logs | Registry parser, USB summary builder, EVTX parser, SetupApiParser | usb_devices, usb_storage_devices, usb_connection_events, setupapi_device_events, registry_artifacts, evtx_events | external-storage, usb-dossier, usb-verbose, device-inventory | device-inventory covers non-storage device categories; storage-focused movement analysis remains in USB reports. Event-log-only and SetupAPI-only devices are included when registry summaries are not available. |
| Was data copied to removable media? | USN, MFT, LNK, Jump Lists, Shellbags, USB volume data | Correlation builders | copied_file_indicators, usb_file_correlations | copied-usb-files, usb-files, copied-file-drilldown | Uses normalized paths and volume serials where available. |
| What browser activity exists? | History, downloads, cache, cookies, sessions, site settings, notifications, sync and LevelDB/IndexedDB/OPFS candidates | Browser parsers | browser_*, messaging_records | browser-*, browser-deep-storage, web-cloud-correlations | The deep-storage report inventories parsed artefacts and candidates. Raw IndexedDB/OPFS content is not bulk copied into DuckDB. Selective content parsers should route bodies/content to OpenSearch. |
| What communications, notes, and local AI/app content exist? | PST, OST, MSG, EML, mailbox attachments, chat stores, Electron LevelDB candidates, AI assistant app stores, Obsidian/Notion/OneNote note stores, application recent-file/config artifacts | Mailbox parser, messaging/application parsers, file-content parser for selected loose documents | mailbox_messages, mailbox_attachments, messaging_messages, messaging_records, windows_search_indexed_content | email-artifacts, mailbox-*, messaging-*, communications, communication-review | Message bodies, note bodies, AI assistant conversation text, and file/message content are indexed in OpenSearch, not duplicated as large DuckDB text. |
| Did files originate from email? | Mailbox attachment metadata, file history, Outlook Secure Temp, Windows Search, MFT | Mailbox parser, PackageArtifactsParser, Registry parser, correlation reports | mailbox_attachments, mailbox_messages, package_artifacts, registry_artifacts, mft_entries, shortcut_items | file-history, mailbox-attachment-coverage, mailbox-attachment-copies | Conversation index/topic, headers, attachment names, and Outlook Secure Temp locations are retained as bounded metadata. |
| What cloud storage was configured or used? | OneDrive, Dropbox, Google Drive, iCloud registry/config, browser/cloud references, SRUM, package/app artifacts | Registry parser, browser parsers, SrumParser, package/application parsers | registry_artifacts, cloud_sync_artifacts, browser_*, srum_records, package_artifacts, onedrive_items, onedrive_log_entries | cloud-configuration, cloud-artifacts, cloud-files, web-cloud-correlations, srum-context | Registry rows include source key and value. Browser/WebCache rows distinguish web portal access from local sync-client activity. |
| What persistence/autostarts exist? | Run keys, services, scheduled tasks, startup folders, WMI-style registry data, browser/native messaging candidates | Registry, EVTX, task parsers | registry_artifacts, evtx_events, task/service tables where available | autostarts, persistence, malware-hiding-places | The malware-hiding-places report cross-references parsed autostart and task sources. |
| What privacy/capability access exists? | Capability Access Manager, SRUM, event logs | Registry parser, SrumECmd | registry_artifacts, srum_records, event_logs | execution, user-activity, srum-context | Contextual support for app usage and capability access. |
| What server access logs exist? | SUM / UAL logs | SUM/UAL parser | ual_records | ual | Expected to be absent on many workstation images but part of windows-full. |
| What CD/DVD burning evidence exists? | Burn folders, staging paths, event/log artefacts | File and registry artefact parsing | mft_entries, registry_artifacts, related file tables | cd-burning | Focused triage report for burning/staging evidence. |
| What application crash/error context exists? | Windows Error Reporting files, Defender logs | WindowsErrorReportingParser, WindowsDefenderParser | windows_error_reports, Defender report rows | windows-error-reporting, Defender-related reports where available | Useful context around crashes, blocked actions, and suspicious application behavior. |
| What nested evidence exists inside images or triage sets? | VHD/VHDX/VMDK, archives, nested E01/RAW-style evidence, KAPE/EZ reports | Evidence source discovery, nested evidence inventory, report-bundle import | nested_evidence_items, normalized artifact tables after import | nested-evidence, normal artifact reports after import | Nested disks are inventoried for analyst decision; compressed content is listed by metadata and extracted selectively without bulk raw content storage. |
## Open Work Items
These are the remaining actionable items from the reference review:
- Add optional server-side cloud log importers as source-labeled non-image evidence.