FCapture Features
After executing F-Capture and clicking "Accept", you may perform many different actions. By default, the scan button has all features enabled. There is also an "Advanced" option button that allows users to customize their scan. This button describes what each checkbox does and the functions it triggers.
- Active Processes
- AmCache*
- Autorun Items
- Browser Data
- DLLs*
- Drive Imaging
- Event Logs*
- File Associations
- File System Info
- Image Scan*
- Installed Programs*
- Jump Lists
- Keyword Searches
- LNK Files*
- Memory Imaging
- MRU Lists
- Network Interfaces
- Network Profiles*
- Network Share Info
- Packet Capture
- Peripheral Devices
- Prefetch Files
- RDP Cache
- Recycle Bin*
- Registry
- Scheduled Tasks
- Screenshot Windows
- Shellbags
- ShimCache*
- SRUM Info
- Startup Programs*
- System Info*
- Swap Files
- Timezone Info*
- UserAssist Info
- Windows Services
Note: Features with an asterisk next to them have not been fully documented yet.
Template
Triggers functions >> xxxxxxxxx
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Active-Processes
Description:
Gets the list of all active processes on the machine, along with a small amount of detail on each one, and then writes this list to a text file called ActiveProcesses.txt
Triggers functions >> AmCache
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Autorun-Items
Description:
Records registry keys associated with autorun items, that is, registry keys that launch programs or applications during the boot process. Some common autorun locations include:
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
(ProfilePath)\Start Menu\Programs\Startup
Triggers functions >> Browser-Data-Retrieval
Description:
For each user that has the associated browser paths, copies all contents from the following folders:
*:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default
*:\Users\*\AppData\Local\Google\Chrome\User Data\Default
*:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles
*:\Users\*\AppData\Roaming\Opera Software\Opera Stable
Triggers functions >> DLLs
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Set-Disks-List, Disk-Image
Description:
Uses wbadmin start backup to make a backup image of the drives selected in the advanced menu imaging checklist.
Triggers functions >> Event-Logs
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> File-Associations
Description:
Lists file extensions with the associated program id. Uses cmd's assoc and captures the output.
Triggers functions >> Filesystem-info
Description:
Exports file system information to Filesystem-Info.csv
Triggers functions >> Image-Scan
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Installed-Programs
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Jump-List
Description:
For each user, locates and copies the jump list directory located at:
%AppData%\Microsoft\Windows\Recent
Triggers functions >> KeyWord-Search
Description:
Locates and exports the WordWheelQuery registry key at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Triggers functions >> LNK-Files
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> PhysicalMemory-Image
Description:
Uses WinPmem to create a live image copy of the device's physical memory. Outputs to an AFF4 file. AFF4 is an open forensic imaging format and can be opened by most zip software. See also Swap Files.
Triggers functions >> MRU
Description:
Exports the following registry keys for each user, if they exist:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
Triggers functions >> Network-Interfaces
Description:
Records the IP address and properties of visible and hidden network adapters. Uses Get-NetAdapter and ipconfig.
Triggers functions >> Network-Profiles
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Network-Share-Info
Description:
Exports the following registry keys for each user, if they exist:
HKCU\Network
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Triggers functions >> Packet-Capture-Start, Packet-Capture-Stop
Description:
Starts a netsh trace with the scenarios InternetClient, InternetServer and NetConnection, which captures packets to an .etl file viewable in Microsoft Message Analyzer.
Triggers functions >> Peripheral-Devices
Description:
Exports a CSV list of all peripheral devices installed to peripheral-devices.csv
Triggers functions >> Prefetch
Description:
Copies the Prefetch folder (located at *:\Windows\Prefetch) and all of its contents
Triggers functions >> Remote-Desktop
Description:
For each user, locates and copies the folder (and all of its contents) located at:
*:\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache
Triggers functions >> Recycle-Bin
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Scan-Registry
Description:
Opens RegScanner, which allows one to scan the Registry.
Triggers functions >> Scheduled-Tasks
Description:
Extracts and copies the .xml files/directories that represent scheduled tasks from the "C:\Windows\System32\Tasks" folder.
Triggers functions >> Screenshot
Description:
Calls a macro function that cycles through every currently open window and the desktop, taking a screenshot of each and saving it as a .jpg file.
Triggers functions >> Shellbags
Description:
Exports the following registry keys for each user, if they exist:
HKCU\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Microsoft\Windows\Shell\Bags
Triggers functions >> ShimCache
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> SRUM
Description:
Gathers SRUM information (including application resource usage, long-term energy usage, network connections, network usage and push notification data) by locating and copying the SRUDB.dat file from:
*:\Windows\System32\sru\
Triggers functions >> Startup-Programs
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> System-Info
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Swap-Files
Description:
Uses WinPmem to create a live image copy of the device's physical memory and swap files. This can be enabled with or without the Memory Imaging checkbox, as both memory and swap files are collected at the same time. See also Memory Imaging.
Triggers functions >> Timezone-Info
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> UserAssist
Description:
Locates and exports the UserAssist registry key at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
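The per-user registry exports described in the Autorun-Items, KeyWord-Search, MRU, Network-Share-Info, Shellbags and UserAssist entries share one practical caveat: on a live system HKCU resolves only to the account running the collector, so covering every user means walking the hives loaded under HKEY_USERS. The PowerShell below is an added example written for this page, not FCapture's own code, and it also covers the HKLM autorun keys in one pass; the output folder, the Export-Key helper and the SID filter are assumptions of the example.

```powershell
# Added example (not FCapture's own code): export the per-user artefact keys
# listed on this page from every user hive loaded under HKEY_USERS. HKCU on a
# live system is only the collector's own account, so "for each user" means
# walking HKU. $OutDir, Export-Key and the SID filter are assumptions.
param([string]$OutDir = 'C:\FCapture-Output\Registry')

$MachineKeys = @(   # HKLM autorun locations from the Autorun-Items entry
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$UserKeys = @(      # paths relative to each user's hive root
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows\Run',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    'Software\Microsoft\Internet Explorer\TypedURLs',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist',
    'Software\Microsoft\Windows\Shell\BagMRU',
    'Software\Microsoft\Windows\Shell\Bags',
    'Network',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
)

function Export-Key([string]$Key, [string]$Name) {
    # Keys absent for this user are skipped; reg.exe writes a .reg text file
    if (-not (Test-Path "Registry::$Key")) { return }
    $dest = Join-Path $OutDir (($Name -replace '[\\: ]', '_') + '.reg')
    & reg.exe export $Key $dest /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed: $Key" }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($k in $MachineKeys) { Export-Key $k $k }

# Loaded user hives are HKU\S-1-5-21-...; well-known SIDs and _Classes are skipped
$sids = (Get-ChildItem Registry::HKEY_USERS).PSChildName |
    Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($sid in $sids) {
    foreach ($k in $UserKeys) { Export-Key "HKU\$sid\$k" "$sid-$k" }
}

# SHA-256 of every export gives the collection a verifiable manifest
Get-ChildItem $OutDir -Filter *.reg | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
```

Hives of users who are not logged on are not present under HKEY_USERS; collecting them requires loading each profile's NTUSER.DAT with reg load first, which this example does not do.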
Triggers functions >> Windows-Services
Description:
Gets the list of all running Windows services on the machine, along with a small amount of detail on each one, and then writes this list to a text file called RunningServices.txt