FCapture Features
After launching F-Capture and clicking "Accept", an "Advanced" option button is available. It opens a menu with one checkbox per collection feature; the sections below describe what each checkbox collects and which functions it triggers.
- Active Processes
- Autorun Items
- Browser Data
- Drive Imaging
- File Associations
- File System Info
- Jump Lists
- Keyword Searches
- Memory Imaging
- MRU Lists
- Network Interfaces
- Network Share Info
- Packet Capture
- Peripheral Devices
- Prefetch Files
- RDP Cache
- Scan Registry
- Scheduled Tasks
- Shellbags
- Screenshot Windows
- SRUM Info
- Swap Files
- UserAssist Info
- Windows Services
Template
Triggers functions >> xxxxxxxxx
Description:
xxxxxxxxxx xxxxx xxxxxx xxxxxx
Triggers functions >> Set-Disks-List, Disk-Image
Description:
Uses wbadmin start backup to make a backup image of the drives selected in the Advanced menu's imaging checklist. Note that wbadmin produces a Windows Backup (VHD/VHDX) volume backup of allocated data, not a bit-for-bit raw image: unallocated space, and with it deleted data, is not captured. It also snapshots the volume through VSS, so the result reflects the live, running system.
Triggers functions >> File-Associations
Description:
Lists file extensions with their associated program IDs (ProgIDs). Uses cmd's assoc and captures the output.
Triggers functions >> PhysicalMemory-Image
Description:
Uses WinPmem to create a live image of the device's physical memory. Output is an AFF4 file. AFF4 is an open forensic imaging format whose container is a ZIP archive, so most zip tools can open it to inspect the image. Because the image is taken from a running system, memory keeps changing while it is acquired; the result is a snapshot taken over time, not an atomic one. See also Swap Files.
Triggers functions >> Network-Interfaces
Description:
Records the IP configuration and properties of visible and hidden network adapters. Uses Get-NetAdapter and ipconfig.
Triggers functions >> Packet-Capture-Start, Packet-Capture-Stop
Description:
Starts a netsh trace with the scenarios InternetClient, InternetServer and NetConnection, which captures packets to an .etl file. The .etl file was viewable in Microsoft Message Analyzer, which Microsoft has since retired; it can be converted to pcapng with Microsoft's open-source etl2pcapng tool and opened in Wireshark.
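The start/stop pair described above, as an added example (not F-Capture's own code). It wraps the netsh trace commands with the page's three scenarios, hashes the .etl before anything touches it, and converts it to pcapng when etl2pcapng.exe is on PATH. The trace file path and size cap are assumptions.

```powershell
# Added example, not F-Capture's own code. Wraps "netsh trace start/stop" with
# the scenarios the page names and converts the resulting .etl to pcapng.
# Assumptions: the trace file path and maxsize are arbitrary; etl2pcapng.exe
# (Microsoft's open-source converter) is on PATH, otherwise conversion is skipped.
function Start-PacketTrace {
    param([Parameter(Mandatory)][string]$TraceFile, [int]$MaxSizeMB = 500)
    # capture=yes adds raw packet capture to the scenario providers; without it
    # only the scenarios' ETW events are recorded, not the packets themselves
    & netsh.exe trace start scenario=InternetClient,InternetServer,NetConnection `
        capture=yes tracefile="$TraceFile" maxsize=$MaxSizeMB overwrite=yes report=no
    return ($LASTEXITCODE -eq 0)
}

function Stop-PacketTrace {
    param([Parameter(Mandatory)][string]$TraceFile)
    # netsh blocks until the ETL has been flushed and closed
    & netsh.exe trace stop
    if (-not (Test-Path -LiteralPath $TraceFile)) { return $null }
    # hash the original before any conversion so the ETL can be shown unchanged
    $hash = (Get-FileHash -LiteralPath $TraceFile -Algorithm SHA256).Hash
    "$hash *$(Split-Path -Leaf $TraceFile)" | Set-Content -Path "$TraceFile.sha256"
    $pcapng = $null
    if (Get-Command etl2pcapng.exe -ErrorAction SilentlyContinue) {
        $pcapng = [IO.Path]::ChangeExtension($TraceFile, '.pcapng')
        & etl2pcapng.exe $TraceFile $pcapng
    }
    [pscustomobject]@{ Etl = $TraceFile; Sha256 = $hash; Pcapng = $pcapng }
}

# usage (elevated prompt):
#   Start-PacketTrace -TraceFile 'E:\collection\net\trace.etl'
#   ... let it run for the collection window ...
#   Stop-PacketTrace  -TraceFile 'E:\collection\net\trace.etl'
```

Both commands need an elevated prompt. The trace file is a circular buffer capped at maxsize, so on a busy host the oldest packets are overwritten; raise the cap or stop sooner if the full window matters.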
Triggers functions >> Scan-Registry
Description:
Launches NirSoft's RegScanner, which allows one to scan the Registry.
Triggers functions >> Swap-Files
Description:
Uses WinPmem to create a live image of the device's physical memory and swap files. This can be enabled with or without the Memory Imaging checkbox, as both memory and swap files are collected at the same time. See also Memory Imaging.
Triggers functions >> Screenshot
Description:
Calls a macro function that cycles through every currently open window and the desktop, takes a screenshot of each, and saves each screenshot as a JPG.
Triggers functions >> Scheduled-Tasks
Description:
Extracts and copies the .xml files/directories that represent scheduled tasks from the "C:\Windows\System32\Tasks" folder.
Triggers functions >> Autorun-Items
Description:
Records the registry keys associated with autorun items, i.e. keys that launch programs or applications at boot or user logon. Some common autorun locations include:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
(ProfilePath)\Start Menu\Programs\Startup
Triggers functions >> KeyWord-Search
Description:
Locates and exports the WordWheelQuery registry key at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Triggers functions >> UserAssist
Description:
Locates and exports the UserAssist registry key at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Triggers functions >> SRUM
Description:
Gathers SRUM information (including application resource usage, long-term energy usage, network connections, network usage and push notification data) by locating and copying the SRUDB.dat file from:
*:\Windows\System32\sru\
SRUDB.dat is an ESE database that the SRUM service keeps open with no sharing while Windows runs, so a plain file copy fails with a sharing violation; a VSS snapshot or raw-disk read is needed to get a usable copy from a live system.
Triggers functions >> Jump-List
Description:
For each user, locates and copies the jump list directory located at:
%AppData%\Microsoft\Windows\Recent
(%AppData% resolves to AppData\Roaming; the jump lists themselves sit in the AutomaticDestinations and CustomDestinations subfolders, alongside the .lnk files for recently opened items.)
Triggers functions >> Windows-Services
Description:
Gets the list of all running Windows services on the machine, along with a small amount of detail on each one, and then writes this list to a text file called RunningServices.txt
Triggers functions >> Active-Processes
Description:
Gets the list of all active processes on the machine, along with a small amount of detail on each one, and then writes this list to a text file called ActiveProcesses.txt
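A richer variant of the Active Processes and Windows Services captures, added here as an example and not F-Capture's own code: besides name and PID it records parent PID, command line, owner and a SHA-256 of each process's on-disk image, and for services the binary path, start mode and service account, written as CSV instead of plain text. The output directory and file names are assumptions.

```powershell
# Added example, not F-Capture's own code. Process and service inventory with
# the details a triage analyst wants (parent, command line, owner, image hash;
# service binary path, start mode, account). Output directory is an assumption.
function Get-ProcessInventory {
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $p = $_
        $owner = $null
        try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }
        $hash = $null
        # the image may already be deleted (a common evasion) or unreadable; keep going
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $hash = (Get-FileHash -LiteralPath $p.ExecutablePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        [pscustomobject]@{
            PID         = $p.ProcessId
            PPID        = $p.ParentProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Owner       = $owner
            Created     = $p.CreationDate
            SHA256      = $hash
        }
    }
}

function Get-ServiceInventory {
    # PathName shows unquoted paths with spaces and binaries outside System32,
    # StartName shows services running as a user rather than a built-in account
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, StartName, ProcessId, PathName
}

function Export-ProcessAndServiceInventory {
    param([Parameter(Mandatory)][string]$OutDir)
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    Get-ProcessInventory | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'ActiveProcesses.csv')
    Get-ServiceInventory | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'WindowsServices.csv')
}

# usage (run elevated so other users' process details are readable):
# Export-ProcessAndServiceInventory -OutDir 'E:\collection\live'
```

Run it elevated; without administrator rights GetOwner and the command line of processes belonging to other users come back empty, and a process whose PPID points at a PID that no longer exists is worth a second look.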
Triggers functions >> Prefetch
Description:
Copies the Prefetch folder (located at *:\Windows\Prefetch) and all of its contents
Triggers functions >> Network-Share-Info
Description:
Exports the following registry keys, for each user, (if they exist):
HKCU\Network
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Triggers functions >> Shellbags
Description:
Exports the following registry keys, for each user, (if they exist):
HKCU\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Microsoft\Windows\Shell\Bags
On current Windows versions the Explorer shellbags are stored mainly in the user's UsrClass.dat hive, under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags, so those keys should be collected as well.
Triggers functions >> Remote-Desktop
Description:
For each user, locates and copies the folder (and all of its contents) located at:
*:\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache
Triggers functions >> MRU
Description:
Exports the following registry keys, for each user, (if they exist):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
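One way to export the keys named in the Autorun Items, Keyword Searches, UserAssist, Network Share Info, Shellbags and MRU Lists sections above, added here as an example (not F-Capture's own code). HKCU only addresses the hive of the user running the script, so per-user keys are enumerated under HKU, which holds the hives of every currently logged-on user; the NTUSER.DAT and UsrClass.dat of logged-off users are not loaded and are outside this example. The output directory is an assumption.

```powershell
# Added example, not F-Capture's own code. Exports the machine and per-user
# registry keys listed on this page with reg.exe and logs what was found.
# Assumption: output directory is arbitrary; only currently loaded user hives
# (HKU\S-1-5-21-...) are covered.
$MachineKeys = @(
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# relative to HKU\<SID>, which is what HKCU maps to for that user
$PerUserKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows NT\CurrentVersion\Windows\Run',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist',
    'Network',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2',
    'Software\Microsoft\Windows\Shell\BagMRU',
    'Software\Microsoft\Windows\Shell\Bags',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    'Software\Microsoft\Internet Explorer\TypedURLs'
)
# relative to HKU\<SID>_Classes (UsrClass.dat), where current Windows versions
# keep the Explorer shellbags
$PerUserClassesKeys = @(
    'Local Settings\Software\Microsoft\Windows\Shell\BagMRU',
    'Local Settings\Software\Microsoft\Windows\Shell\Bags'
)

function Export-RegKey {
    param([string]$Key, [string]$OutFile)
    # "reg query" exits non-zero when the key does not exist; export only real keys
    & reg.exe query $Key *> $null
    if ($LASTEXITCODE -ne 0) { return 'absent' }
    & reg.exe export $Key $OutFile /y *> $null
    if ($LASTEXITCODE -eq 0) { 'exported' } else { 'export-failed' }
}

function Export-ForensicRegKeys {
    param([Parameter(Mandatory)][string]$OutDir)
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $log = @()
    foreach ($k in $MachineKeys) {
        $file = Join-Path $OutDir (($k -replace '[\\: ]', '_') + '.reg')
        $log += [pscustomobject]@{ Key = $k; Status = (Export-RegKey $k $file); File = $file }
    }
    # loaded user hives are HKU\S-1-5-21-...; this skips service SIDs and *_Classes
    $sids = Get-ChildItem Registry::HKEY_USERS |
        ForEach-Object PSChildName |
        Where-Object { $_ -match '^S-1-5-21-[\d-]+$' }
    foreach ($sid in $sids) {
        $targets = @($PerUserKeys | ForEach-Object { "HKU\$sid\$_" }) +
                   @($PerUserClassesKeys | ForEach-Object { "HKU\${sid}_Classes\$_" })
        foreach ($k in $targets) {
            $file = Join-Path $OutDir (($k -replace '[\\: ]', '_') + '.reg')
            $log += [pscustomobject]@{ Key = $k; Status = (Export-RegKey $k $file); File = $file }
        }
    }
    $log | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'registry-export-log.csv')
    $log
}

# usage (run elevated so every loaded hive is readable):
# Export-ForensicRegKeys -OutDir 'E:\collection\registry'
```

The log records "absent" separately from "export-failed" so that a missing RunMRU (the user never used the Run dialog) is not confused with a permissions problem. Users who are not logged on need their NTUSER.DAT and UsrClass.dat loaded with reg load first, which this example does not do.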
Triggers functions >> Browser-Data-Retrieval
Description:
For each user that has the corresponding browser profile path, copies all contents from the following folders:
*:\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default
*:\Users\*\AppData\Local\Google\Chrome\User Data\Default
*:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles
*:\Users\*\AppData\Roaming\Opera Software\Opera Stable
The Edge path above is the legacy (EdgeHTML) location; the Chromium-based Edge keeps its profile under AppData\Local\Microsoft\Edge\User Data and is not covered by this list. A running browser holds its history and cookie databases open, so copies of those files may fail or be inconsistent unless the browser is closed first.
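The file-based collections on this page (Scheduled Tasks, Prefetch, SRUM, Jump Lists, RDP Cache and Browser Data) all come down to copying a directory or file per machine or per user. The following added example (not F-Capture's own code) does that with robocopy so timestamps survive, records which copies were partial because of locked files, and writes a SHA-256 manifest of everything collected. The source paths are the ones this page gives; the output directory and the labels are assumptions.

```powershell
# Added example, not F-Capture's own code. Copies the file artifacts listed on
# this page into an output tree, preserving timestamps, and hashes the result.
# Assumptions: output directory and labels are arbitrary; paths are the page's.
$SystemDrive = $env:SystemDrive
$MachineArtifacts = @(
    @{ Label = 'Tasks';    Path = "$SystemDrive\Windows\System32\Tasks" },
    @{ Label = 'Prefetch'; Path = "$SystemDrive\Windows\Prefetch" },
    @{ Label = 'SRUM';     Path = "$SystemDrive\Windows\System32\sru"; Filter = 'SRUDB.dat' }
)
$PerUserArtifacts = @(
    @{ Label = 'JumpLists';  Rel = 'AppData\Roaming\Microsoft\Windows\Recent' },
    @{ Label = 'RDPCache';   Rel = 'AppData\Local\Microsoft\Terminal Server Client\Cache' },
    @{ Label = 'EdgeLegacy'; Rel = 'AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default' },
    @{ Label = 'Chrome';     Rel = 'AppData\Local\Google\Chrome\User Data\Default' },
    @{ Label = 'Firefox';    Rel = 'AppData\Roaming\Mozilla\Firefox\Profiles' },
    @{ Label = 'Opera';      Rel = 'AppData\Roaming\Opera Software\Opera Stable' }
)

function Copy-Artifact {
    param([string]$Label, [string]$Source, [string]$Dest, [string]$Filter = '*.*')
    if (-not (Test-Path -LiteralPath $Source)) {
        return [pscustomobject]@{ Label = $Label; Source = $Source; Status = 'absent'; RobocopyExit = $null }
    }
    # /E whole subtree; /COPY:DAT data, attributes and timestamps; /XJ do not
    # follow junctions; /R:0 /W:0 a locked file (SRUDB.dat, an open browser
    # database) fails immediately instead of being retried; the rest quiets the log
    & robocopy.exe $Source $Dest $Filter /E /COPY:DAT /XJ /R:0 /W:0 /NFL /NDL /NJH /NJS /NP | Out-Null
    # robocopy's exit code is a bitmask: 0-7 are success variants, 8 means some
    # files could not be copied, 16 is a fatal error
    $status = if ($LASTEXITCODE -ge 8) { 'partial-or-failed' } else { 'ok' }
    [pscustomobject]@{ Label = $Label; Source = $Source; Status = $status; RobocopyExit = $LASTEXITCODE }
}

function Invoke-ArtifactCollection {
    param([Parameter(Mandatory)][string]$OutDir)
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $log = @()
    foreach ($a in $MachineArtifacts) {
        $filter = if ($a.Filter) { $a.Filter } else { '*.*' }
        $log += Copy-Artifact -Label $a.Label -Source $a.Path -Dest (Join-Path $OutDir $a.Label) -Filter $filter
    }
    foreach ($user in Get-ChildItem -LiteralPath "$SystemDrive\Users" -Directory) {
        foreach ($a in $PerUserArtifacts) {
            $label = "$($user.Name)_$($a.Label)"
            $log += Copy-Artifact -Label $label -Source (Join-Path $user.FullName $a.Rel) -Dest (Join-Path $OutDir $label)
        }
    }
    $log | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'copy-log.csv')
    # hash everything that landed in the output tree so it can be verified later
    Get-ChildItem -LiteralPath $OutDir -Recurse -File |
        Where-Object { $_.Name -ne 'manifest.csv' } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'manifest.csv')
    $log
}

# usage (run elevated): Invoke-ArtifactCollection -OutDir 'E:\collection\files'
```

Expect the SRUM entry to come back as partial-or-failed on a live system, since SRUDB.dat is held open without sharing; that entry in copy-log.csv is the cue to collect it from a VSS snapshot or with a raw-disk copy instead. Writing the output tree to a separate volume keeps the collection from overwriting unallocated space on the evidence drive.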
Triggers functions >> Peripheral-Devices
Description:
Exports a CSV list of all peripheral devices installed to peripheral-devices.csv
Triggers functions >> Filesystem-info
Description:
Exports file system information to Filesystem-Info.csv