Startup Folder

windowsPersistence MechanismsDisk Image

Location

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

Description

Per-user and all-users startup folders containing shortcuts, scripts, or executables that run automatically at user logon. Items can be LNK files, batch scripts, VBS scripts, or direct executables.

Forensic Value

The Startup folder is a simple but effective persistence mechanism. Any file placed here executes at user logon with the privileges of the logging-on user. Per-user folders provide user attribution for the persistence mechanism. File creation timestamps on items in the Startup folder indicate when persistence was installed. Comparing contents against a known-good baseline or across multiple systems identifies attacker-added persistence items.

Tools Required

KAPEAutoruns (Sysinternals)PowerShelldir /s

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical