cit.cit
$ target-query <path/to/target> -f cit.cit
Module |
|
Output |
|
Module documentation
Plugin that parses CIT data from the registry.
Reference: https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
Function documentation
Return CIT data from the registry, which holds information about executed executables.
CIT data is stored at HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System. It is supposedly application usage data that has yet to be flushed to the Amcache.
Some of its values are still unknown. Generally only available before Windows 10.