WINDOWS REGISTRY Analysis
Windows 9x/ME, Windows CE, Windows NT/2000/XP/2003 and Windows 7/8 store configuration data in the registry. It is a central repository for configuration data, stored in a hierarchical manner. The system, users, applications and hardware in Windows use the registry to store their configuration, and it is constantly accessed for reference during their operation. The registry was introduced to replace most of the text-based configuration files used in Windows 3.x and MS-DOS, such as .ini files, autoexec.bat and config.sys. Because of the vast amount of information stored in the Windows registry, it can be an excellent source of potential evidential data. For instance, the Windows registry contains information on user accounts, typed URLs, network shares and Run command history. The aspects discussed in this paper are based on the Windows XP (Service Pack 2), Windows 7 and Windows 8 registry.
The registry is a database in Windows that contains important information about system hardware, installed programs and settings, and the profiles of each of the user accounts on the computer. Windows continually refers to the information in the registry.
We should not normally need to make manual changes to the registry, because programs and applications typically make all the necessary changes automatically. An incorrect change to the registry could render the computer inoperable. However, if a corrupt file appears in the registry, you might be required to make changes.
We strongly recommend that you back up the registry before making any changes, and that you only change values in the registry that you understand or have been instructed to change by a source you trust.
Five root keys exist:
- HKLM: HKEY_LOCAL_MACHINE (computer-specific data)
- HKU: HKEY_USERS (user-specific data)
- HKCR: HKEY_CLASSES_ROOT (application settings, file associations, class registrations for COM objects)
  » Link to HKLM\Software\Classes
- HKCC: HKEY_CURRENT_CONFIG (current hardware configuration)
  » Link to HKLM\System\CurrentControlSet\Hardware Profiles\Current
- HKCU: HKEY_CURRENT_USER (current user's data)
  » Link to HKU\<SID of current user>
File locations:
- HKLM\SAM: %SYSTEMROOT%\System32\config\SAM
- HKLM\Security: %SYSTEMROOT%\System32\config\SECURITY
- HKLM\Software: %SYSTEMROOT%\System32\config\software
- HKLM\System: %SYSTEMROOT%\System32\config\system
- HKLM\Hardware: stored in memory only, not on disk
- HKU\.Default: %SYSTEMROOT%\System32\config\default
- HKU\<SID>: %USERPROFILE%\NTUSER.DAT
- HKU\<SID>_Classes: %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Registry files and their typical content:
- NTUSER.DAT: protected storage for the user, MRU lists, the user's preference settings.
- DEFAULT: system settings set during the initial install of the operating system.
- SAM: security settings and user account management.
- SECURITY: security settings.
- SOFTWARE: all installed programs on the system and their associated settings.
- SYSTEM: system settings.
REGISTRY STRUCTURE
[Figure: logical view of the registry key structure (Windows 7)]
FORENSIC-RELATED REGISTRY KEYS
Time Zone Information
The TimeZoneInformation (TZI) key is a critical reference for supporting a consistent timeline of evidence. Certain values within this key help determine the time zone and daylight saving time (DST) information needed to convert UTC timestamps to local time. DST does not affect UTC time, but it can play a significant role in determining local time.
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (Windows 7)
Autorun Locations
Autorun locations are common registry locations from which programs or applications are launched during the boot process.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows XP)
MRU Lists
MRU is the abbreviation for most-recently-used. This key maintains a list of files recently opened or saved via typical Windows Explorer-style common dialog boxes (i.e. the Open and Save dialog boxes) (Microsoft, 2002). For instance, files (e.g. .txt, .pdf, .htm, .jpg) recently opened or saved from within a web browser (including IE and Firefox) are recorded. However, documents opened or saved via Microsoft Office programs are not. Sub key * contains the full file path of the 10 most recently opened/saved files. Other sub keys in OpenSaveMRU contain far more entries related to previously opened or saved files (including the 10 most recent ones), grouped by file extension. A "Most Recently Used List" contains entries made as a result of specific actions performed by the user. There are numerous MRU list locations throughout the registry. These lists are maintained in case the user returns to them in the future; essentially, their function is similar to that of the history and cookies in a web browser.
XP Search Files
This key contains recent search terms entered using the default Windows search. Sub key 5603 contains search terms for finding folders and filenames, while sub key 5604 contains search terms for finding words or phrases in a file (Windows XP).
XP Search Files: Software\Microsoft\Search Assistant\ACMru\5603
Internet Search Assistant: Software\Microsoft\Search Assistant\ACMru\5001
Printers, Computers and People: Software\Microsoft\Search Assistant\ACMru\5647
Pictures, music, and videos: Software\Microsoft\Search Assistant\ACMru\5604
HKCU\Software\Microsoft\Search Assistant\ACMru\5603 (Windows XP)
Windows Start Menu – Recent Docs
This key also maintains a list of files recently executed or opened through Windows Explorer. It corresponds to %USERPROFILE%\Recent (My Recent Documents). The key records local or network files that were recently opened; only the filename is stored, in binary form. It has a similar grouping to the previous OpenSaveMRU key: opened files are organized by file extension under the respective sub keys.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf (Windows 8)
Remote Desktop Information
You log on to a remote Microsoft Windows Server 2003 Service Pack 1 (SP1)-based terminal server from a client computer that is running a Japanese version of Microsoft Windows XP. The terminal server uses a Microsoft Global Input Method Editor (IME) keyboard layout. The terminal server IME keyboard layout differs from the client computer's when you remotely log on to a Windows Server 2003 SP1-based terminal server.
If the imjp81.ime registry entry contains a value, the client computer sends the value to the terminal server. However, the imjp81.ime registry entry uses a default value of "null". The client computer incorrectly assumes that "null" is a valid file name.
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To work around this problem, follow these steps on each client computer:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\IME Mapping Table\JPN
3. Right-click the imjp81.ime entry, and then click Modify.
4. Clear the Value data text box, and then click OK.
5. Exit Registry Editor.
HKLM\Software\Microsoft\Terminal Server Client\IME Mapping Table\JPN (Windows 7)
Run dialog box
This key maintains a list of entries (e.g. full file paths or commands like cmd, regedit, compmgmt.msc) executed using Start > Run. The MRUList value holds a string of letters that refer to the respective values; the letters are arranged in the order in which the entries were added. However, the most recently added entry does not imply the most recently used command, as the suspect may have re-executed previous commands: Windows does not modify the key's last write time or MRUList if a matching entry already exists in the key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
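The ordering rules described for RunMRU above, and for the RecentDocs key in the "Windows Start Menu – Recent Docs" section, can be applied mechanically once the values have been pulled out of a hive. The following Python is an added example, not code from the deck or its author; it works on constructed sample values (the RunMRU commands, the RecentDocs filenames and the MRU list bytes are all invented) and assumes the caller has already read the values with a hive parser, so no live registry is touched. RecentDocs entries are treated as a NUL-terminated UTF-16LE filename followed by opaque shell item bytes, and MRUListEx as little-endian DWORD indices terminated by 0xFFFFFFFF.

```python
"""Decode Explorer MRU ordering from registry values exported from a hive.

Added example, not part of the original deck. The values below are
constructed sample data standing in for what a hive parser would return
for HKCU\...\Explorer\RunMRU and HKCU\...\Explorer\RecentDocs\.pdf; no
live registry is read.
"""
import struct

# --- RunMRU (REG_SZ values a, b, c ... plus MRUList) -----------------------
# Explorer appends "\1" to each stored command; MRUList lists the value
# letters newest-first. Constructed sample:
RUNMRU_SAMPLE = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "compmgmt.msc\\1",
    "MRUList": "cab",
}


def order_runmru(values):
    """Return RunMRU commands, most recently *added* first.

    Re-running a command that is already present leaves MRUList and the
    key's last-write time untouched, so this is not a last-executed order.
    """
    ordered = []
    for letter in values.get("MRUList", ""):
        cmd = values.get(letter)
        if cmd is None:
            continue
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]
        ordered.append(cmd)
    return ordered


# --- RecentDocs (REG_BINARY values 0, 1, 2 ... plus MRUListEx) -------------
def _recentdocs_entry(filename):
    """Build a constructed RecentDocs value: NUL-terminated UTF-16LE name
    followed by opaque bytes standing in for the shell item."""
    return filename.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


RECENTDOCS_SAMPLE = {
    "0": _recentdocs_entry("report.pdf"),
    "1": _recentdocs_entry("notes.pdf"),
    "2": _recentdocs_entry("invoice.pdf"),
    # little-endian DWORD indices, newest first, 0xFFFFFFFF terminator
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}


def parse_mrulistex(blob):
    """Decode MRUListEx into a list of value indices, newest first."""
    indices = []
    for (idx,) in struct.iter_unpack("<I", blob[: len(blob) - len(blob) % 4]):
        if idx == 0xFFFFFFFF:
            break
        indices.append(idx)
    return indices


def utf16_cstring(blob):
    """Return the leading NUL-terminated UTF-16LE string of a binary value."""
    for i in range(0, len(blob) - 1, 2):
        if blob[i] == 0 and blob[i + 1] == 0:
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")


def order_recentdocs(values):
    """Return RecentDocs filenames in MRUListEx order (newest first)."""
    names = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        data = values.get(str(idx))
        if data is not None:
            names.append(utf16_cstring(data))
    return names


if __name__ == "__main__":
    print("RunMRU:", order_runmru(RUNMRU_SAMPLE))
    print("RecentDocs:", order_recentdocs(RECENTDOCS_SAMPLE))
```

The sample MRUList "cab" yields compmgmt.msc, cmd, regedit in that order, which is the order of addition, not of last use; the key's last write time is the only timing clue the key itself offers, and only for the newest addition.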
Regedit - Last accessed key
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Regedit - Favorites
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
MS Paint - Recent Files
MS Paint lets you create and edit drawings and scanned photos. When you are writing text it should display a toolbar with fonts, style and size. If it does not, the setting has to be changed in the registry.
To do this, go to Start > Run, enter "regedit" and navigate to the registry path listed below. If the sub key "CurrentVersion\Applets\Paint\Text" is not present, create it. Then create a DWORD value named "ShowTextTool" if it does not exist, right-click it and set the value data to "1" to enable the setting. The figure below shows the list of previously used files.
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List (Windows 8)
Mapped Network Drives
The following keys contain drive map history:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Installed Application List
Each sub key in this key represents an installed program on the computer. All programs listed in Control Panel > Add/Remove Programs correspond to one of the listed sub keys. However, there are other installed programs (e.g. device drivers, Windows patches) that are not listed in Add/Remove Programs. Each sub key usually contains two common registry values: DisplayName (program name) and UninstallString (file path of the application's uninstall component, which indirectly refers to the application installation path). Other possibly useful registry values may exist, including information on install date, install source and application version.
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
Command Processor
This key has a registry value named AutoRun, which can contain a command that is automatically executed each time cmd.exe is run. However, modification of this key requires administrative privilege. Malware exploits this feature to load itself without the user's knowledge. A suspect could also covertly run a malicious program under the cover of cmd.exe by setting the AutoRun data to the executable's file path.
HKCU\Software\Microsoft\Command Processor
WordPad - Recent Files
WordPad stores a list of recently accessed files in the Jump List and in the registry under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
Common Dialog – Last visited MRU
This key correlates with the previous OpenSaveMRU key to provide extra information. Whenever a new entry is added to OpenSaveMRU, a registry value is created or updated in this key. Each binary registry value under this key contains a recently used program's executable filename and the folder path of a file which that program was used to open or save. If a file was saved, the folder path refers to the destination path; if a file was opened, the folder path refers to the file's source path. A new registry value is only created in this key if no existing value contains the program's executable filename. If there is a matching executable filename in an existing value, only the folder path section of that value is updated.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidMRU
Common Dialog – Open/Save MRU
MRU is the abbreviation for most-recently-used. This key maintains a list of files recently opened or saved via typical Windows Explorer-style common dialog boxes (i.e. the Open and Save dialog boxes). For instance, files (e.g. .txt, .pdf, .htm, .jpg) recently opened or saved from within a web browser (including IE and Firefox) are recorded. However, documents opened or saved via Microsoft Office programs are not. Sub key * contains the full file path of the 10 most recently opened/saved files. Other sub keys in OpenSaveMRU contain far more entries related to previously opened or saved files (including the 10 most recent ones), grouped by file extension (e.g. .pdf and .sys).
(.pdf files) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidMRU\pdf
(.sys files) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidMRU\sys
EXE to main window title cache
It is useful to know what people are running on a system, and this cache can tell us what an executable is before we run it ourselves.
HKCU\Software\Classes\Local Settings\MuiCache
PowerPoint - Recent Files
This registry key stores the file name and location of the most recently used Office PowerPoint documents.
HKCU\Software\Microsoft\Office\15.0\PowerPoint\File MRU
Word - Recent Files
This registry key stores the file name and location of the most recently used Microsoft Office Word documents.
HKCU\Software\Microsoft\Office\15.0\Word\File MRU
UserAssist
This key contains two or more subkeys, which have long hexadecimal names or globally unique identifiers (GUIDs), and beneath each GUID is a sub key called Count. The Count sub key contains recorded values that pertain to objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, documents, media, etc.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
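The Count values are not readable as stored: Explorer writes the value names ROT13-encoded and the data as a small binary record. The Python below is an added example, not code from the deck or its author. It decodes the names and pulls the run count and last-run FILETIME out of the two record layouts that are widely documented (16 bytes on Windows XP, where the count starts at 5; 72 bytes on Windows 7, with the count at offset 4 and the FILETIME at offset 60). The sample records and their names are constructed; verify the offsets against your own hive parser's output before relying on them for a timeline.

```python
"""Decode UserAssist\{GUID}\Count value names and data.

Added example, not part of the original deck. Value names are ROT13-encoded
by Explorer; the binary layouts used here are the widely documented XP
(16-byte) and Windows 7 (72-byte) formats. All inputs are constructed samples.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample records."""
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_name(rot13_name):
    """Value names under Count are ROT13: 'abgrcnq.rkr' -> 'notepad.exe'."""
    return codecs.decode(rot13_name, "rot_13")


def parse_count(blob):
    """Return run count and last-run time from a Count value's data.

    XP layout (16 bytes): session DWORD, count DWORD (starts at 5), FILETIME.
    Win7 layout (72 bytes): count DWORD at offset 4, FILETIME at offset 60.
    """
    if len(blob) == 16:
        _session, count, ft = struct.unpack("<IIQ", blob)
        count = max(count - 5, 0)
    elif len(blob) == 72:
        count = struct.unpack_from("<I", blob, 4)[0]
        ft = struct.unpack_from("<Q", blob, 60)[0]
    else:
        raise ValueError("unrecognised UserAssist record length %d" % len(blob))
    last_run = filetime_to_datetime(ft) if ft else None
    return {"run_count": count, "last_run": last_run}


def decode_count_key(values):
    """Decode every entry of a Count sub key into {real_name: info}."""
    return {decode_name(name): parse_count(data) for name, data in values.items()}


# Constructed sample Count values, keyed by their on-disk ROT13 names.
_WHEN = datetime(2015, 3, 14, 12, 0, tzinfo=timezone.utc)
_FT = datetime_to_filetime(_WHEN)
COUNT_SAMPLE_XP = {
    # "UEME_RUNPATH:C:\Windows\system32\calc.exe", run 3 times
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr": struct.pack("<IIQ", 1, 5 + 3, _FT),
}
COUNT_SAMPLE_WIN7 = {
    # "{1AC14E77-...}\notepad.exe": session 0, count 7, focus count 3,
    # focus time 1500 ms, ten floats + padding, FILETIME at offset 60
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\abgrcnq.rkr":
        struct.pack("<IIIi", 0, 7, 3, 1500) + b"\x00" * 44
        + struct.pack("<Q", _FT) + b"\x00" * 4,
}

if __name__ == "__main__":
    for sample in (COUNT_SAMPLE_XP, COUNT_SAMPLE_WIN7):
        for name, info in decode_count_key(sample).items():
            print(name, info["run_count"], info["last_run"])
```

The decoded last-run value is UTC; converting it to the suspect machine's local time needs the TimeZoneInformation key discussed earlier in this paper.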
Memory Management – paging
This key maintains the Windows virtual memory (paging file) configuration. The paging file (usually C:\pagefile.sys) may contain evidential information that could be removed once the suspect computer is shut down. The key contains a registry value called ClearPageFileAtShutdown which specifies whether Windows should clear the paging file when the computer shuts down. By default, Windows does not clear the paging file. However, a suspect may set this value to 1 to have the paging file cleared during system shutdown (Microsoft, 2003). A forensic investigator should check this value before shutting down a suspect computer during the evidence collection process.
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
Existing Services
This key contains the list of Windows services. Each sub key represents a service and contains the service's information, such as startup configuration and executable image path. Some malware, and important software such as Oracle 11g R2, installs itself as a service and thus leaves a trace in this key.
HKLM\System\CurrentControlSet\Services
HKLM\System\CurrentControlSet\Services\Oracle11Preference
Image File Execution Options
This key allows an administrator to map an executable filename to a different debugger, allowing a user to debug a program using a different program. Modification of this key requires administrative privilege. A suspect could exploit this feature to launch a completely different program under the cover of the initial program. First, the suspect creates a sub key named, for example, notepad.exe (or taskmgr.exe, compmgmt.msc or any benign-looking executable). Then, under the sub key notepad.exe, the suspect creates a new string (REG_SZ) value named Debugger and points it at an undercover program (e.g. C:\Windows\system32\telnet.exe). When the suspect executes notepad.exe, the telnet client is launched instead of Notepad. If the suspect runs notepad.exe through Windows Run, for instance, its history list will only show notepad.exe; thus a suspect could use this technique to deceive a forensic examiner. A suspect could also redirect the initial program to a Trojan version of the program which launches a backdoor whenever the initial program is run. Malware exploits this feature to load itself without the user's knowledge.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
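Both the Run-style keys from the "Autorun Locations" section and the Image File Execution Options Debugger values above are things an examiner wants enumerated from an exported hive rather than eyeballed in Registry Editor. The Python below is an added example, not code from the deck or its author: it parses the text format that Registry Editor and reg export write (Windows Registry Editor Version 5.00 header, [key] lines, "name"=data lines with \\ and \" escapes) and lists every Run/RunOnce/RunServices entry and every IFEO sub key that sets Debugger. REG_SAMPLE is constructed; the program names and paths in it are invented, except the notepad.exe/telnet.exe pairing which mirrors the example given in the text.

```python
"""Triage a .reg export for persistence entries.

Added example, not part of the original deck. It parses the text format
written by "reg export" / Registry Editor and lists Run-key entries and
Image File Execution Options Debugger values. REG_SAMPLE is constructed
data; the paths in it are illustrative only.
"""
import re

AUTORUN_SUFFIXES = ("\\run", "\\runonce", "\\runonceex",
                    "\\runservices", "\\runservicesonce")
IFEO_MARK = "\\image file execution options\\"
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Updater"="\"C:\\Users\\Public\\upd.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Users\\Public\\cleanup.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\system32\\telnet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"DisableExceptionChaining"=dword:00000001
'''


def _unescape(s):
    """Undo .reg string escaping: \\ becomes \ and \" becomes a quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key_path: {value_name: data}}; REG_SZ data is unescaped,
    other types (dword:, hex:) are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_autoruns(keys):
    """(key, value name, command) for every entry under a Run-style key."""
    hits = []
    for key, values in keys.items():
        if key.lower().endswith(AUTORUN_SUFFIXES):
            for name, data in values.items():
                hits.append((key, name, data))
    return hits


def find_ifeo_debuggers(keys):
    """(image name, debugger) for every IFEO sub key that sets Debugger."""
    hits = []
    for key, values in keys.items():
        if IFEO_MARK not in key.lower():
            continue
        image = key.rsplit("\\", 1)[-1]
        for name, data in values.items():
            if name.lower() == "debugger":
                hits.append((image, data))
    return hits


if __name__ == "__main__":
    parsed = parse_reg(REG_SAMPLE)
    for hit in find_autoruns(parsed):
        print("AUTORUN", *hit)
    for hit in find_ifeo_debuggers(parsed):
        print("IFEO   ", *hit)
```

The IFEO check deliberately ignores sub keys that only carry other settings (the calc.exe entry in the sample): a Debugger value is the redirection the text describes, while the other IFEO flags are routine. In practice the export would be produced from the HKLM and each user's HKU hive with reg export before running the script.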
Last logged on user
This key tells us who logged in last, and may also give us a user name to attack if we are a pen-tester.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Wireless Network
A wireless Ethernet card picks up wireless access points within its range, which are identified by their SSID or Service Set Identifier. When an individual connects to a network or hotspot, the SSID is logged within Windows XP as a preferred network connection.
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
This key contains wireless network information for adapters using the Windows Wireless Zero Configuration service. Under the GUID sub key there are binary registry values named Static#0000, Static#0001, etc. (depending on the number of listed SSIDs), which correspond to the respective entries in the "Preferred Networks" box of the Wireless Network Connection configuration. Each value contains the SSID name in binary form. If the registry value ActiveSettings contains an SSID name, it may signify the last connected SSID; however, the result was not consistent when tested. If the suspect connects to wireless networks using a third-party program (usually bundled with the network adapter) instead of Wireless Zero Configuration, no trace is left in this key. A forensic examiner can use this key together with the previous network adapter GUID key to determine the last assigned IP address.
HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces (Windows XP)
HKLM\Software\Microsoft\Windows\Wlansvc\Interfaces (Windows 7)
In addition to logging the name of the SSID, Windows also logs the network settings of that particular connection, such as the IP address, DHCP server, domain, subnet mask, etc.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
Below this key there may also be GUID subkeys, as mentioned above. It is also important to note that there are timestamps associated with some of the values in this key. One, for example, is LeaseObtainedTime, the time at which the IP address was obtained from the DHCP server. If the computer is using vendor software to manage wireless connections, there may be additional locations where this information is stored, depending on the vendor.
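Timestamps such as LeaseObtainedTime are stored in UTC, and the "Time Zone Information" section earlier in this paper is what turns them into the local time the suspect saw. The Python below is an added example, not code from the deck or its author, tying the two sections together: it reads the bias values the TimeZoneInformation key holds (REG_DWORDs in minutes, negative for zones east of UTC), builds a fixed-offset tzinfo from them and applies it to a LeaseObtainedTime (Unix epoch seconds) and to a FILETIME. TZI_SAMPLE and LEASE_SAMPLE are constructed; the sample deliberately has an ActiveTimeBias that reflects DST while the lease timestamp falls in standard time, to show the DST caveat the text raises.

```python
"""Convert registry timestamps to local time using TimeZoneInformation.

Added example, not part of the original deck. TZI_SAMPLE is constructed data
standing in for the REG_DWORD values under
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation; LEASE_SAMPLE is a
constructed LeaseObtainedTime from Tcpip\Parameters\Interfaces\{GUID}.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Bias values are REG_DWORDs holding *negative* minutes for zones east of UTC,
# so 0xFFFFFFC4 is -60. ActiveTimeBias is the bias in force when the key was
# last written (Bias + DaylightBias while DST was active).
TZI_SAMPLE = {
    "Bias": 0xFFFFFFC4,            # -60  -> UTC+1
    "StandardBias": 0x00000000,
    "DaylightBias": 0xFFFFFFC4,    # -60 more during DST
    "ActiveTimeBias": 0xFFFFFF88,  # -120 -> machine was last in DST (UTC+2)
    "StandardName": "W. Europe Standard Time",
}

# Constructed LeaseObtainedTime: 2015-03-14 12:00:00 UTC, a date in standard
# time for this zone, while the sample ActiveTimeBias still reflects DST.
LEASE_SAMPLE = 1426334400


def signed_dword(value):
    """Reinterpret a REG_DWORD as a signed 32-bit integer."""
    return value - (1 << 32) if value & 0x80000000 else value


def registry_timezone(tzi, active=True):
    """tzinfo derived from the TZI key.

    active=True uses ActiveTimeBias (what the OS was applying when the key
    was last written); active=False uses Bias + StandardBias (standard time).
    Windows defines UTC = local + bias, so the UTC offset is -bias minutes.
    """
    if active:
        bias = signed_dword(tzi["ActiveTimeBias"])
    else:
        bias = signed_dword(tzi["Bias"]) + signed_dword(tzi["StandardBias"])
    return timezone(timedelta(minutes=-bias))


def utc_offset_minutes(tzi, active=True):
    """UTC offset in minutes for the chosen bias, e.g. 120 for UTC+2."""
    return int(registry_timezone(tzi, active).utcoffset(None).total_seconds() // 60)


def filetime_local(ft, tzi, active=True):
    """FILETIME (100 ns ticks since 1601 UTC) -> aware local datetime."""
    utc = FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    return utc.astimezone(registry_timezone(tzi, active))


def lease_time_local(unix_seconds, tzi, active=True):
    """LeaseObtainedTime / LeaseTerminatesTime are Unix epoch seconds (UTC)."""
    utc = datetime.fromtimestamp(unix_seconds, tz=timezone.utc)
    return utc.astimezone(registry_timezone(tzi, active))


if __name__ == "__main__":
    print("active bias :", lease_time_local(LEASE_SAMPLE, TZI_SAMPLE).isoformat())
    print("standard    :", lease_time_local(LEASE_SAMPLE, TZI_SAMPLE, active=False).isoformat())
```

For the sample the two results differ by exactly DaylightBias (14:00+02:00 versus 13:00+01:00): ActiveTimeBias is only a snapshot of whatever the machine was applying when the key was last written, so for timestamps from the other half of the year the examiner has to decide from StandardStart/DaylightStart which bias actually applied.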
LAN Computers
Windows XP implements a network mapping tool called My Network Places, which allows computers to easily find other computers within a LAN (Local Area Network). A computer on a properly configured LAN will record the computer name of all the computers on that network. Even after the computer is no longer connected to the LAN, the list of devices that have ever connected to that system remains, including desktop computers, laptops and printers.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
USB Devices
Any time a device is connected to the Universal Serial Bus (USB), drivers are queried and the device's information is stored in the registry (i.e. thumb drives, cameras, etc.). The following key contains subkeys that represent the device descriptor (Vendor ID, Product ID and Revision) of any USB device that has been connected to the system.
Beneath each of these device descriptors is the Device ID, which is also a serial number. The serial numbers of these devices are a unique value assigned by the manufacturer, much like the MAC address of a network interface card. Therefore, a particular USB device can be identified as to whether or not it has been connected to other Windows systems.
HKLM\System\ControlSet001\Enum\USBSTOR
HKLM\System\ControlSet001\Enum\USB
Mounted Devices
This key makes it possible to view each drive associated with the system. It stores a database of mounted volumes that is used by the NTFS file system.
HKLM\SYSTEM\MountedDevices
This key contains a list of mounted devices, with the associated persistent volume name and unique internal identifier for the respective devices. It lists any volume that is mounted and assigned a drive letter, including USB storage devices and external DVD/CD-ROM drives. The registry value names identify these volumes. The following key identifies the user who used a specific USB device.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
The volume GUID is used next to identify the user that plugged in the device; the last time the device was plugged into the machine by that user is recorded in that user's personal MountPoints2 key in the NTUSER.DAT hive.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\…\Autorun\DefaultIcon
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\…\Autorun\DefaultLabel
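The correlation described above (a USB device's serial from MountedDevices, its volume GUID, and the user hive whose MountPoints2 holds that GUID) is mechanical once the values are extracted. The Python below is an added example, not code from the deck or its author. It assumes MountedDevices values have already been read from the SYSTEM hive and the MountPoints2 sub key names from each user's NTUSER.DAT; for USB volumes the MountedDevices data is treated as a UTF-16LE device path whose third #-separated field carries the USBSTOR serial, and 12-byte values as fixed-disk entries (MBR signature plus partition offset). The device path, serial, volume GUIDs and SIDs in the samples are invented placeholders in the shape the real keys use.

```python
"""Correlate MountedDevices with per-user MountPoints2 for USB attribution.

Added example, not part of the original deck. MOUNTED_DEVICES_SAMPLE and
MOUNTPOINTS2_SAMPLE are constructed: the device path, serial, volume GUIDs
and SIDs are invented placeholders in the shape the real keys use.
"""

# HKLM\SYSTEM\MountedDevices: value name -> REG_BINARY data. For USB volumes
# the data is a UTF-16LE device path containing the USBSTOR serial; fixed
# disks use 12 bytes (MBR signature + partition offset). Constructed sample:
_USB_DEVICE = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00"
               "#0019E0AB12CD&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
_FIXED_DISK = bytes.fromhex("a1b2c3d4") + (1048576).to_bytes(8, "little")
MOUNTED_DEVICES_SAMPLE = {
    "\\DosDevices\\C:": _FIXED_DISK,
    "\\??\\Volume{00000000-1111-2222-3333-444444444444}": _FIXED_DISK,
    "\\DosDevices\\E:": _USB_DEVICE.encode("utf-16-le"),
    "\\??\\Volume{8f1e2a10-5555-6666-7777-888888888888}": _USB_DEVICE.encode("utf-16-le"),
}

# HKCU\...\Explorer\MountPoints2 sub key names per user hive (NTUSER.DAT).
MOUNTPOINTS2_SAMPLE = {
    "S-1-5-21-1111-2222-3333-1001": ["C", "E", "{8f1e2a10-5555-6666-7777-888888888888}",
                                    "{00000000-1111-2222-3333-444444444444}"],
    "S-1-5-21-1111-2222-3333-1002": ["C", "{00000000-1111-2222-3333-444444444444}"],
}


def decode_mounted_device(data):
    """Classify one MountedDevices value and pull out the identifying fields."""
    if len(data) == 12:
        return {"kind": "fixed",
                "mbr_signature": data[:4].hex(),
                "partition_offset": int.from_bytes(data[4:], "little")}
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    if "USBSTOR#" in text:
        # _??_USBSTOR#<device id>#<serial>&<instance>#{interface class GUID}
        parts = text.split("#")
        serial = parts[2].split("&")[0] if len(parts) > 2 else None
        return {"kind": "usb", "device_path": text, "serial": serial}
    return {"kind": "other", "device_path": text}


def decode_mounted_devices(values):
    """Decode every MountedDevices value, keyed by its value name."""
    return {name: decode_mounted_device(data) for name, data in values.items()}


def usb_volume_guids(values):
    """Map each USB serial to the {GUID}s of volumes backed by that device."""
    guids = {}
    for name, info in decode_mounted_devices(values).items():
        if info["kind"] == "usb" and name.startswith("\\??\\Volume{"):
            guid = name[len("\\??\\Volume"):]
            guids.setdefault(info["serial"], set()).add(guid.lower())
    return guids


def users_who_mounted(mounted_devices, mountpoints2_by_sid):
    """serial -> sorted SIDs whose MountPoints2 holds one of the device's
    volume GUIDs, i.e. the users under whom the USB device was mounted."""
    result = {}
    for serial, guids in usb_volume_guids(mounted_devices).items():
        users = [sid for sid, subkeys in mountpoints2_by_sid.items()
                 if guids & {s.lower() for s in subkeys}]
        if users:
            result[serial] = sorted(users)
    return result


if __name__ == "__main__":
    for name, info in decode_mounted_devices(MOUNTED_DEVICES_SAMPLE).items():
        print(name, info)
    print(users_who_mounted(MOUNTED_DEVICES_SAMPLE, MOUNTPOINTS2_SAMPLE))
```

In the sample both users have the fixed disk's volume GUID, but only the first SID has the USB volume's GUID under MountPoints2, so the serial is attributed to that user alone; the last write time of that GUID sub key (not modelled here) gives the last time that user mounted the device.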
Volume Serial Number
This key reveals the volume serial number of the file system partition on the USB device. Knowing both the volume serial number and the volume name, we can correlate the data across shortcut file (LNK) analysis and the RecentDocs key. The shortcut file (LNK) contains the volume serial number and name; the RecentDocs registry key, in most cases, contains the volume name when the USB device is opened via Explorer.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Internet Explorer
Internet Explorer stores its data in one key, which has three subkeys that hold the majority of the useful information.
HKCU\Software\Microsoft\Internet Explorer
The first sub key, Main, stores the user's settings in Internet Explorer. It contains information like search bars, start page, form settings, etc.
There is a value within this key that is interesting and pertains to the next section on Windows passwords. The value is called "Form Suggest PW Ask". If this value is "yes", it is a good indicator that the Windows AutoComplete password feature is enabled. If the user has unchecked the box so that passwords are never remembered, this value would be "no" and the user's passwords would not be saved. Saved passwords are stored in the SPW (SavedPassWords) key, which is discussed in the next section.
HKCU\Software\Microsoft\Internet Explorer\Main
This next location stores all URLs that a user has typed into the address field of the web browser.
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
If the user clears the history within the Internet Options window, the TypedURLs key is deleted entirely and is not recreated until a URL is typed into the address field again.
Windows Passwords
As stated above, if "Form Suggest PW Ask" within the Internet Explorer\Main key contains a "yes" value and the user tells the system to remember the password when prompted, then these Internet Explorer AutoComplete passwords are stored in the following key:
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW
If "Form Suggest PW Ask" contains a "yes" value and the user selects the AutoComplete option NOT to remember the password, the password is still logged in the registry, because the OS needs to refer to it in order to know not to ask the user to remember it again. These passwords consist of Internet Explorer protected sites, MSN Explorer, AutoComplete and Outlook passwords. Passwords stored in either of these keys are encrypted by the operating system. They are stored in the following key:
HKCU\Software\Microsoft\Protected Storage System Provider
MSN Messenger or Windows Live Messenger
Windows Messenger, MSN Messenger and Windows Live Messenger (the new MSN) generally use any of the three following keys:
HKEY_CURRENT_USER\Software\Microsoft\MessengerService
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService
HKLM\Software\Microsoft\Messenger service\Session Manager\Apps
Application Compatibility Cache
The Windows application compatibility database is used by Windows to identify possible application compatibility problems with executables. It tracks the executable file name, file size, last modified time and, in Windows XP/7/8, the last update time.
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility (Windows XP)
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache (Windows 7)
Any executable run on the Windows system could be found in this key. We can use this key to identify systems that specific malware was executed on. In addition, based on the interpretation of the time-based data, you might be able to determine the last time of execution or activity on the system.
- Windows XP: contains at most 96 entries
  - Last Update Time is updated when the files are executed
- Windows 7: contains at most 1024 entries
  - Last Update Time does not exist on Windows 7 systems
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache
Shell Bags
ShellBags track the user's folder viewing preferences in Windows Explorer. They can be used to tell whether activity occurred in a folder, and in some cases you can see the files from a specific folder as well.
HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCR\Local Settings\Software\Microsoft\Windows\Shell\Bags
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
HKU\S…\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKU\S…\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Interpretation:
These keys store information about which folders were most recently browsed by the user.
HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKU\S…\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKU\S…\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Network History
These keys identify the networks the computer has been connected to, whether wireless or wired. They also identify the domain name/intranet name, the SSID and the gateway MAC address.
Network Card details
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
Network List
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost (Windows 8)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\NewNetworks
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Interpretation:
- Identifying the intranets and networks that a computer has connected to is incredibly important.
- Not only can we tell the intranet name, we can get the last time the network was connected to, based on the last write time of the key.
- This will also list any networks that have been connected to via VPN.
- The MAC address of the gateway for an SSID could be physically triangulated.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost (Windows 8)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (details of Wi-Fi hotspots)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Shared files on LAN or Network
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Shares
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Shares\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Thank you very much for your time.
Contact details:
Himanshu D. Patel
hpatel0734@gmail.com

BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Bios and cmos
Bios and cmosBios and cmos
Bios and cmosOnline
 
BIOS basic input output system
BIOS basic input output systemBIOS basic input output system
BIOS basic input output systemVipul Buchade
 
Bios ( Basic Input Output System )
Bios ( Basic Input Output System )Bios ( Basic Input Output System )
Bios ( Basic Input Output System )Jesthine Nesshal
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentationMuhammad Zia
 

Viewers also liked (9)

Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Presentacion del bios
Presentacion del biosPresentacion del bios
Presentacion del bios
 
Bios and cmos
Bios and cmosBios and cmos
Bios and cmos
 
Bios
BiosBios
Bios
 
BIOS basic input output system
BIOS basic input output systemBIOS basic input output system
BIOS basic input output system
 
Bios
BiosBios
Bios
 
Bios ( Basic Input Output System )
Bios ( Basic Input Output System )Bios ( Basic Input Output System )
Bios ( Basic Input Output System )
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
 

Similar to Windows Registry Analysis

Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
FORENSIC ANALYSIS OF WINDOWS REGISTRY AGAINST INTRUSION
FORENSIC ANALYSIS OF WINDOWS REGISTRY AGAINST INTRUSIONFORENSIC ANALYSIS OF WINDOWS REGISTRY AGAINST INTRUSION
FORENSIC ANALYSIS OF WINDOWS REGISTRY AGAINST INTRUSIONIJNSA Journal
 
Windows registry troubleshooting (2015)
Windows registry troubleshooting (2015)Windows registry troubleshooting (2015)
Windows registry troubleshooting (2015)James Konol
 
Itk rawa t____operatingsystems2
Itk rawa t____operatingsystems2Itk rawa t____operatingsystems2
Itk rawa t____operatingsystems2KapiL RawaT
 
Section02-Structures.ppt
Section02-Structures.pptSection02-Structures.ppt
Section02-Structures.pptJamelPandiin2
 
Operatingsystems
Operatingsystems Operatingsystems
Operatingsystems kuldeepy60
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012Rian Yulian
 
Seminar Topic Registry (M.Tech)
Seminar Topic Registry (M.Tech) Seminar Topic Registry (M.Tech)
Seminar Topic Registry (M.Tech) Yashpal Rathore
 
16. Computer Systems Basic Software 2
16. Computer Systems   Basic Software 216. Computer Systems   Basic Software 2
16. Computer Systems Basic Software 2New Era University
 
10 resource kit remote administration tools
10 resource kit remote administration tools10 resource kit remote administration tools
10 resource kit remote administration toolsDuggesh Talawar
 
M.c.a. (sem ii) operating systems
M.c.a. (sem   ii) operating systemsM.c.a. (sem   ii) operating systems
M.c.a. (sem ii) operating systemsTushar Rajput
 

Similar to Windows Registry Analysis (20)

Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
FORENSIC ANALYSIS OF WINDOWS REGISTRY AGAINST INTRUSION
FORENSIC ANALYSIS OF WINDOWS REGISTRY AGAINST INTRUSIONFORENSIC ANALYSIS OF WINDOWS REGISTRY AGAINST INTRUSION
FORENSIC ANALYSIS OF WINDOWS REGISTRY AGAINST INTRUSION
 
Windows registry troubleshooting (2015)
Windows registry troubleshooting (2015)Windows registry troubleshooting (2015)
Windows registry troubleshooting (2015)
 
Computer Systems Hardware
Computer Systems   HardwareComputer Systems   Hardware
Computer Systems Hardware
 
Operating systems
Operating systemsOperating systems
Operating systems
 
Itk rawa t____operatingsystems2
Itk rawa t____operatingsystems2Itk rawa t____operatingsystems2
Itk rawa t____operatingsystems2
 
Section02-Structures.ppt
Section02-Structures.pptSection02-Structures.ppt
Section02-Structures.ppt
 
Perfect Papers Software
Perfect Papers   SoftwarePerfect Papers   Software
Perfect Papers Software
 
Operatingsystem
Operatingsystem Operatingsystem
Operatingsystem
 
Operatingsystems
Operatingsystems Operatingsystems
Operatingsystems
 
Windows xp
Windows xpWindows xp
Windows xp
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
Seminar Topic Registry (M.Tech)
Seminar Topic Registry (M.Tech) Seminar Topic Registry (M.Tech)
Seminar Topic Registry (M.Tech)
 
WindowsRegistry.ppt
WindowsRegistry.pptWindowsRegistry.ppt
WindowsRegistry.ppt
 
Operating system
Operating systemOperating system
Operating system
 
Computer softwre
Computer softwreComputer softwre
Computer softwre
 
16. Computer Systems Basic Software 2
16. Computer Systems   Basic Software 216. Computer Systems   Basic Software 2
16. Computer Systems Basic Software 2
 
10 resource kit remote administration tools
10 resource kit remote administration tools10 resource kit remote administration tools
10 resource kit remote administration tools
 
IMD 203 - Ch02
IMD 203 - Ch02IMD 203 - Ch02
IMD 203 - Ch02
 
M.c.a. (sem ii) operating systems
M.c.a. (sem   ii) operating systemsM.c.a. (sem   ii) operating systems
M.c.a. (sem ii) operating systems
 

Recently uploaded

Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 

Recently uploaded (20)

Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 

Windows Registry Analysis

  • 1. WINDOWS REGISTRY Analysis Windows 9x/ME, Windows CE, Windows NT/2000/XP/2003, Windows7/8 store configuration data in registry. It is a central repository for configuration data that is stored in a hierarchical manner.System, users, applications and hardware in Windows make use of the registry to store their configuration and it is constantly accessed for reference during their operation. The registry is introduced to replace most text-based configuration files used in Windows 3.x and MS- DOS, such as .ini files, autoexec.bat and config.sys. Due to the vast amount of information stored in Windows registry, the registry can be an excellent source for potential evidential data. For instance, windows registry contains information on user accounts, typed URLs, network shared, and Run command history. Aspects discussed in this paper are based on Windows XP (Service Pack 2) Windows 7 and windows 8 registry. The registry is a database in Windows that contains important information about system hardware, installed programs and settings, and profiles of each of the user accounts on your computer. Windows continually refers to the information in the registry. We should not need to make manual changes to the registry because programs and applications typically make all the necessary changes automatically. An incorrect change to your computer's registry could render your computer inoperable. However, if a corrupt file appears in the registry, you might be required to make changes. We strongly recommend that you back up the registry before making any changes and that you only change values in the registry that you understand or have been instructed to change by a source you trust. 
 HKCC: HKEY_CURRENT_CONFIG (current hardware configuration)
» Link to HKLM\System\CurrentControlSet\Hardware Profiles\Current
 HKCU: HKEY_CURRENT_USER (current user's data)
» Link to HKU\<SID of current user>

File locations (hive files on disk):
 HKLM\SAM             %SYSTEMROOT%\System32\config\SAM
 HKLM\Security        %SYSTEMROOT%\System32\config\SECURITY
 HKLM\Software        %SYSTEMROOT%\System32\config\software
 HKLM\System          %SYSTEMROOT%\System32\config\system
 HKLM\Hardware        volatile; built in memory at boot and never written to disk
 HKU\.Default         %SYSTEMROOT%\System32\config\default
 HKU\<SID>            %USERPROFILE%\NTUSER.DAT
 HKU\<SID>_Classes    %USERPROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat (Windows XP; %LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat on Windows 7/8)
Registry files and their typical content:
 NTUSER.DAT   Protected Storage for the user, MRU lists, the user's preference settings.
 DEFAULT      System settings set during the initial install of the operating system.
 SAM          Security settings and user account management (local accounts and their password hashes).
 SECURITY     Security settings (local security policy and LSA secrets).
 SOFTWARE     All installed programs on the system and the settings associated with them.
 SYSTEM       System settings (control sets, services and drivers, device configuration).

REGISTRY STRUCTURE
[Figure: Windows registry structure, logical view of a key (Windows 7)]
FORENSIC-RELATED REGISTRY KEYS

Time Zone Information
The TimeZoneInformation key is a critical reference for building a consistent timeline of evidence. Its values (Bias, ActiveTimeBias, StandardBias, DaylightBias and the StandardName/DaylightName strings) give the time zone and daylight saving time (DST) information needed to convert UTC timestamps to local time. DST does not affect UTC, but it changes the offset that applies at a given moment, so a timestamp converted with the wrong bias is off by an hour. Registry key LastWrite times, like NTFS and event log timestamps, are stored in UTC, and ActiveTimeBias only tells you the offset that was in force when the hive was last written.
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (Windows 7)

Autorun Locations
Autorun locations are the common keys from which programs are launched automatically during boot or user logon. Because they give code execution every time the system starts, they are the first place to look for persistence.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (Windows XP)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows XP)
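The UTC-to-local conversion described above, worked through in Python as an added example (this is not code from the original document). The TimeZoneInformation values are a constructed snapshot of a US Eastern machine whose hive was last written during DST, the FILETIME is a constructed key LastWrite time, and the function names are mine.

```python
from datetime import datetime, timedelta, timezone

# Constructed TimeZoneInformation values for a machine in US Eastern time whose hive was last written
# during daylight saving time (not from a real system). Biases are REG_DWORD minutes and Windows
# defines UTC = local + Bias, so local = UTC - Bias.
TZI_EASTERN_DST = {
    "Bias": 300,                 # standard offset UTC-5
    "StandardBias": 0,
    "DaylightBias": 0xFFFFFFC4,  # -60 stored as an unsigned DWORD (two's complement)
    "ActiveTimeBias": 240,       # Bias + DaylightBias: the offset in force when the key was written
    "StandardName": "Eastern Standard Time",
    "DaylightName": "Eastern Daylight Time",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_LASTWRITE = 130157802000000000   # constructed key LastWrite time: 2013-06-15 14:30:00 UTC


def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; registry LastWrite times use this format."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def signed_dword(value: int) -> int:
    """REG_DWORD is unsigned; negative biases (zones east of UTC, every DaylightBias) are two's complement."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def resolve_bias(tzi: dict, in_dst=None):
    """Return (minutes to subtract from UTC, zone name).

    in_dst=None uses ActiveTimeBias, the offset Windows applied when the hive was last written. That is
    correct only for events in the same DST phase as that write; for an event known to fall in the other
    phase, pass in_dst explicitly so the offset is rebuilt from Bias + StandardBias/DaylightBias."""
    bias, std, dst = (signed_dword(tzi[k]) for k in ("Bias", "StandardBias", "DaylightBias"))
    if in_dst is None:
        active = signed_dword(tzi["ActiveTimeBias"])
        in_dst = dst != 0 and active == bias + dst
        return active, tzi["DaylightName" if in_dst else "StandardName"]
    return bias + (dst if in_dst else std), tzi["DaylightName" if in_dst else "StandardName"]


def to_local(utc: datetime, tzi: dict, in_dst=None) -> datetime:
    """Render a UTC timestamp as the suspect's clock would have shown it."""
    minutes, name = resolve_bias(tzi, in_dst)
    return utc.astimezone(timezone(timedelta(minutes=-minutes), name))


if __name__ == "__main__":
    utc = filetime_to_utc(SAMPLE_LASTWRITE)
    local = to_local(utc, TZI_EASTERN_DST)
    print("UTC   :", utc.isoformat())
    print("local :", local.isoformat(), local.tzname())
    print("same instant if the event fell in standard time:",
          to_local(utc, TZI_EASTERN_DST, in_dst=False).isoformat())
```

The in_dst switch is the caveat from the text: ActiveTimeBias is a snapshot, not a rule, so an event from the other half of the year must be converted with Bias plus the matching StandardBias or DaylightBias rather than with the offset the hive happened to carry when it was imaged.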
MRU Lists
MRU is the abbreviation for most-recently-used. A "most recently used list" contains entries created by specific actions of the user, and there are numerous MRU lists spread across the registry. They are maintained so the user can return to those items later; their function is similar to the history and cookies of a web browser, and for the examiner they are a record of what the user opened, saved, searched for and ran.

Common Dialog - OpenSaveMRU
This key maintains a list of files recently opened or saved through the Windows Explorer-style common dialog boxes (the Open and Save dialogs) (Microsoft, 2002). For instance, files (.txt, .pdf, .htm, .jpg) opened or saved from within a web browser (including IE and Firefox) are recorded here. Documents opened or saved via Microsoft Office programs are not, because Office uses its own dialogs and its own File MRU keys. The sub key * contains the full file path of the 10 most recently opened or saved files; the other sub keys of OpenSaveMRU hold far more entries (including the 10 most recent), grouped by file extension.

XP Search Files
This key records recent search terms entered in the Windows XP Search Assistant. Sub key 5603 holds terms used to find folders and file names, sub key 5604 holds terms used to find a word or phrase inside a file, 5001 holds Internet Search Assistant queries, and 5647 holds searches for printers, computers and people.
HKCU\Software\Microsoft\Search Assistant\ACMru\5603 (files and folders)
HKCU\Software\Microsoft\Search Assistant\ACMru\5604 (a word or phrase in a file)
HKCU\Software\Microsoft\Search Assistant\ACMru\5001 (Internet Search Assistant)
HKCU\Software\Microsoft\Search Assistant\ACMru\5647 (printers, computers and people)
(Windows XP)

Windows Start Menu - Recent Docs
This key also maintains a list of files recently opened or executed through Windows Explorer. It corresponds to the %USERPROFILE%\Recent folder (My Recent Documents). The key records local and network files that were recently opened; only the file name is stored, as a binary value (the UTF-16 file name followed by a shell item pointing at the .lnk in the Recent folder), and the order is kept in the MRUListEx value. It has the same grouping as the OpenSaveMRU key: opened files are also organised by file extension under sub keys such as .pdf.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf (Windows 8)

Remote Desktop Information
The Terminal Server Client key holds the settings of the Remote Desktop client. The following Microsoft Knowledge Base scenario concerns one of its sub keys. You log on to a Windows Server 2003 Service Pack 1 (SP1)-based terminal server from a client computer running a Japanese version of Windows XP. The terminal server uses a Microsoft Global Input Method Editor (IME) keyboard layout, which differs from the client computer's layout when you log on remotely. If the imjp81.ime registry entry contains a value, the client computer sends that value to the terminal server; however, the entry's default value is "null", and the client computer incorrectly assumes that "null" is a valid file name.
Warning: serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To work around this problem, follow these steps on each client computer:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\IME Mapping Table\JPN
3. Right-click the imjp81.ime entry, and then click Modify.
4. Clear the Value data text box, and then click OK.
5. Exit Registry Editor.
HKLM\Software\Microsoft\Terminal Server Client\IME Mapping Table\JPN (Windows 7)

Run dialog box
This key maintains the entries (a full file path, or commands such as cmd, regedit, compmgmt.msc) executed through Start > Run. The MRUList value holds a string of letters, each referring to one of the lettered values, arranged in the order the entries were added, most recent first. The most recently added entry does not necessarily mean the most recently used command, because the suspect may have re-executed an earlier entry: Windows does not modify the key's LastWrite time or MRUList when the command already exists in the key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
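Both MRU orderings described above (the lettered MRUList of RunMRU and OpenSaveMRU, and the MRUListEx of RecentDocs) decoded in Python, as an added example rather than code from the original document. The RunMRU and RecentDocs\.pdf contents are constructed; the shell item after each RecentDocs file name is a placeholder, since only the name is decoded here.

```python
import struct

# Constructed RunMRU content (not from a real system): lettered values carrying the trailing "\1"
# marker Windows appends to each Run-dialog command, and MRUList giving the order, most recent first.
RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\finance\\1",
    "d": "notepad.exe\\1",
    "MRUList": "cdab",
}


def _recentdocs_value(name: str) -> bytes:
    """Build a RecentDocs-style value: UTF-16LE file name, NUL terminator, then the shell item that
    points at the .lnk in the Recent folder (a size-prefixed placeholder here, not a real item)."""
    shell_item = b"\x14\x00\x32\x00" + b"\x00" * 16
    return name.encode("utf-16-le") + b"\x00\x00" + shell_item


# Constructed RecentDocs\.pdf content: numbered binary values plus the MRUListEx order (uint32 indexes)
RECENTDOCS_PDF = {
    "0": _recentdocs_value("report.pdf"),
    "1": _recentdocs_value("invoice-2013.pdf"),
    "2": _recentdocs_value("draft.pdf"),
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}


def order_by_mrulist(values: dict) -> list:
    """XP-style lists (RunMRU, OpenSaveMRU): MRUList is a string of letters, most recent first."""
    return [values[c] for c in values.get("MRUList", "") if c in values]


def order_by_mrulistex(values: dict) -> list:
    """Vista+ lists (RecentDocs, OpenSavePidlMRU): MRUListEx is little-endian uint32 indexes ending in
    0xFFFFFFFF, most recent first. Returns the raw binary values in that order."""
    raw = values.get("MRUListEx", b"")
    ordered = []
    if not raw:
        return ordered
    for (idx,) in struct.iter_unpack("<I", raw[: len(raw) - len(raw) % 4]):
        if idx == 0xFFFFFFFF:
            break
        if str(idx) in values:
            ordered.append(values[str(idx)])
    return ordered


def run_command(value: str) -> str:
    """Strip the trailing backslash-1 marker from a RunMRU entry."""
    return value[:-2] if value.endswith("\\1") else value


def recentdocs_name(blob: bytes) -> str:
    """Decode the UTF-16LE name that starts a RecentDocs value (terminated by a 2-byte NUL)."""
    for i in range(0, len(blob) - 1, 2):
        if blob[i:i + 2] == b"\x00\x00":
            return blob[:i].decode("utf-16-le")
    return blob.decode("utf-16-le", errors="replace")


def run_dialog_history(runmru: dict) -> list:
    return [run_command(v) for v in order_by_mrulist(runmru)]


def recent_docs(recentdocs: dict) -> list:
    return [recentdocs_name(v) for v in order_by_mrulistex(recentdocs)]


if __name__ == "__main__":
    print("Run dialog, most recent first:", run_dialog_history(RUNMRU))
    print("RecentDocs\\.pdf, most recent first:", recent_docs(RECENTDOCS_PDF))
```

The two list formats are the main pitfall here: reading the lettered values or numbered values in key order gives the order in which they were first created, while only MRUList/MRUListEx gives the most-recent-first order the examiner wants.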
Regedit - Last accessed key
Warning: if you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
The LastKey value under this key records the registry path that was selected when Registry Editor was last closed, which tells an examiner which key the user was working on last.
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Regedit - Favorites
Keys the user bookmarked in Registry Editor's Favorites menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
MS Paint - Recent Files
MS Paint lets you create and edit drawings and scanned photos. When you add text it should display a toolbar with font, style and size; if it does not, the setting has to be changed in the registry. Go to Start > Run, enter regedit and navigate to the Paint key below. If the sub key CurrentVersion\Applets\Paint\Text is not present, create it; then create a DWORD value named ShowTextTool, if it does not exist, and set its value data to 1 to enable the toolbar. The Recent File List sub key, shown in the figure, holds the list of previously used files.
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List (Windows 8)

Mapped Network Drives
The following keys contain the drive-mapping history (the UNC paths the user mapped with Map Network Drive, in MRU order):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Installed Application List
Each sub key of this key represents a program installed on the computer. All programs listed in Control Panel > Add/Remove Programs correspond to one of these sub keys; however, there are other installed components (device drivers, Windows patches) that are not listed in Add/Remove Programs. Each sub key usually contains two common values: DisplayName (the program name) and UninstallString (the file path of the application's uninstall component, which indirectly reveals the installation path). Other useful values may exist, including InstallDate, InstallSource and DisplayVersion. On 64-bit Windows 7/8, 32-bit applications are listed under the Wow6432Node copy of this key.
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
Command Processor
This key has a value named AutoRun, which can contain a command that is executed automatically every time cmd.exe starts. The key exists under both HKLM (Software\Microsoft\Command Processor, which requires administrative privilege to modify) and HKCU (which any user can write to). Malware uses this feature to load itself without the user's knowledge, and a suspect could covertly run a malicious program under the cover of cmd.exe by setting the AutoRun data to the executable's path. On a clean system AutoRun is normally absent or empty.
HKCU\Software\Microsoft\Command Processor

WordPad - Recent Files
WordPad stores a list of recently accessed files in its Jump List and in the registry under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
Common Dialog - Last visited MRU
This key correlates with the OpenSaveMRU key to provide extra information. Whenever a new entry is added to OpenSaveMRU, a value is created or updated in this key. Each binary value contains the file name of a recently used program executable and the folder path of a file that program opened or saved: for a save, the folder path is the destination; for an open, the source path. A new value is created only if no existing value contains that executable name; if there is a matching executable name, only the folder path section of that value is updated. The examiner therefore gets one "last folder" per application, not a full history.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU (Windows 7/8; LastVisitedMRU on Windows XP)

Common Dialog - Open/Save MRU
This key maintains a list of recently opened or saved files via the Windows Explorer-style common dialog boxes (the Open and Save dialogs). For instance, files (.txt, .pdf, .htm, .jpg) opened or saved from within a web browser (including IE and Firefox) are maintained; documents opened or saved via Microsoft Office programs are not. Sub key * contains the full file path to the 10 most recently opened or saved files. Other sub keys of OpenSaveMRU contain far more entries related to previously opened or saved files (including the 10 most recent ones), grouped by file extension (for example .pdf and .sys).
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (Windows XP; OpenSavePidlMRU on Windows 7/8, where the values hold shell item lists instead of plain paths)
EXE to main window title cache
It is useful to know what people are running on a system, and this cache can tell you what an executable is before you run it yourself: MuiCache maps each executable's path to the friendly name taken from its version resource the first time the shell displayed it, so it lists programs that were run even if they have since been deleted.
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (Windows 7/8; HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache on Windows XP)

PowerPoint - Recent Files
This key stores the file name and location of the Microsoft Office PowerPoint documents used most recently (15.0 is Office 2013; other Office releases use their own version number in the path).
HKCU\Software\Microsoft\Office\15.0\PowerPoint\File MRU
Word - Recent Files
This key stores the file name and location of the Microsoft Office Word documents used most recently.
HKCU\Software\Microsoft\Office\15.0\Word\File MRU

UserAssist
This key contains two or more sub keys with long hexadecimal names, globally unique identifiers (GUIDs), and beneath each GUID is a sub key called Count. The Count sub key contains recorded values for objects the user has accessed on the system, such as Control Panel applets, shortcut files, programs, documents and media. The value names are ROT13-encoded paths, and each value's binary data holds the run count and the time of last execution, which makes UserAssist one of the few registry sources that records program execution by a user with both a count and a timestamp.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
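A UserAssist decoder in Python, added here as an example and not taken from the original document. The Count values are constructed for both the Windows 7/8 (72-byte) and Windows XP (16-byte) layouts; the ROT13 names, counts and FILETIME are made up for the example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_LAST_RUN = 130157802000000000   # constructed FILETIME: 2013-06-15 14:30:00 UTC


def _win7_blob(run_count, focus_count, focus_ms, last_run_ft):
    """Windows 7/8 Count value, 72 bytes: session id, run count, focus count, focus time (ms),
    ten floats of usage statistics, last-run FILETIME at offset 60, 4 bytes of padding."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", last_run_ft) + b"\x00" * 4)


def _xp_blob(run_count, last_run_ft):
    """Windows XP Count value, 16 bytes: session id, counter, FILETIME. The counter starts at 5."""
    return struct.pack("<IIQ", 0, run_count + 5, last_run_ft)


# Constructed Count values (not from a real system). Names are ROT13-encoded as Windows stores them.
USERASSIST_COUNT_WIN7 = {
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pnyp.rkr": _win7_blob(7, 12, 45000, _LAST_RUN),
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\zfgfp.rkr": _win7_blob(1, 1, 2000, 0),
}
USERASSIST_COUNT_XP = {
    "HRZR_EHACVQY:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr": _xp_blob(3, _LAST_RUN),
}


def decode_name(value_name: str) -> str:
    """Value names are ROT13 of the path (on XP prefixed with a UEME_ tag)."""
    return codecs.decode(value_name, "rot13")


def filetime_to_utc(filetime: int):
    """A zero FILETIME means 'never recorded', not 1601."""
    return None if filetime == 0 else FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_count(blob: bytes) -> dict:
    if len(blob) == 16:
        _session, counter, ft = struct.unpack("<IIQ", blob)
        return {"run_count": max(counter - 5, 0), "last_run": filetime_to_utc(ft)}
    if len(blob) == 72:
        run_count, focus_count, focus_ms = struct.unpack_from("<III", blob, 4)
        (ft,) = struct.unpack_from("<Q", blob, 60)
        return {"run_count": run_count, "focus_count": focus_count,
                "focus_ms": focus_ms, "last_run": filetime_to_utc(ft)}
    raise ValueError(f"unexpected UserAssist value length {len(blob)}")


def decode_userassist(count_values: dict) -> list:
    """Decode one Count sub key into rows sorted by last execution, newest first."""
    rows = []
    for name, blob in count_values.items():
        row = {"name": decode_name(name)}
        row.update(parse_count(blob))
        rows.append(row)
    return sorted(rows, key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)


if __name__ == "__main__":
    for row in decode_userassist(USERASSIST_COUNT_WIN7) + decode_userassist(USERASSIST_COUNT_XP):
        print(row["last_run"], row["run_count"], row["name"])
```

The value length is what distinguishes the two formats, and the timestamps come out in UTC; convert them with the TimeZoneInformation biases before comparing them with anything the user would have seen on screen.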
Memory Management - paging
This key maintains the Windows virtual memory (paging file) configuration. The paging file (usually C:\pagefile.sys) may contain evidential information (fragments of process memory, including credentials and plaintext that never touched the file system) that is lost once the suspect computer is shut down. The value ClearPageFileAtShutdown specifies whether Windows should wipe the paging file at shutdown; by default (0) Windows does not clear it. A suspect may set this value to 1 so that the paging file is cleared at shutdown (Microsoft, 2003); it is also a legitimate hardening setting, so its presence alone is not proof of anti-forensics. A forensic investigator should check this value before shutting down a suspect computer during evidence collection, and if it is set, capture memory and the paging file from the live system or pull the power rather than perform a clean shutdown.
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

Existing Services
This key contains the list of Windows services and kernel drivers. Each sub key represents one service and contains its information, such as the startup configuration (the Start value) and the executable image path (ImagePath). Some malware, as well as important software such as Oracle 11g R2, installs itself as a service and therefore leaves a trace in this key.
HKLM\System\CurrentControlSet\Services
HKLM\System\CurrentControlSet\Services\Oracle11Preference

Image File Execution Options
This key lets an administrator map an executable file name to a debugger, so that the named program is started under a different program. Modification of this key requires administrative privilege. A suspect could exploit this feature to launch a completely different program under the cover of the original one. First, the suspect creates a sub key named after a benign-looking executable, for example notepad.exe (or taskmgr.exe, compmgmt.msc or any other). Then, under the notepad.exe sub key, the suspect creates a new string (REG_SZ) value named Debugger and points it at the covert program (for example C:\Windows\system32\telnet.exe). When notepad.exe is executed, Windows starts the "debugger" instead and passes the original command line to it, so the telnet client is launched in place of Notepad. If the suspect runs notepad.exe through Windows Run, the RunMRU history will show only notepad.exe, so the technique can deceive a forensic examiner. A suspect could also redirect the original program to a trojanized version that launches a backdoor whenever the original program is run. Malware exploits this feature to load itself without the user's knowledge. Any Debugger value under a sub key of this key deserves an explanation; legitimate entries are rare outside developer machines.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
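A triage pass over the persistence keys covered above (the Run/RunOnce autorun locations, the Command Processor AutoRun value, service ImagePath entries and IFEO Debugger values), written in Python as an added example; it is not code from the original document. The registry snapshot is constructed, every path and value in it is made up, and the suspicious-location and script-host rules are my own heuristics, not a Windows-defined list.

```python
import ntpath
import re

# Constructed snapshot of the persistence keys discussed above (Run keys, Command Processor, Image File
# Execution Options, Services). Not from a real system: every path, value name and service is made up.
SNAPSHOT = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "Updater": r"wscript.exe C:\Users\Public\update.vbs",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "svchost": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
    },
    r"HKCU\Software\Microsoft\Command Processor": {
        "AutoRun": r"C:\Users\bob\AppData\Roaming\helper.exe",   # runs on every cmd.exe start
        "CompletionChar": 9,
    },
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe": {
        "Debugger": r"C:\Windows\system32\telnet.exe",          # the hijack described in the text
    },
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe": {
        "DisableExceptionChainValidation": 0,                   # IFEO entry without Debugger: not a hijack
    },
    r"HKLM\System\CurrentControlSet\Services\AcmeBackup": {
        "Start": 2, "ImagePath": r'"C:\Program Files\Acme\backup.exe" -svc',
    },
    r"HKLM\System\CurrentControlSet\Services\WinDefendUpd": {
        "Start": 2, "ImagePath": r"C:\ProgramData\wdu\wdu.exe -k netsvcs",
    },
}

AUTORUN_KEY = re.compile(r"\\Run(Once|OnceEx|Services|ServicesOnce)?$", re.I)
SUSPICIOUS_DIR = re.compile(r"\\(Temp|Public|ProgramData|Downloads)\\", re.I)   # heuristic, my choice
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}  # heuristic list


def first_token(cmdline: str) -> str:
    """Program path from a command line: the quoted path, or everything before the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def review_reasons(cmdline: str) -> list:
    """Why an autostart command deserves a look. Heuristics only: an empty list means nothing obvious,
    not that the entry is clean (the binary still has to be hashed and checked)."""
    reasons = []
    target = first_token(cmdline)
    base = ntpath.basename(target).lower()
    if SUSPICIOUS_DIR.search(cmdline):
        reasons.append("suspicious-location")
    if base in SCRIPT_HOSTS or cmdline.lower().rstrip().endswith(SCRIPT_EXT):
        reasons.append("script-host")
    if base in SYSTEM_NAMES and not target.lower().startswith("c:\\windows\\"):
        reasons.append("masquerade")
    return reasons


def triage(snapshot: dict) -> list:
    """Walk the snapshot and return (key, value name, reason) tuples for an examiner to follow up."""
    findings = []
    for key, values in snapshot.items():
        lower = key.lower()
        if AUTORUN_KEY.search(key):
            for name, data in values.items():
                findings += [(key, name, r) for r in review_reasons(str(data))]
        elif lower.endswith("\\command processor") and values.get("AutoRun"):
            findings.append((key, "AutoRun", "cmd-autorun"))
        elif "\\image file execution options\\" in lower and "Debugger" in values:
            findings.append((key, "Debugger", "ifeo-debugger"))
        elif "\\services\\" in lower and "ImagePath" in values and values.get("Start", 3) <= 2:
            findings += [(key, "ImagePath", "service-" + r) for r in review_reasons(str(values["ImagePath"]))]
    return findings


if __name__ == "__main__":
    for key, name, reason in triage(SNAPSHOT):
        print(f"{reason:28} {name:12} {key}")
```

Note what the rules deliberately do not flag: a per-user program under AppData\Local (OneDrive in the sample) is too common to be a useful signal on its own, so the location rule only looks at Temp, Public, ProgramData and Downloads; for everything else the follow-up is to hash the binary rather than to judge it by its path. The IFEO and AutoRun rules have no such ambiguity, because a Debugger value or a non-empty AutoRun is unusual enough that each one should be explained.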
• 18. Last logged-on user
The Winlogon key records the user who logged on last (DefaultUserName). It tells us who used the machine last and, for a penetration tester, supplies a valid user name to attack. On Windows 7 and later the LastLoggedOnUser value under HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI records the same thing more reliably.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Wireless networks
A wireless network adapter picks up the access points within range, which are identified by their SSID (Service Set Identifier). When the user connects to a network or hotspot, Windows XP records the SSID as a preferred network.
HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces
This key holds the wireless network information for adapters managed by the Windows Wireless Zero Configuration service. Under each adapter's GUID subkey there are binary values named Static#0000, Static#0001, ... (one per listed SSID), which correspond to the entries in the "Preferred networks" box of the Wireless Network Connection properties. Each value is a WZC_WLAN_CONFIG structure: the SSID length is the 32-bit integer at offset 0x10 and the SSID bytes follow at offset 0x14. If the ActiveSettings value contains an SSID, it may be the last connected network, but this was not consistent in testing. If the suspect connected through a third-party utility bundled with the adapter instead of Wireless Zero Configuration, nothing is recorded in this key. The adapter GUID is the same one used under Tcpip\Parameters\Interfaces, so the examiner can combine the two keys to find the last IP address assigned on that adapter.
HKLM\Software\Microsoft\WZCSVC\Parameters\Interfaces (Windows XP)
• 19. HKLM\Software\Microsoft\Wlansvc\Interfaces (Windows 7)
Besides the SSID, Windows logs the network settings of each connection, such as the IP address, DHCP server, domain and subnet mask.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
Below this key are the adapter GUID subkeys mentioned above. Some values carry timestamps. LeaseObtainedTime, for example, is the time the IP address was obtained from the DHCP server; it (and LeaseTerminatesTime) is a REG_DWORD holding seconds since 1970-01-01 UTC. When reading an offline SYSTEM hive, check HKLM\SYSTEM\Select\Current first: it names the ControlSetNNN that was the live CurrentControlSet, which is not necessarily ControlSet001. If the computer uses vendor software to manage wireless connections, the information may be stored in additional, vendor-specific locations.
• 20. LAN computers
Windows XP's My Network Places lets a computer find the other computers on its LAN (local area network). A computer on a properly configured LAN records the names of the computers it has seen on that network, and the list survives after the machine leaves the network, so desktops, laptops and printers that were once on the same LAN can still be enumerated.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions

USB devices
Whenever a device is connected to the Universal Serial Bus (thumb drive, camera, etc.), its drivers are queried and the device information is stored in the registry. The following key contains one subkey per device descriptor (device type plus vendor, product and revision strings, in the form Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>) for every USB mass-storage device ever connected. Beneath each descriptor is the device instance ID, normally the serial number assigned by the manufacturer followed by &0. Like a network card's MAC address, the serial number is unique to the device, so a particular USB device can be shown to have been connected to other Windows systems as well. Caveat: if the device reports no serial number, Windows generates an instance ID of its own; such IDs have an ampersand as their second character (for example 7&1a2b3c4d&0) and are not unique across machines.
HKLM\System\ControlSet001\Enum\USBSTOR
• 21. HKLM\System\ControlSet001\Enum\USB
The Enum\USB key holds the numeric vendor and product IDs (VID_xxxx&PID_yyyy) of every USB device, storage or not, with the same instance ID subkeys beneath them.

Mounted Devices
This key lets us see every volume the system has mounted. It is the Mount Manager's database of mounted volumes, which gives each volume a persistent drive letter and volume name.
HKLM\SYSTEM\MountedDevices
• 22. The key holds one value per known volume: values named \DosDevices\<letter>: record the drive letter and values named \??\Volume{GUID} record the persistent volume GUID, and both carry the same binary data identifying the volume. For a fixed MBR disk the data is 12 bytes (4-byte disk signature plus 8-byte partition offset); for a USB storage device it is a UTF-16LE string of the form _??_USBSTOR#<descriptor>#<instance ID>#{class GUID}, which ties the drive letter and volume GUID back to the USBSTOR serial number. Every volume that was mounted with a drive letter appears here, including USB storage devices and external DVD/CD-ROM drives.
The volume GUID is then used to identify the user who plugged the device in: each user's NTUSER.DAT hive carries a MountPoints2 subkey named after the volume GUID, and that subkey's last-write time is the last time the device was mounted by that user.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\...\Autorun\DefaultIcon
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\...\Autorun\DefaultLabel
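The following is an added example (not code from the slides) that walks the USB provenance chain of slides 20 to 23 in one place: the USBSTOR subkey name, the MountedDevices binary data, the per-user MountPoints2 subkeys and the EMDMgmt volume serial number. All registry data in it is constructed to follow the value layouts described in the text; the serial numbers, GUIDs, SIDs and timestamps are placeholders. With a hive parser, the same functions take the values read from the SYSTEM, NTUSER.DAT and SOFTWARE hives.

```python
"""Tie a USB storage device to drive letters, volume GUIDs and the user who mounted it.

Added example, not from the slides. All data is constructed (hypothetical device,
GUIDs, SIDs and times) to mirror the layouts of USBSTOR subkey names, MountedDevices
value data, MountPoints2 subkeys and an EMDMgmt subkey name.
"""

USBSTOR_FIELDS = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
USB_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # disk class GUID in device strings


def parse_usbstor_key(name):
    """'Disk&Ven_X&Prod_Y&Rev_Z' (a USBSTOR subkey name) -> field dict."""
    parts = name.split("&")
    out = {"type": parts[0]}
    for p in parts[1:]:
        key, _, value = p.partition("_")
        out[USBSTOR_FIELDS.get(key, key)] = value
    return out


def serial_is_windows_generated(instance_id):
    """True when the device reported no serial and Windows made one up:
    such IDs have '&' as their second character and are not unique across hosts."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def decode_mounted_device(data):
    """Decode the binary data of one MountedDevices value."""
    if len(data) == 12:                       # MBR disk: signature + partition offset
        return {"kind": "mbr_disk",
                "signature": f"{int.from_bytes(data[:4], 'little'):08X}",
                "partition_offset": int.from_bytes(data[4:], "little")}
    if data.startswith(b"DMIO:ID:"):          # GPT partition: 'DMIO:ID:' + partition GUID bytes
        return {"kind": "gpt_partition", "guid_bytes": data[8:].hex()}
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    if "USBSTOR#" in text:                    # _??_USBSTOR#<descriptor>#<instance id>#{class guid}
        descriptor, instance_id = text.split("USBSTOR#", 1)[1].split("#")[:2]
        return {"kind": "usbstor", "descriptor": descriptor, "instance_id": instance_id}
    return {"kind": "other", "text": text}


def usb_volumes(mounted_devices):
    """Group MountedDevices by USB instance id: which drive letters and volume GUIDs it had."""
    out = {}
    for name, data in mounted_devices.items():
        dev = decode_mounted_device(data)
        if dev["kind"] != "usbstor":
            continue
        rec = out.setdefault(dev["instance_id"],
                             {"device": parse_usbstor_key(dev["descriptor"]),
                              "generated_serial": serial_is_windows_generated(dev["instance_id"]),
                              "letters": [], "volume_guids": []})
        if name.startswith("\\DosDevices\\"):
            rec["letters"].append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume"):
            rec["volume_guids"].append(name[len("\\??\\Volume"):])  # '{guid}', as MountPoints2 names it
    return out


def who_mounted(volume_guid, mountpoints2_by_user):
    """Users whose NTUSER.DAT has a MountPoints2\\{guid} subkey, with that key's last-write time."""
    return sorted((sid, keys[volume_guid]) for sid, keys in mountpoints2_by_user.items()
                  if volume_guid in keys)


def emdmgmt_volume_serial(subkey_name):
    """EMDMgmt subkeys end in _<label>_<volume serial in decimal>; return it as 'XXXX-XXXX'."""
    serial = int(subkey_name.rsplit("_", 1)[1])
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


# ---- constructed sample data (not from a real system) ----
INSTANCE_ID = "001CC0EC34C5BB4168EE0E4B&0"
DEVICE_STRING = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#"
                 + INSTANCE_ID + "#" + USB_CLASS_GUID)
VOLUME_GUID = "{a1f0c2d3-1111-2222-3333-444455556666}"
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": (0xD4C3B2A1).to_bytes(4, "little") + (0x100000).to_bytes(8, "little"),
    "\\DosDevices\\E:": DEVICE_STRING.encode("utf-16-le"),
    "\\??\\Volume" + VOLUME_GUID: DEVICE_STRING.encode("utf-16-le"),
}
SAMPLE_MOUNTPOINTS2 = {  # SID -> {MountPoints2 subkey: key last-write time as read from the hive}
    "S-1-5-21-1004336348-1177238915-682003330-1003": {VOLUME_GUID: "2013-05-02 14:01:33Z"},
    "S-1-5-21-1004336348-1177238915-682003330-1004": {},
}
SAMPLE_EMDMGMT_KEY = DEVICE_STRING + "KINGSTON_1234567890"

if __name__ == "__main__":
    for instance_id, rec in usb_volumes(SAMPLE_MOUNTED_DEVICES).items():
        print(instance_id, rec)
        for guid in rec["volume_guids"]:
            print("  mounted by:", who_mounted(guid, SAMPLE_MOUNTPOINTS2))
    print("volume serial:", emdmgmt_volume_serial(SAMPLE_EMDMGMT_KEY))
```

The chain is only as strong as its weakest link: when generated_serial is True the same instance ID on another machine proves nothing, and the drive letter under \DosDevices can be reused by a later device, so the volume GUID, not the letter, is what joins MountedDevices to MountPoints2.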
• 23. Volume serial number
The EMDMgmt key (ReadyBoost's external memory device manager) lets us recover the volume serial number of the file system on the USB device: its subkeys are named after the device instance string followed by the volume label and the volume serial number in decimal, which must be converted to hexadecimal to match the XXXX-XXXX form shown by dir or vol. Knowing both the volume serial number and the volume name, we can correlate the device with shortcut (LNK) file analysis and with the RecentDocs key: a shortcut file stores the volume serial number and volume name of the drive its target lived on, and RecentDocs in most cases holds the volume name when the USB device is opened via Explorer. Caveat: EMDMgmt is populated only when ReadyBoost evaluated the device, so it may be missing on systems whose boot drive is an SSD, where ReadyBoost is disabled.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt

Internet Explorer
Internet Explorer stores its data under one key whose three subkeys hold most of the useful information.
HKCU\Software\Microsoft\Internet Explorer
The first subkey, Main, holds the user's Internet Explorer settings: search bars, start page, form settings and so on. One value here, "FormSuggest PW Ask", relates to the next section on Windows passwords. If it is "yes", the AutoComplete password feature is enabled and the browser offers to save passwords; if the user has unchecked the box so that passwords are never remembered, it is "no" and no passwords are saved. Saved passwords go to the SPW (saved passwords) key discussed in the next section.
HKCU\Software\Microsoft\Internet Explorer\Main
The next location holds the URLs the user typed into the browser's address bar (values url1, url2, ...).
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
If the user clears the history from the Internet Options window, the TypedURLs key is deleted entirely and is not recreated until a URL is typed into the address bar again.
• 25. HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Windows passwords
As stated above, if "FormSuggest PW Ask" under the Internet Explorer\Main key is "yes" and the user tells the browser to remember a password when prompted, the Internet Explorer AutoComplete password is stored in the following key:
HKCU\Software\Microsoft\Internet Explorer\IntelliForms\SPW
If "FormSuggest PW Ask" is "yes" but the user chooses NOT to remember the password, Internet Explorer still records an entry for that site so that it knows not to prompt again. The stored credentials cover Internet Explorer protected sites, MSN Explorer, AutoComplete and Outlook passwords. Passwords in either key are encrypted by the operating system. They are stored under the Protected Storage key:
HKCU\Software\Microsoft\Protected Storage System Provider
Caveat: Protected Storage is an Internet Explorer 6 / Windows XP location. From Internet Explorer 7 onward, AutoComplete credentials live under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2, encrypted with DPAPI using the site URL as additional entropy, so they can be decrypted only for URLs recovered from the browsing history.
• 26. MSN Messenger / Windows Live Messenger
Windows Messenger, MSN Messenger and Windows Live Messenger (the successor to MSN Messenger) generally use one of the following keys:
HKEY_CURRENT_USER\Software\Microsoft\MessengerService
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService
HKLM\Software\Microsoft\MessengerService\Session Manager\Apps

Application Compatibility Cache
The Windows application compatibility cache (ShimCache) is used by Windows to spot executables that may need compatibility fixes. It tracks the executable's path, file size, last-modified time and, on Windows XP, a last update time.
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility (Windows XP)
HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache (Windows 7)
Executables run on the system can be found in this key, so it can be used to identify the systems on which a specific piece of malware executed; with the time data correctly interpreted, the last time of execution or activity may also be determined. Caveat: the cache is kept in memory and written to the registry at shutdown, so an offline hive lags the running system, and the per-entry timestamp is the file's last-modified time, not the time it ran.
  Windows XP: at most 96 entries; the Last Update Time is updated when the file is executed.
  Windows 7: at most 1024 entries; there is no Last Update Time field.
• 27. HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatCache

ShellBags
ShellBags record the user's Windows Explorer view preferences per folder (window size, view mode, sort order). Because a bag is created when a folder is viewed, they show that activity occurred in a folder, and in some cases which files the folder contained, even for folders on removable media or network shares that no longer exist.
HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCR\Local Settings\Software\Microsoft\Windows\Shell\Bags
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
HKU\S-…\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKU\S-…\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Interpretation: these keys store which folders the user browsed most recently. BagMRU holds the folder hierarchy and Bags the view settings for each folder. On Windows 7 and later they live in the user's UsrClass.dat hive (HKCU\Software\Classes, mirrored under HKCR); Windows XP keeps them in NTUSER.DAT under HKCU\Software\Microsoft\Windows\Shell and ShellNoRoam.
HKCR\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
• 29. HKU\S-…\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

Network history
These keys identify the networks, wired or wireless, the computer has connected to: the domain or intranet name, the SSID, the gateway MAC address and the network card details.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
Network List
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\DefaultMediaCost (Windows 8)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\NewNetworks
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Wireless
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
Interpretation:
  Identifying the intranets and networks a computer has connected to is incredibly important.
  Besides the intranet name (ProfileName), we get the last time the network was connected: the DateLastConnected value of the profile, and the last-write time of the profile key. NameType tells the connection type apart (0x06 wired, 0x47 wireless, 0x17 broadband).
  Networks connected to via VPN are listed as well.
  The gateway MAC address (DefaultGatewayMac under Signatures, linked to the profile by ProfileGuid) can be looked up in wireless geolocation databases to place the network physically.
• 31. HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles (details of each network profile, including Wi-Fi hotspots)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Managed
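The following is an added example (not code from the slides) that decodes the network artefacts from slides 18, 19, 29 and 31 together: the SSID inside an XP WZCSVC Static#NNNN value, the DHCP lease time under Tcpip\Parameters\Interfaces, and the Windows 7/8 NetworkList Profiles joined to their Signatures\Unmanaged entries by ProfileGuid. All blobs and key contents are constructed to follow the value layouts named in the text; the SSIDs, GUIDs, MAC addresses and signature hashes are placeholders.

```python
"""Decode network-history artefacts: XP WZC SSIDs, DHCP lease times and
Windows 7/8 NetworkList profile/signature pairs.

Added example; not part of the slides. The data below is constructed to follow
these layouts:
  - WZCSVC Static#NNNN: WZC_WLAN_CONFIG, SSID length at 0x10, SSID bytes at 0x14
  - Tcpip LeaseObtainedTime: REG_DWORD seconds since 1970-01-01 UTC
  - NetworkList Profiles\\{guid}\\DateLastConnected: 16-byte SYSTEMTIME, local time
  - NetworkList Signatures\\Unmanaged\\<hash>\\DefaultGatewayMac: 6 raw bytes
"""
import struct
from datetime import datetime, timezone

NAME_TYPES = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}


def wzc_ssid(static_blob):
    """SSID from a WZCSVC Static#NNNN value (WZC_WLAN_CONFIG layout)."""
    length = int.from_bytes(static_blob[0x10:0x14], "little")
    return static_blob[0x14:0x14 + length].decode("utf-8", errors="replace")


def lease_time(dword):
    """LeaseObtainedTime / LeaseTerminatesTime: Unix epoch seconds, UTC."""
    return datetime.fromtimestamp(dword, tz=timezone.utc)


def systemtime(blob):
    """16-byte SYSTEMTIME -> naive datetime (NetworkList stores local time)."""
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def mac(blob):
    """6 raw bytes -> 'AA:BB:CC:DD:EE:FF'."""
    return ":".join(f"{b:02X}" for b in blob)


def network_history(profiles, unmanaged_signatures):
    """Join Profiles\\{guid} with the Signatures\\Unmanaged entry whose ProfileGuid names it,
    newest connection first."""
    sig_by_profile = {s["ProfileGuid"]: s for s in unmanaged_signatures.values()}
    rows = []
    for guid, p in profiles.items():
        sig = sig_by_profile.get(guid, {})
        rows.append({
            "profile": p["ProfileName"],
            "type": NAME_TYPES.get(p["NameType"], f"0x{p['NameType']:02x}"),
            "ssid": sig.get("FirstNetwork"),
            "gateway_mac": mac(sig["DefaultGatewayMac"]) if "DefaultGatewayMac" in sig else None,
            "dns_suffix": sig.get("DnsSuffix"),
            "last_connected": systemtime(p["DateLastConnected"]).isoformat(sep=" "),
        })
    return sorted(rows, key=lambda r: r["last_connected"], reverse=True)


# ---- constructed sample data (not from a real system) ----
def _wzc_blob(ssid):
    """Build a Static#NNNN-shaped blob: 0x10 header bytes, length, 32-byte SSID field, tail."""
    return bytes(0x10) + len(ssid).to_bytes(4, "little") + ssid.ljust(32, b"\x00") + bytes(16)

SAMPLE_STATIC = {"Static#0000": _wzc_blob(b"CoffeeShop-Guest"), "Static#0001": _wzc_blob(b"HomeNet")}
SAMPLE_LEASE_OBTAINED = 1367502910  # 2013-05-02 13:55:10 UTC

WIFI_GUID = "{11111111-2222-3333-4444-555555555555}"
LAN_GUID = "{66666666-7777-8888-9999-000000000000}"
SAMPLE_PROFILES = {
    WIFI_GUID: {"ProfileName": "CoffeeShop-Guest", "NameType": 0x47,
                "DateLastConnected": struct.pack("<8H", 2013, 5, 4, 2, 14, 1, 33, 0)},
    LAN_GUID: {"ProfileName": "corp.example", "NameType": 0x06,
               "DateLastConnected": struct.pack("<8H", 2013, 4, 1, 29, 9, 12, 5, 0)},
}
SAMPLE_UNMANAGED = {  # real subkey names are hashes; these are placeholders
    "010103000F0000F0080000000F0000F0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA":
        {"ProfileGuid": WIFI_GUID, "FirstNetwork": "CoffeeShop-Guest", "DnsSuffix": "<none>",
         "DefaultGatewayMac": bytes.fromhex("001D7E3A2B1C")},
    "010103000F0000F0080000000F0000F0BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB":
        {"ProfileGuid": LAN_GUID, "FirstNetwork": "corp.example", "DnsSuffix": "corp.example",
         "DefaultGatewayMac": bytes.fromhex("0050568A1F02")},
}

if __name__ == "__main__":
    print([wzc_ssid(b) for b in SAMPLE_STATIC.values()])
    print("lease obtained:", lease_time(SAMPLE_LEASE_OBTAINED))
    for row in network_history(SAMPLE_PROFILES, SAMPLE_UNMANAGED):
        print(row)
```

Note the two timestamp conventions: the lease time is UTC, while DateLastConnected is the machine's local time at the moment of connection, so the examiner must apply the time zone recorded in the SYSTEM hive before placing both on one timeline.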
• 32. HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

Shared files on the LAN or network
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Shares
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Shares\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Each value under Shares is named after a share and holds a REG_MULTI_SZ describing it (Path, Type, Remark, MaxUses, Permissions, CSCFlags); Shares\Security holds the share-level security descriptors.

Thank you very much for your time.
Contact details: Himanshu D. Patel, hpatel0734@gmail.com