4. Registry hives are a standard format
Can be examined with numerous tools
(e.g. RegistryBrowser, Registry Viewer, etc.)
Location of important registry hives:
▪ Users\user_name\NTUSER.DAT
▪ Windows\System32\config\DEFAULT
▪ Windows\System32\config\SAM
▪ Windows\System32\config\SECURITY
▪ Windows\System32\config\SOFTWARE
▪ Windows\System32\config\SYSTEM
5. Emails & contacts are stored in .EML format
Can be analysed by a number of tools
Stored in the following directory:
Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps...\LocalState
6. IE history is no longer stored in Index.dat files
IE history records stored in the following file:
Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
▪ This is actually an .edb file
▪ Can be interpreted by EseDbViewer or ESEDatabaseView
7. Unified Communication (UC) is a built-in Microsoft application that brings together all of the following social media platforms (by default):
▪ Facebook
▪ Flickr
▪ Google
▪ LinkedIn
▪ MySpace
▪ Sina Weibo
▪ Twitter
▪ Outlook
▪ Messenger
▪ Hotmail
▪ Skype
▪ Yahoo!
▪ QQ
▪ AOL
▪ Yahoo! JAPAN
▪ Orange
UC settings are stored in the following DB:
Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\livecomm.edb
Locally cached entries (e.g. Email or Twitter messages) are stored in this directory:
Users\user_name\AppData\Local\Packages\microsoft.windowscommunicationsapps…\LocalState\Indexed\LiveComm
8. 3rd-party applications are stored in the following directory:
Program Files\WindowsApps
Settings and configuration DBs are located in the following directory:
Users\user_name\AppData\Local\Packages\package_name\LocalState
Two DB formats:
▪ SQLite DBs
▪ Jet DBs (.edb)
Registry key of installed applications:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Applications
9. “Picture Password” is an alternate login method where gestures on top of a picture are used as a password
This registry key details the path to the location of the “Picture Password” file:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\PicturePassword\user_GUID
Path of locally stored Picture Password file:
C:\ProgramData\Microsoft\Windows\SystemData\user_GUID\ReadOnly\PicturePassword\background.png
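The artifact locations in points 4 to 9 above, turned into a triage script that walks a mounted image and records which of them are present, with size and SHA-256 for the evidence log. This is an added example, not code from the original slides; it assumes the image is mounted read-only at a local path, uses "*" in place of user_name, package_name, user_GUID and the elided part of the communications-app package name, and ships a constructed temp-directory stand-in for the image so it can run offline.

```python
import hashlib
import pathlib
import tempfile

# Artifact locations from this page (Windows 8), relative to the mounted image root.
# "*" stands in for user_name, package_name, user_GUID and the elided package-name tail.
ARTIFACT_PATTERNS = {
    "hive:NTUSER": "Users/*/NTUSER.DAT",
    "hive:DEFAULT": "Windows/System32/config/DEFAULT",
    "hive:SAM": "Windows/System32/config/SAM",
    "hive:SECURITY": "Windows/System32/config/SECURITY",
    "hive:SOFTWARE": "Windows/System32/config/SOFTWARE",
    "hive:SYSTEM": "Windows/System32/config/SYSTEM",
    "ie:webcache": "Users/*/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat",
    "uc:livecomm": "Users/*/AppData/Local/Packages/microsoft.windowscommunicationsapps*/LocalState/livecomm.edb",
    "uc:cache": "Users/*/AppData/Local/Packages/microsoft.windowscommunicationsapps*/LocalState/Indexed/LiveComm",
    "store:apps": "Program Files/WindowsApps",
    "store:appdata": "Users/*/AppData/Local/Packages/*/LocalState",
    "pp:background": "ProgramData/Microsoft/Windows/SystemData/*/ReadOnly/PicturePassword/background.png",
}

def find_artifacts(image_root):
    """Return (label, relative path, size, sha256) for each artifact present;
    directories get size and hash None. Globbing follows the host filesystem's
    case rules, so a case-sensitive mount needs the casing shown above."""
    root = pathlib.Path(image_root)
    found = []
    for label, pattern in ARTIFACT_PATTERNS.items():
        for p in sorted(root.glob(pattern)):
            rel = p.relative_to(root).as_posix()
            if p.is_file():
                # Hash for the evidence log; read in chunks instead for multi-GB hives.
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
                found.append((label, rel, p.stat().st_size, digest))
            else:
                found.append((label, rel, None, None))
    return found

def build_demo_image():
    """Constructed stand-in for a mounted image: a temp dir holding dummy files
    (placeholder bytes, not real hive or ESE data) at three of the paths."""
    root = pathlib.Path(tempfile.mkdtemp())
    pkg = "Users/alice/AppData/Local/Packages/microsoft.windowscommunicationsapps_demo/LocalState"
    for rel, data in [("Users/alice/NTUSER.DAT", b"regf"),
                      ("Windows/System32/config/SAM", b"regf-sam"),
                      (pkg + "/livecomm.edb", b"edb")]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root
```

Run `find_artifacts("/mnt/image")` against a real read-only mount; the demo image only exercises the path matching.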