Note: Page numbers followed by “f” indicate figures, “t” indicate tables and “b” indicate boxes.
Advanced persistent threats (APT), 51
“a00001ds” key contents, 126f
ProgramID key contents, 127f
Volume GUID key contents, 125f
amcache.py Python script, 51
Application compatibility assistant, 147–148
Application programming interface (API), 18–19, 153
Artifact categories, 62–63
Audit policy
via Local Security Settings, 66f
on Windows 7 Ultimate system, 68f
Image File Execution Options key, 111–113
Browser Helper Objects (BHOs), 109, 117
Class identifier (CLSID), 145
ClearPagefileAtShutdown, 77–78
Comma-separated values (CSV), 185
Command line interface (CLI), 172b
Core analysis concepts,
Locard’s exchange principle, 4–6
CurrentControlSet key, 75–77
CWDIllegalInDllSearch values, 112b
“Dead box” analysis, 37, 59
Deleted keys and values, 57–59
Device class identifier, 91
Dynamic link library (DLL), 5b, 110
Dynamically linked library (DLL), 178
Early launch anti-malware (ELAM), 20
End user license agreement (EULA), 139
File access
Microsoft Office File/Place MRUs, 156–157
File system settings, 80–81
File system tunneling,
File transfer protocol (FTP), 172–173
deleted keys and values, 57–59
amcache.py Python script, 51
Python-based ShimCacheParser, 50
viewing registry hives, 39–49
Forensics Assist key, 141
Globally unique identifiers (GUIDs), 44, 141, 191
Graphical user interface (GUI), 15, 140, 178
Greenwich Mean Time (GMT), 145b
High Tech Crime Investigation Association (HTCIA), 168–169
HKEY_CLASSES_ROOT key, 22–23
HKEY_CURRENT_USER hive, 22
HKEY_CURRENT_USER SessionInformation key, 22
HKEY_LOCAL_MACHINE\Hardware key, 22
HKEY_LOCAL_MACHINE\System hive, 22
Image File Execution Options key, 111–113
initialization files (.ini files), 15
Internet Explorer (IE), 160
Knowledge Base (KB), , 65, 136
Least frequency of occurrence (LFO), 6–8
Local Security Policy, 65–66
Locard’s exchange principle, 4–6
Mapping devices to drive letters, 92
MountedDevices key, 93, 93f
usbstor.pl RegRipper plugin, 94
VolumeClassGUID keys, 97f
Master boot record (MBR), 94–95
Medium access control (MAC), 5–6
Microsoft Developer Network (MSDN), 124b
Microsoft Malware Protection Center (MMPC), 109
Microsoft Office File/Place MRUs, 156–157
Most recently used list (MRU list), 132–133
Mutex,
networkcards.pl plugin, 104
networklist.pl plugin, 108
Microsoft Office File/Place MRUs, 156–157
application compatibility assistant, 147–148
“Paint\Recent File List” key, 138f
remote desktop tools, 149b
versions of Windows, 142b
Vigenere encryption, 143b
Windows 7 UserAssist key, 142f
system configuration information, 133
writing to Registry, 160b
Object-oriented interface (OO interface), 27
OphCrack applications, 75
“Paint\Recent File List” key, 138f
Parse::Win32Registry, 57–58
amcache.py Python script, 51
Python-based ShimCacheParser, 50
Partial WRR user interface, 43f
Plug-and-Play (PnP), 90–91
Portable executable (PE), 28
Prefetching,
changing user’s profile type, 103f, 103b
contents of ProfileList subkey, 102f
Program compatibility assistant (PCA), 147
Python-based ShimCacheParser, 50
exported hive loaded in, 42f
Regional Computer Forensics Group (RCFG), 168–169
Registry
values and system behavior, 3b
Viewer interface, 46, 47f
Registry analysis
core analysis concepts, 4–15
least frequency of occurrence, 6–8
Registry key(s)
structure with node ID and LastWrite time, 31f
“superparser” for Windows Registry, 177–178
Relative identifier (RID), 69–70
Remote access Trojan (RAT), , 59, 82
Remote desktop tools, 149b
Right-to-left override (RLO), 52–53, 89
cracking user passwords, 74–75
disappearing user account, 73b
SANS Investigative Forensic Toolkit (SIFT), 178–179
Audit policy
via Local Security Settings, 66f
on Windows 7 Ultimate system, 68f
Security identifiers (SIDs), 64–65
nested Registry keys, 172
RegRipper shellbags.pl plugin, 174
Windows 10 shellbags artifacts, 171f
Shiny object syndrome, 10
soft_run.pl RegRipper plugin, 110
Image File Execution Options key, 111–113
system configuration information, 100
System configuration information, 77, 133
ClearPagefileAtShutdown, 77–78
excerpt of network interface values, 79f
file system settings, 80–81
current RegRipper plugins, 76b
CurrentControlSet, 75–77
system configuration information, 77
ClearPagefileAtShutdown, 77–78
excerpt of network interface values, 79f
file system settings, 80–81
mapping devices to drive letters, 92–98
Universal Coordinated Time (UTC), 67
mapping devices to drive letters, 92–98
usbstor.pl RegRipper plugin, 92b
User activity
writing to Registry, 160b
User hives
system configuration information, 133
User passwords, cracking, 74–75
RegRipper userassist.pl plugin, 144
userassist.pl RegRipper plugin, 142
Vigenere encryption, 143b
Virtual machine (VM), 20b
Volatility plugins, 59–60
Volume Shadow Copies (VSCs), 56
Event Logs,
Media Player File menu item, 18f
Windows 10
shellbags artifacts, 171f
examples,
information in registry,
instructions and KB articles, 15–16
Windows Media Player File menu item, 18f
settings,
registry hives and searches, 26b
registry key cells, 30–32
registry value cells, 32–34
values and system behavior, 3b
Windows Registry Recovery (WRR), 41–46
partial WRR user interface, 43f
windows installation info available via, 44f
emergency incident response, 83b–84b
Enum\Root\LEGACY_* keys, 85f
Windows XP
LastVisitedMRU value, 156f
Recent Documents menu listing, 151f
Search Assistant to ACMRu subkey mappings, 162f
Windows\system32\config folder, 19–20
Wireless access point (WAP), 5–6, 104
Wireless connections, 104
connection properties, 105f
Managed and Unmanaged subkeys, 107
networklist.pl plugin, 108
wireless interface profile keys, 106f
wireless interface values, 107f