Index
Note: Page numbers followed by “f” indicate figures, “t” indicate tables and “b” indicate boxes.
Admin cleanup, 139b
Adobe Reader, 158–159
Advanced persistent threats (APT), 51
AmCache hive, 123
“a00001ds” key contents, 126f
files key, 127–128
files value data, 128f
hashing tool, 126
primary interest, 124
ProgramID key contents, 127f
SHA-1 hash, 126b
Volume GUID key contents, 125f
on Windows 8, 129b
AmCache.hve, 20b
amcache.py Python script, 51
Antivirus (AV), 146
AppCompatFlags key, 119–121
AppInit_DLLs value, 114
Applets, 137–139
user’s applets key, 138f
Application compatibility assistant, 147–148
APT, See Advanced persistent threats (APT)
Artifact categories, 62–63
Audio devices, 123
Audit policy
auditpol.exe, 66
“auto_rip”, 188–189
Autorunsc.exe, 49b
AutoStart, 81
NTUSER.DAT, 134
“legacy” Run keys, 136–137
new values correlation, 134b–135b
Run key, 134–136
RunOnce key, 136
temporal proximity, 136b
software hive, 109
AppCompatFlags key, 119–121
AppInit_DLLs value, 114
BHOs, 117
Image File Execution Options key, 111–113
Notify key, 110–111
Run key, 109–110
shell extensions, 114–117
USRCLASS.DAT, 165–166
Windows Services, 81–87
AV, See Antivirus (AV)
BagMRU key, 170
BHOs, See Browser Helper Objects (BHOs)
Big data, 46
Binary Foray, 28b
Cain & Abel, 74–75
Cain.exe, 146
CentralProfile value, 102–103
Class identifier (CLSID), 145
ClearPagefileAtShutdown, 77–78
CLI, See Command line interface (CLI)
CLSID, See Class identifier (CLSID)
ComDlg32 key, 153
historical data, 156b
MS Paint, 155f
OpenSaveMRU, 153–154
OpenSavePidMRU, 154–156
Windows Vista, 154f
Comma-separated values (CSV), 185
Command line interface (CLI), 172b
Command line tools, 140b–141b
Core analysis concepts, 4
Locard’s exchange principle, 4–6
CSV, See Comma-separated values (CSV)
Current-ControlSet key, 75–77
“Cut-and-paste” approach, 185–186
CWDIllegalInDllSearch values, 112b
Data sources, 159b
Data structures, 33b
DateCreated values, 107
DateLastConnected values, 107–108
“Debugger” value, 112
Deleted keys and values, 57–59
Device class identifier, 91
Differencing, 56–57
Documentation, 11–12
DWORD, 24–25
Dynamically linked library (DLL), 178
Early launch anti-malware (ELAM), 20
End user license agreement (EULA), 139
Event Log records, 7–8
Explorer Tasks, 41–42
F-Response, 37
File access
NTUSER.DAT, 150
Adobe Reader, 158–159
application uses, 152b–153b
ComDlg32, 153–156
data sources, 159b
LiveID accounts, 157b
Microsoft Office File/Place MRUs, 156–157
Microsoft Word, 158b
Photos, 169–170
RecentDocs, 150–153
TrustRecords, 157–158
USRCLASS.DAT, 169
File associations, 164–165
File system settings, 80–81
File system tunneling, 2
File transfer protocol (FTP), 172–173
fileless.pl plugin, 89
Flags, 33
Forensic analysis, 39
deleted keys and values, 57–59
differencing, 56–57
memory, 59–60
parsers, 49
amcache.py Python script, 51
parsing tools, 50–52
pros and cons, 52
Python-based ShimCacheParser, 50
RegRipper, 52–53
Shellbags, 51
UserAssist data, 50
timeline analysis, 53
viewing registry hives, 39–49
Forensics Assist key, 141
FTP, See File transfer protocol (FTP)
GMT, See Greenwich Mean Time (GMT)
Greenwich Mean Time (GMT), 145b
GUI, See Graphical user interface (GUI)
GUIDs, See Globally unique identifiers (GUIDs)
handle.exe, 6–7
High Tech Crime Investigation Association (HTCIA), 168–169
HKEY_CLASSES_ROOT key, 22–23
HKEY_CURRENT_USER hive, 22
HKEY_CURRENT_USER SessionInformation key, 22
HKEY_LOCAL_MACHINE/Hardware key, 22
HKEY_LOCAL_MACHINESystem hive, 22
Identifier (ID), 91
IE, See Internet Explorer (IE)
Image File Execution Options key, 111–113
initialization files (ini files), 15
Internet Explorer (IE), 160
KB, See Knowledge Base (KB)
KnownDLLs, 114–115
LastKey value, 139b
LastVisitedMRU, 155
Least frequency of occurrence (LFO), 6–8
legacy.pl plugin, 87b
“Legacy” Run keys, 136–137
LFO, See Least frequency of occurrence (LFO)
LiveID accounts, 157b
Load Hive, 40
Local Security Policy, 65–66
Locard’s exchange principle, 4–6
MAC, See Medium access control (MAC)
Mac platforms, 38
Magic number, 29
Software hive, 122–123
Mapping devices to drive letters, 92
DiskClassGUID keys, 96f
excerpt of values, 93f
ParentIdPrefix value, 97
portable devices, 95b–96b
TrueCrypt volume, 95f
Unicode, 94
USBStor key, 96–97
usbstor.pl RegRipper plugin, 94
VolumeClassGUID keys, 97f
Master boot record (MBR), 94–95
MBR, See Master boot record (MBR)
Medium access control (MAC), 5–6
Memory, 59–60
“Metro” desktop, 169
Microsoft Developer Network (MSDN), 124b
Microsoft Malware Protection Center (MMPC), 109
Microsoft Office File/Place MRUs, 156–157
Microsoft Word, 158b
MiTeC, 41
Most recently used list (MRU list), 132–133
mountdev.pl plugin, 94
MRU list, See Most recently used list (MRU list)
MS, See Microsoft (MS)
MSDN, See Microsoft Developer Network (MSDN)
MuiCache key, 169
Mutex, 6
networcards.pl plugin, 104
Network Cards, 104
Network interfaces, 78
networklist.pl plugin, 108
NoInstrumentation, 147b
Notify key, 110–111
“ntreg.h”, 27
See also
USRCLASS.DAT hive
AutoStart, 134
“legacy” Run keys, 136–137
new values correlation, 134b–135b
Run key, 134–136
RunOnce key, 136
temporal proximity, 136b
file access, 150
Adobe Reader, 158–159
application uses, 152b–153b
ComDlg32, 153–156
data sources, 159b
LiveID accounts, 157b
Microsoft Office File/Place MRUs, 156–157
Microsoft Word, 158b
RecentDocs, 150–153
TrustRecords, 157–158
file associations, 164–165
malware, 149–150
MRUList value, 133
program execution, 137
admin cleanup, 139b
applets, 137–139
application compatibility assistant, 147–148
command line tools, 140b–141b
LastKey value, 139b
“PaintRecent File List” key, 138f
remote desktop tools, 149b
Terminal Server Client, 148–149
user’s applets key, 138f
UserAssist key, 141–147
versions of Windows, 142b
Vigenere encryption, 143b
Windows 7 UserAssist key, 142f
system configuration information, 133
user activity, 159
Object-oriented interface (OO interface), 27
OpenSaveMRU, 153–154
OpenSavePidMRU key, 154–155
OphCrack applications, 75
P2P, See Peer-to-peer (P2P)
“PaintRecent File List” key, 138f
ParentIdPrefix key, 92
Parse::Win32 Registry, 57–58
Parsers, 49
amcache.py Python script, 51
parsing tools, 50–52
pros and cons, 52
Python-based ShimCacheParser, 50
RegRipper, 52–53
Shellbags, 51
UserAssist data, 50
Partial WRR user interface, 43f
PE, See Portable executable (PE)
Peer-to-peer (P2P), 17b
PGP, See Pretty Good Privacy (PGP)
Photos, 169–170
Plug-and-Play (PnP), 90–91
Plugin Browser, 60
Plugins, 181–185
PnP, See Plug-and-Play (PnP)
Portable devices, 95b–96b
Portable executable (PE), 28
Prefetch settings, 81
Prefetching, 3
Pretty Good Privacy (PGP), 154–155
ProDiscover, 38
ProfileList key, 101
Profiles, 182
Program compatibility assistant (PCA), 147
Program execution, 87–88
AppCompatCache, 88–89
PSExec tool, 140
Python-based ShimCacheParser, 50
RAT, See Remote access Trojan (RAT)
RCFG, See Regional Computer Forensics Group (RCFG)
RDP, See Remote desktop protocol (RDP)
RecentDocs, 150–153
Windows XP, 151f
Redirection, 133b
regdiff.exe, 57
RegEdit, 40–41
exported hive loaded in, 42f
regedit.exe, 145–146
Regional Computer Forensics Group (RCFG), 168–169
Registry
Registry analysis
AmCache.hve, 20b
challenges, 12–15
core analysis concepts, 4–15
documentation, 11–12
goals, 10–11
least frequency of occurrence, 6–8
leaving trace, 5b
malware, 14b
remnants, 9–10
Windows, 8–9
Registry key(s)
create our own profiles, 187–188
creating new plugins, 185–187
description, 180f
e-mail, 190–191
extending, 188–189
Perl source code, 178
plugins, 181–185
metadata, 190f
profiles, 182
software, 189
static tool, 183
“superparser” for Windows Registry, 177–178
UI, 183f
RegShot, 56
regtime.exe tool, 54
Relative identifier (RID), 69–70
Remnants, 9–10
Remote desktop tools, 149b
RID, See Relative identifier (RID)
rip, 184
rip.pl, 60
RLO, See Right-to-left override (RLO)
rlo.pl plugin, 89
Routes, 78–80
routes.pl plugin, 90
RunOnce key, 136
SAM hive, 69
cracking user passwords, 74–75
disappearing user account, 73b
password not required, 72b–73b
“UserPasswordHint”, 70
Windows 7, 70f
SANS Investigative Forensic Toolkit (SIFT), 178–179
Searches, 161–164
Windows XP Search, 161f
Security hive, 63
Audit policy
FTK Imager, 69
GSecDump tool, 64
PolAcDmS key, 65
for Windows 7, 66
on Windows XP, 67–69
Security identifiers (SIDs), 64–65
“ServiceDll”, 84–85
Shell extensions, 114–117
nested Registry keys, 172
Registry hives, 173
RegRipper shellbags.pl plugin, 174
Windows 10 shellbags artifacts, 171f
Shiny object syndrome, 10
SIDs, See Security identifiers (SIDs)
sizes.pl plugin, 90
sleep() function, 83b–84b
soft_run.pl RegRipper plugin, 110
Software hive, 98–99
AutoStart, 109
AppCompatFlags key, 119–121
AppInit_DLLs value, 114
BHOs, 117
Image File Execution Options key, 111–113
Notify key, 110–111
Run key, 109–110
shell extensions, 114–117
malware, 122–123
program execution, 121
redirection, 99b
system configuration information, 100
Solitaire game, 131
ssid.pl plugin, 105–106
Steganography, 168–169
Syscache.hve, 24
ClearPagefileAtShutdown, 77–78
excerpt of network interface values, 79f
file system settings, 80–81
network interfaces, 78
prefetch settings, 81
right system, 77b
routes, 78–80
software hive, 100
Network Cards, 104
NTUSER.DAT hive, 100b–101b
ProfileList, 101–103
Windows version, 100–101
wireless connections, 104–109
system name, 77
System hive, 75
AutoStart, 81
Windows Services, 81–87
current RegRipper plugins, 76b
Current-ControlSet, 75–77
malware, 89–90
program execution, 87–88
AppCompatCache, 88–89
via RegEdit, 76f
system configuration information, 77
System name, 77
“System32”, 172
Temporal fingerprint, 64
Temporal proximity, 136b
Terminal Server Client, 148–149
Terminal Services Client, 112–113
Time stomping, 87b
Timeline analysis, 53
TrustRecords, 157–158
TypedPaths, 159–160
TypedURLS, 160–161
Universal Coordinated Time (UTC), 67
usbstor.pl RegRipper plugin, 92b
User activity
NTUSER.DAT file, 159
Searches, 161–164
TypedPaths, 159–160
TypedURLS, 160–161
writing to Registry, 160b
User hives
NTUSER.DAT, 132
AutoStart, 134–137
file access, 150–159
file associations, 164–165
malware, 149–150
MRUList value, 133
program execution, 137–149
system configuration information, 133
user activity, 159–164
Registry hives, 131
USRCLASS.DAT, 165
User passwords, cracking, 74–75
user_run.pl, 136
UserAssist key, 141
binary data, 144
Cain.exe, 146
Count key values, 143f
NoInstrumentation, 147b
Registry values, 147
RegRipper userassist.pl plugin, 144
UserAssist data, 50
userassist.pl RegRipper plugin, 142
Vigenere encryption, 143b
Windows XP, 142f
See also
NTUSER.DAT hive
AutoStart, 165–166
file access, 169
Photos, 169–170
program execution, 166–169
shellbags, 170–174
UTC, See Universal Coordinated Time (UTC)
“Value type” element, 33
Virtual machine (VM), 20b
Vista systems, 163
VM, See Virtual machine (VM)
Volatility plugins, 59–60
Volume Shadow Copies (VSCs), 56
WAP, See Wireless access point (WAP)
Windows, 8–9
Windows 10
Windows 7, 23b
data, 23–24
examples, 2
information in registry, 2
instructions and KB articles, 15–16
location on disk, 19–23
purpose, 16–17
settings, 3
structure, 25
values and system behavior, 3b
Windows Registry Recovery (WRR), 41–46
Windows Services, 81–82
emergency incident response, 83b–84b
EnumRootLEGACY_∗ keys, 85f
legacy.pl plugin, 87b
LEGACY_∗ entry, 87
LEGACY_∗ keys, 86
RegRipper, 83
“ServiceDll”, 84–85
side effect, 85
“time stomping”, 87b
on Windows systems, 82
services on, 82
Windows XP
LastVisitedMRU value, 156f
Recent Documents menu listing, 151f
Search, 161f
Search Assistant to ACMRu subkey mappings, 162f
UserAssist key, 142f
WinReg.txt, 27
Wireless connections, 104
connection properties, 105f
MAC address, 108–109
Managed and Unmanaged subkeys, 107
networklist.pl plugin, 108
by Windows, 105–106
wireless interface profile keys, 106f
wireless interface values, 107f
Wireless interface, 105–106
WordWheelQuery key, 163
WRR, See Windows Registry Recovery (WRR)
XPMode, 23b
ZBot infection, 111b
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.