Explore techniques for mining valuable data from the Windows Registry in this 50-minute conference talk from Louisville Infosec 2014. Delve into registry terminology, primary hives, and the progression of the registry structure. Learn methods for extracting information from both offline hives and live systems. Discover how to uncover executed programs through UserAssist, MuiCache, and AppCompatCache analysis. Investigate file access history using RecentDocs, ComDlg32, and Office 2013 artifacts. Examine the significance of Shellbags in forensic investigations. Address anti-forensics tools like Privazer and CCleaner, and explore countermeasures such as timestomping detection. Gain practical insights into Windows Registry forensics for enhancing your information security skillset.
Overview
Syllabus
Intro
The Windows Registry
Registry Terminology
Primary Hives Comprising the Registry
Progression of the Registry
Extracting from Offline Hives
Extracting from Live System
Interesting Data Stored in the Registry
What programs have been executed?
Executed Programs: UserAssist
Parsing User Assist
Executed Programs: MuiCache
Executed Programs: AppCompatCache
What Files Have Been Accessed?
Accessed Files: RecentDocs
Accessed Files: ComDlg32
Accessed Files: Office 2013
Shellbags
Anti-Forensics/Cleaning Tools
Privazer Shellbag Cleaner
Effects of CCleaner/Privazer
Anti-Anti Forensics
Timestomping Registry Keys
Combating timestomped registry keys
Questions
