Overview
Explore registry forensics techniques for investigating malware in this 44-minute conference talk from Louisville Infosec 2017. Delve into the Windows Registry's structure, terminology, and primary hives. Learn how registry analysis can aid in malware detection through examination of MuiCache, AppCompatCache, Amcache.hve, UserAssist, and Recent Apps. Discover persistence mechanisms and advanced techniques such as Unicode right-to-left override (RLO) character manipulation and the analysis of unusually large registry values. Investigate Shellbags and user activity for a comprehensive understanding of malware behavior and system interactions.
Syllabus
Intro
Outline
Why the Registry?
The Windows Registry
Progression of the Registry
Registry Terminology
Primary Hives Comprising the Registry
What can Registry Analysis Help Answer?
Detection: MuiCache
Detection: AppCompatCache
AppCompatCache Volatility Plugin
Detection: Amcache.hve
Amcache.hve Data
Detection: UserAssist
Detection: Recent Apps
Persistence
More Fun: Unicode RLO Character
More Fun: Large Registry Values
Investigation: Shellbags
Investigation: Activity
Conclusion