MindMap - Forensics Windows Registry Cheat Sheet

Windows Registry

Hives (registry key -> hive file on disk)
  HKEY_LOCAL_MACHINE\SAM       -> SAM
  HKEY_LOCAL_MACHINE\Security  -> SECURITY
  HKEY_LOCAL_MACHINE\System    -> SYSTEM
  HKEY_LOCAL_MACHINE\Software  -> SOFTWARE
  HKEY_USERS                   -> NTUSER.DAT

Tools
  RegRipper
  Yaru (recovers deleted keys and values)

Location
  %WinDir%\System32\Config
    SAM
    SECURITY
    SYSTEM
    SOFTWARE
    DEFAULT
  NTUSER.dat
    (XP)                 \Documents and Settings\<username>\NTUSER.dat
    (Vista, Win7 and 8)  \Users\<username>\NTUSER.dat
  USRCLASS.dat
    (Vista, Win7 and 8)  \Users\<username>\NTUSER.dat
Evidence

NTUSER.DAT
  XP Search History
    Software\Microsoft\Search Assistant\ACMru
      5001  Search the Internet
      5603  All or part of the file name
      5604  A word or phrase in a file
      5647  Computers or people
  Recent Docs
    Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  Office Recent Docs
    Software\Microsoft\Office\<version>\<application>\File MRU
      version: 10, 11, 12, 14
      application: Word, Excel, PowerPoint
  Dialog Boxes
    LastVisited (last path of the file opened and the executable used)
      Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
      Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
    OpenAndSave (Save File and Open File dialog boxes)
      Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
      Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
  Commands Executed
    Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    Software\Microsoft\Windows\CurrentVersion\Explorer\Policies\RunMRU
  Program Executed
    Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
      value names are ROT-13 encoded
      each value records the last run time and the run count
      UEME_ prefixes: RUNPATH, RUNCPL, RUNPIDL, UIQCUT, UISCUT, UITOOLBAR
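Decoding a UserAssist entry means two things: undoing the ROT-13 on the value name, and pulling the run count and last-run FILETIME out of the binary value data. The following Python is an added example, not code from the cheat sheet or from RegRipper; the two sample entries are constructed, and the 16-byte (XP/2003) and 72-byte (Windows 7 and later) data layouts it assumes are the publicly documented ones (XP stores its run count starting at 5, Windows 7 keeps the count at offset 4 and the FILETIME at offset 60).

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (None for 0 = never run)."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using exact integer arithmetic."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist(value_name, data):
    """Decode one value from UserAssist\\{GUID}\\Count.

    Assumed data layouts (public documentation, not taken from the page):
      16 bytes (XP/2003): session id (4), run count (4), last run FILETIME (8);
                          the stored count starts at 5, so real runs = stored - 5.
      72 bytes (Win7+):   run count at offset 4, last run FILETIME at offset 60.
    """
    name = codecs.decode(value_name, "rot_13")      # value names are ROT-13 encoded
    prefix, _, target = name.partition(":")         # e.g. UEME_RUNPATH : C:\...\calc.exe
    if len(data) == 16:
        _session, stored_count, ft = struct.unpack("<IIQ", data)
        run_count = max(stored_count - 5, 0)
    elif len(data) >= 68:
        run_count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
    else:
        raise ValueError("unexpected UserAssist data length: %d" % len(data))
    return {
        "name": name,
        "prefix": prefix,        # UEME_RUNPATH, UEME_RUNPIDL, UEME_RUNCPL, ...
        "target": target,
        "run_count": run_count,
        "last_run": filetime_to_datetime(ft),
    }


# Constructed sample entries (not from a real hive).
# "HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr" is ROT-13 of "UEME_RUNPATH:C:\Windows\system32\calc.exe"
_XP_TIME = datetime(2012, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_XP = (
    "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr",
    struct.pack("<IIQ", 1, 5 + 3, datetime_to_filetime(_XP_TIME)),   # 3 runs
)

# "HRZR_EHACVQY:%pfvqy2%\Abgrcnq.yax" is ROT-13 of "UEME_RUNPIDL:%csidl2%\Notepad.lnk"
_W7_TIME = datetime(2013, 6, 2, 8, 5, tzinfo=timezone.utc)
_w7_data = bytearray(72)
struct.pack_into("<I", _w7_data, 4, 12)                             # 12 runs
struct.pack_into("<Q", _w7_data, 60, datetime_to_filetime(_W7_TIME))
SAMPLE_W7 = ("HRZR_EHACVQY:%pfvqy2%\\Abgrcnq.yax", bytes(_w7_data))


def decode_all(entries):
    """Decode a list of (value_name, data) pairs as read from a Count key."""
    return [decode_userassist(name, data) for name, data in entries]


if __name__ == "__main__":
    for rec in decode_all([SAMPLE_XP, SAMPLE_W7]):
        print("%-14s runs=%-3d last=%s  %s" % (rec["prefix"], rec["run_count"],
                                               rec["last_run"], rec["target"]))
```

A run count of 0 with a zero FILETIME is a legitimate state (the entry exists but was never launched through Explorer), so the decoder reports `None` for the time rather than 1601-01-01.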
SOFTWARE
  OS Version
    Microsoft\Windows NT\CurrentVersion

SYSTEM
  Computer Name
    CurrentControlSet\Control\ComputerName\ComputerName
  CurrentControlSet
    the hive holds ControlSet00x; which one is current is recorded in Select\Current
  Network interfaces
    CurrentControlSet\Services\Tcpip\Parameters\Interfaces
  Time Zone / Time Zone Information
    CurrentControlSet\Control\TimeZoneInformation
    Formulas
      UTC = Local Time + ActiveTimeBias
      Local Time = UTC - ActiveTimeBias
      Standard Time = Bias + StandardBias
      Daylight Time = Bias + DaylightBias

Backup
  %WinDir%\System32\Config\RegBack
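The four time-zone formulas above are easy to get wrong in practice because the bias values are REG_DWORDs holding signed minutes, so a negative DaylightBias reads as 0xFFFFFFC4 until it is reinterpreted. The following Python is an added example (not part of the cheat sheet); the TimeZoneInformation values are constructed to match a US Eastern configuration with daylight time in effect, and the timestamps it converts are made up.

```python
import struct
from datetime import datetime, timedelta, timezone


def dword_to_signed(raw):
    """Reinterpret a REG_DWORD as a signed 32-bit integer (two's complement)."""
    return struct.unpack("<i", struct.pack("<I", raw & 0xFFFFFFFF))[0]


# Constructed sample: raw REG_DWORD values as read from
# SYSTEM\CurrentControlSet\Control\TimeZoneInformation (US Eastern, DST in effect).
SAMPLE_TZI = {
    "Bias": 300,                 # minutes added to local time to reach UTC (UTC-5)
    "StandardBias": 0,
    "DaylightBias": 0xFFFFFFC4,  # -60 stored as an unsigned DWORD
    "ActiveTimeBias": 240,       # bias in effect when the key was last written (UTC-4)
}


def effective_biases(tzi):
    """Standard Time = Bias + StandardBias; Daylight Time = Bias + DaylightBias."""
    b = {k: dword_to_signed(v) for k, v in tzi.items()}
    return {
        "standard_minutes": b["Bias"] + b["StandardBias"],
        "daylight_minutes": b["Bias"] + b["DaylightBias"],
        "active_minutes": b["ActiveTimeBias"],
    }


def local_to_utc(local_naive, tzi):
    """UTC = Local Time + ActiveTimeBias (input is a naive local datetime)."""
    bias = dword_to_signed(tzi["ActiveTimeBias"])
    return (local_naive + timedelta(minutes=bias)).replace(tzinfo=timezone.utc)


def utc_to_local(utc_dt, tzi):
    """Local Time = UTC - ActiveTimeBias (returns a naive local datetime)."""
    bias = dword_to_signed(tzi["ActiveTimeBias"])
    return (utc_dt - timedelta(minutes=bias)).replace(tzinfo=None)


def demo(tzi=SAMPLE_TZI):
    """Worked conversions, returned as ISO strings so they can be checked."""
    local_artifact = datetime(2013, 7, 4, 9, 0)                          # constructed local-time log entry
    key_last_write = datetime(2013, 7, 4, 13, 0, tzinfo=timezone.utc)   # registry key times are already UTC
    return {
        "biases": effective_biases(tzi),
        "log_local_to_utc": local_to_utc(local_artifact, tzi).isoformat(),
        "key_utc_to_local": utc_to_local(key_last_write, tzi).isoformat(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

ActiveTimeBias reflects the offset in effect when the key was last written, so it is only safe to apply to timestamps from the same period; for older artifacts, compare the event date against the standard and daylight biases instead of assuming the active one.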
Properties
  Timestamps
    Every key has a Last Write Time, stored in UTC
  MRU (Most Recently Used)
    MRUList: a value in the key that keeps track of the most recent additions
    Knowing the exact order aids in determining the order of activity
    The last write time of the key is the time the first MRUList entry value occurred
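The MRU description above is the whole reconstruction rule: walk MRUList most-recent-first, and attach the key's Last Write Time only to the first entry, because that is the one addition the timestamp dates. The following Python is an added example, not code from the cheat sheet; the RunMRU-style values and times are constructed. It also handles the MRUListEx form (a run of little-endian DWORD indices ending in 0xFFFFFFFF, as used by keys such as RecentDocs on newer Windows), which goes beyond the string MRUList the page describes.

```python
import struct
from datetime import datetime, timezone


def mru_order(mru_list):
    """Return value names most-recent-first from an MRUList string or MRUListEx bytes."""
    if isinstance(mru_list, (bytes, bytearray)):
        names = []
        for off in range(0, len(mru_list) - 3, 4):          # whole DWORDs only
            idx = struct.unpack_from("<I", mru_list, off)[0]
            if idx == 0xFFFFFFFF:                           # MRUListEx terminator
                break
            names.append(str(idx))                          # values are named "0", "1", ...
        return names
    return list(mru_list)                                   # "cadb" -> ["c", "a", "d", "b"]


def reconstruct_activity(values, mru_list, key_last_write):
    """Build a most-recent-first timeline for one MRU key.

    `values` holds only the data values (exclude MRUList/MRUListEx itself).
    Only the first entry gets a time: the key's Last Write Time is the moment
    that entry was added. Names in the list with no matching value are kept
    with data=None (a possible deleted value), and values present in the key
    but missing from the list are reported separately as 'unlisted'.
    """
    order = mru_order(mru_list)
    timeline = [
        {
            "position": i,
            "value": name,
            "data": values.get(name),
            "time": key_last_write if i == 0 else None,
        }
        for i, name in enumerate(order)
    ]
    unlisted = sorted(set(values) - set(order))
    return {"timeline": timeline, "unlisted": unlisted}


# Constructed sample resembling a RunMRU key (not from a real hive).
SAMPLE_RUNMRU = {"a": "cmd\\1", "b": "notepad\\1", "c": "regedit\\1",
                 "d": "calc\\1", "e": "mmc\\1"}
SAMPLE_MRULIST = "cadb"                     # 'e' exists but is not in the list
SAMPLE_LAST_WRITE = datetime(2013, 3, 9, 14, 2, 11, tzinfo=timezone.utc)

# Constructed sample resembling a RecentDocs key with an MRUListEx value.
SAMPLE_RECENTDOCS = {"0": "report.docx", "1": "notes.txt", "2": "budget.xlsx"}
SAMPLE_MRULISTEX = struct.pack("<IIIII", 2, 0, 3, 1, 0xFFFFFFFF)   # index 3 has no value


if __name__ == "__main__":
    for label, vals, lst in (("RunMRU", SAMPLE_RUNMRU, SAMPLE_MRULIST),
                             ("RecentDocs", SAMPLE_RECENTDOCS, SAMPLE_MRULISTEX)):
        result = reconstruct_activity(vals, lst, SAMPLE_LAST_WRITE)
        print(label)
        for e in result["timeline"]:
            print("  %d %-3s %-14s %s" % (e["position"], e["value"], e["data"], e["time"] or ""))
        print("  unlisted:", result["unlisted"])
```

An entry referenced by the list but absent from the key, or a value the list no longer mentions, is worth noting in the report: both are inconsistencies between the two artifacts that a single run of a registry viewer would not flag.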