

This week I have been working a case where I was required to identify users on a Windows Server 2003 system who had knowledge of, or had run, a particular unauthorised executable. As such, I found myself wracking my brain for all the user-attributable artifacts which evidence program execution (on an OS I hadn't analysed for a short while). Furthermore, David Cowen in his recent Sunday Funday Challenge over at HECFBlog had posed a similar question regarding evidence of execution. With that as my motivation, I set about to document different artifacts which can be used to evidence program execution (both user attributable and otherwise) as available in various different versions of Windows.

I should highlight up front that some really fantastic blog posts from Harlan Carvey, Andrea Fortuna, Corey Harrell and Mary Singh gave me a significant leg up. A myriad of other posts assisted in confirming details of specific artifacts and I have referenced those below. This isn't my first time reading any of those posts and I'm sure it won't be my last. The main focus of this post, and particularly the associated table of artifacts, is to serve as a reference and reminder of what evidence sources may be available on a particular system during analysis.

The Windows Registry holds not only configuration information but also information about recently accessed files and a considerable amount of detail about user activity. The purpose of this article is therefore to give you an in-depth understanding of the Registry and the wealth of information it holds. To most administrators and forensic analysts the Registry looks like a dark and forbidding place. Before it existed, the system was largely managed by a handful of files, specifically autoexec.bat, config.sys, win.ini and system.ini (on Windows); the various settings within those files determined what programs were loaded and how the system looked and responded to user input. The Registry replaced them with a central hierarchical database that maintains configuration settings for applications, hardware devices and users.

When an administrator or forensic examiner opens Regedit.exe, they see a tree-like structure with five root folders, or "hives":

HKEY_CLASSES_ROOT − contains configuration information relating to which application is used to open the various file types on the system.
HKEY_CURRENT_USER − the loaded user profile for the currently logged-on user.
HKEY_LOCAL_MACHINE − contains a vast amount of configuration information for the system, including hardware settings and software settings.
HKEY_USERS − contains all the actively loaded user profiles on the system.
HKEY_CURRENT_CONFIG − contains the hardware profile the system uses at startup.

Note that HKEY_CURRENT_USER is only a view of the logged-on user's NTUSER.DAT as loaded under HKEY_USERS\<SID>. The per-user keys below attribute activity solely to the account whose hive you are looking at, so on a seized disk each user's NTUSER.DAT has to be examined separately.

Suppose your computer falls into the hands of a malicious person without your consent. How can you determine what exactly they did to it? You can track their activity by inspecting the Registry as follows.

Run history − (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU)

This key records the commands typed into the Start > Run dialog. In the article's screenshot the user had opened cmd, Notepad, MSPaint and so on. Combined with the information from the other keys below, the RunMRU key gives an examiner a better understanding of the user under investigation and the applications being used.

Attached hardware list − (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR)

This key stores the product and device ID values of any USB storage devices that have ever been connected to the system. ControlSet001 is not always the control set the machine booted with; on an offline SYSTEM hive read the Current value under the Select key to find which ControlSetNNN was in use (on a live system CurrentControlSet resolves to it).

Attached hardware list − (HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices)

This information is useful to a forensic examiner as it shows every connected storage device the operating system has recognised. If the examiner notes a discrepancy between the physically attached devices and the ones reported here, it can be an indication that a device was removed before the evidence was seized.

Malicious software running − (HKEY_CURRENT_USER\Software\ )

Last accessed applications − (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps)

Navigating to this key gives the list of applications most recently accessed by the user (the original text omitted the Windows\ component of the path; the key lives under Software\Microsoft\Windows\CurrentVersion\Search). This is informative for a forensic examiner: in the article's example it reveals that the attacker ran a VPN client, CyberGhost, which is used to stay anonymous.

Internet Explorer is the native web browser of the Windows operating system and, like many applications, uses the Registry extensively to store its data.

Typed URLs − (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs)

From this key we can obtain the addresses the user typed into Internet Explorer's address bar.
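The following script is an added example and is not code from the original article or from any of the authors it cites. It reads the user-activity keys discussed above (RunMRU, RecentApps, TypedURLs, USBSTOR and MountedDevices) from a live Windows host using only the built-in Registry provider, decodes the MRUList ordering, the FILETIME values and the binary MountedDevices data, and flags USB serial numbers that Windows generated itself. It assumes the account under investigation is the one whose hive is mapped to HKCU: and that the RecentApps subkeys carry the AppId, LaunchCount and LastAccessedTime values seen on the Windows 10 builds that populate that key; both assumptions are marked in the code.

```powershell
# Added example, not code from the original article: pull the user-activity
# keys discussed above from a live Windows host with the built-in Registry
# provider. Run from an elevated PowerShell prompt. Assumption: HKCU: is the
# account under investigation; for another account load its NTUSER.DAT
# (reg load HKU\Suspect <path-to-NTUSER.DAT>) and point $UserHive at it.
$UserHive = 'HKCU:'

function Get-RunMRU {
    # Start > Run history. Entries are stored in values a, b, c ...; the
    # MRUList value lists those letters most-recent-first, so walk it in order.
    $key = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { return }
    $rank = 0
    foreach ($slot in ([string]$p.MRUList).ToCharArray()) {
        $rank++
        $name = [string]$slot
        # Each command is stored with a literal "\1" suffix; drop it.
        $cmd = ([string]$p.$name) -replace '\\1$', ''
        [pscustomobject]@{ Rank = $rank; Slot = $name; Command = $cmd }
    }
}

function Get-RecentApps {
    # RecentApps (populated on some Windows 10 builds only). Assumption: one
    # subkey per application holding AppId (full path), LaunchCount and
    # LastAccessedTime, the latter a 64-bit FILETIME stored as REG_QWORD.
    $key = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps"
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $p  = Get-ItemProperty -Path $_.PSPath
        $ts = if ($p.LastAccessedTime) { [DateTime]::FromFileTimeUtc([int64]$p.LastAccessedTime) }
        [pscustomobject]@{ AppId = $p.AppId; LaunchCount = $p.LaunchCount; LastAccessedUtc = $ts }
    } | Sort-Object LastAccessedUtc -Descending
}

function Get-TypedUrls {
    # TypedURLs holds url1..urlN with url1 the most recent. Since IE 10 the
    # sibling TypedURLsTime key stores an 8-byte FILETIME under the same
    # value name, which gives each entry a timestamp.
    $base  = "$UserHive\Software\Microsoft\Internet Explorer"
    $urls  = Get-ItemProperty -Path "$base\TypedURLs"     -ErrorAction SilentlyContinue
    $times = Get-ItemProperty -Path "$base\TypedURLsTime" -ErrorAction SilentlyContinue
    if (-not $urls) { return }
    $urls.PSObject.Properties | Where-Object { $_.Name -like 'url*' } | ForEach-Object {
        $name = $_.Name
        $when = $null
        if ($times -and $times.$name) {
            $when = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64([byte[]]$times.$name, 0))
        }
        [pscustomobject]@{ Slot = $name; Url = $_.Value; TypedUtc = $when }
    }
}

function Get-UsbStorDevices {
    # USBSTOR: a subkey per vendor/product string, then a subkey per serial
    # number. A serial whose second character is '&' was generated by Windows
    # because the device reported none, so it cannot be matched to a label on
    # the physical device. CurrentControlSet is used here; on an offline
    # SYSTEM hive read Select\Current to pick the right ControlSetNNN.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Model            = $model
                Serial           = $_.PSChildName
                FriendlyName     = $p.FriendlyName
                WindowsGenerated = ($_.PSChildName.Length -gt 1 -and $_.PSChildName[1] -eq '&')
            }
        }
      }
}

function Get-MountedDevices {
    # MountedDevices: drive letters (\DosDevices\X:) and volume GUIDs known to
    # the Mount Manager. For USB media the REG_BINARY data is a UTF-16LE
    # device path containing the USBSTOR instance ID, which links a drive
    # letter to a serial from Get-UsbStorDevices. Fixed disks store a short
    # signature (12 bytes MBR, 24 bytes GPT), left here as hex.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices' -ErrorAction SilentlyContinue
    if (-not $p) { return }
    $p.PSObject.Properties | Where-Object { $_.Name -like '\*' } | ForEach-Object {
        $bytes  = [byte[]]$_.Value
        $device = if ($bytes.Length -gt 24) { [Text.Encoding]::Unicode.GetString($bytes) }
                  else { ($bytes | ForEach-Object { $_.ToString('x2') }) -join '' }
        [pscustomobject]@{ Name = $_.Name; Device = $device }
    }
}

Get-RunMRU         | Format-Table -AutoSize
Get-RecentApps     | Format-Table -AutoSize
Get-TypedUrls      | Format-Table -AutoSize
Get-UsbStorDevices | Format-Table -AutoSize
Get-MountedDevices | Format-Table -AutoSize
```

Cross-referencing the output is where the value lies: a MountedDevices entry whose decoded device path contains a USBSTOR serial that no longer appears under a drive letter, or a serial with WindowsGenerated set to true, is exactly the discrepancy between reported and physically present devices that the text above says to look for. RunMRU and TypedURLs carry no timestamps of their own (TypedURLsTime only exists on newer Internet Explorer versions), so the key's LastWriteTime, not the entries themselves, dates the most recent change.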
