Artifacts

Registry: ACMru – Search Assistant

Posted by:  /  Tags: , ,  /  Comments: 1

Author Name
Matt

Artifact Name
ACMru – Search Assistant

Description
This registry key stores search terms that have been typed into the Windows Search dialog box (Windows Start Button –> Search). There may be up to four subkeys:

- 5001: Contains list of terms used for the Internet Search Assistant

- 5603: Contains the list of terms used for the Windows XP files and folders search

- 5604: Contains list of terms used in the “word or phrase in a file” search

- 5647: Contains list of terms used in the “for computers or people” search

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru

Research Links
http://books.google.com/books?id=5hvSrBGVfIgC&pg=PA235&lpg=PA235&dq=acmru+search+assistant&source=bl&ots=HqAt5n3Tue&sig=Bj7WMCRVmVOyndo9UVyXTs7tmVE&hl=en&ei=Y1ltTMWdOozSngeGtfHsBw&sa=X&oi=book_result&ct=result&resnum=8&ved=0CDcQ6AEwBw#v=onepage&q=acmru%20search%20assistant&f=false

http://www.windowsitpro.com/article/configuration/how-can-i-clear-windows-xp-s-search-companion-cache-of-previous-searches-.aspx

Forensic Programs of Use
RegRipper

Other Info
A good explanation can be read in Windows Forensic Analysis 2e by Harlan Carvey. I highly recommend this book.

One Comment

arrow

[…] This post was mentioned on Twitter by sansforensics, Forensic Artifacts. Forensic Artifacts said: Registry: ACMru – Search Assistant http://bit.ly/cMQD6C […]

Leave a Reply

Your Name: (required)

Your Email: (will not be published) (required)

Your Website:

Your Message:

submit comment