Artifacts

Posts Tagged ‘registry’


NTUSER Trust Records


Andrew Case

Office

The TrustRecords key inside the Office section of the user’s NTUSER hive holds the full path to documents that were downloaded from untrusted places (e.g. a web browser download) and that the user had to explicitly tell Office to trust. This “trust” prompt is shown when the user wants to edit the document or run macros inside of it.

The artifact is interesting because it holds not only the full path, as an MRU listing, but also, as the data of each name/value pair, the time at which the document was trusted.

Software\Microsoft\Office\14.0\PowerPoint\Security\Trusted Documents\TrustRecords

The path component after “Office” differs per version of Office, but the rest of the path is the same.

NTUSER hive

RegExtract – http://www.woanware.co.uk/?page_id=209 – The “OfficeDocuments” plugin will extract this information
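The following is an added example, not code from the post or from RegExtract, showing how the name/value pairs under TrustRecords can be read as a trust timeline. It assumes (the post does not state the layout) that the value data begins with a little-endian 64-bit Windows FILETIME; the value names and data in SAMPLE_VALUES are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_trust_record(value_name, value_data):
    """Decode one name/value pair under ...\\Trusted Documents\\TrustRecords.

    The value name is the document path; the post says the value data is the
    time it was trusted. Assumption made here: that time is a little-endian
    FILETIME in the first 8 bytes, and any further bytes are not interpreted.
    Returns None when the data is too short to hold a FILETIME.
    """
    if len(value_data) < 8:
        return None
    (ft,) = struct.unpack_from("<Q", value_data, 0)
    return {"path": value_name, "trusted_utc": filetime_to_datetime(ft).isoformat()}

def trust_timeline(values):
    """Turn the whole key (name -> data) into a list ordered by trust time,
    skipping malformed entries, so the MRU can be read as a timeline."""
    records = []
    for name, data in values.items():
        rec = parse_trust_record(name, data)
        if rec is not None:
            records.append(rec)
    return sorted(records, key=lambda r: r["trusted_utc"])

# Constructed sample: two trusted documents plus one truncated value.
# The value names are made-up paths, not ones taken from a real hive.
SAMPLE_VALUES = {
    "%USERPROFILE%/Downloads/invoice.docm":
        struct.pack("<Q", 129515850000000000) + b"\x00" * 16,  # 2011-06-03 14:30 UTC
    "%USERPROFILE%/Downloads/report.xlsm":
        struct.pack("<Q", datetime_to_filetime(
            datetime(2011, 5, 30, 9, 0, tzinfo=timezone.utc))) + b"\x00" * 16,
    "%USERPROFILE%/Downloads/truncated.docx": b"\x01\x02",
}

if __name__ == "__main__":
    for rec in trust_timeline(SAMPLE_VALUES):
        print(rec["trusted_utc"], rec["path"])
```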

SSH Server Connections


Author Name
Matonis

Artifact Name
Determine SSH Servers Users Connected To

Artifact/Program Version
PuTTY

Categories
User Activity, Active Machines

Description
SSH is a popular and practical management protocol for system administrators and nefarious users alike. On Windows systems, the multifaceted terminal client PuTTY does not log by default, but it conditionally stores SSH host keys within the registry. This information can be beneficial to an analyst during an incident or investigation to ascertain historical attributes of user activity and of server authenticity.

Contained within the user’s NTUSER.DAT hive, the subkeys (outlined below) have the following syntax; their presence indicates a successful SSH connection, but not a successful SSH login:

rsa2@[port]:[hostname/IP]

The Last Write Time of NTUSER.DAT/Software/SimonTatham/SshHostKeys corresponds to the time the most recently added SSH server was first connected to, not the last time the user SSH’d to a server. If a user has connected to a server multiple times, these keys are not updated; in that case network logs are a more suitable quantitative source.

If a user chooses to save their PuTTY profile (connection preferences, servers, logs, etc.), it will be stored under NTUSER.DAT/Software/SimonTatham/Sessions.

Registry Keys
To determine servers connected to via SSH:
NTUSER.DAT/Software/SimonTatham/SshHostKeys -> Subkeys correspond to successful SSH connections but not SSH logins.

To determine PuTTY configurations based on saved profiles:
NTUSER.DAT/Software/SimonTatham/Sessions -> Subkeys will correspond to profiles user created.
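As an added example (not part of the post), the parser below pulls the keytype@[port]:[hostname/IP] entries out of a .reg export of the SshHostKeys key, handling IPv6 hosts that contain colons. The SAMPLE_REG export is constructed, its key data is placeholder hex, and the KEY_TYPES mapping reflects PuTTY’s value-name prefixes as I know them rather than anything stated in the post.

```python
import re

# Key-type prefixes PuTTY uses in SshHostKeys value names ("rsa2" is SSH-2
# RSA; "rsa" is the legacy SSH-1 key type). Mapping is an assumption here.
KEY_TYPES = {
    "rsa2": "ssh-rsa",
    "rsa": "ssh-1 rsa",
    "dss": "ssh-dss",
    "ecdsa-sha2-nistp256": "ecdsa-sha2-nistp256",
    "ssh-ed25519": "ssh-ed25519",
}

def parse_hostkey_name(value_name):
    """Split a value name of the form <keytype>@<port>:<host> into its parts.

    The host may itself contain colons (IPv6), so the split is made at the
    first '@' and the first ':' after the numeric port, never at the last ':'.
    Returns None for names that do not follow the syntax.
    """
    m = re.fullmatch(r"([^@]+)@(\d+):(.+)", value_name)
    if not m:
        return None
    keytype, port, host = m.groups()
    return {
        "keytype": keytype,
        "algorithm": KEY_TYPES.get(keytype, "unknown"),
        "port": int(port),
        "host": host,
    }

def hosts_from_reg_export(reg_text):
    """Collect every <keytype>@<port>:<host> entry from a .reg export of the
    SshHostKeys key. As the post notes, each entry records a successful
    connection (host key accepted), not a successful login, and is written
    only when a host/port is first seen, so it carries no 'last used' time."""
    found = []
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"=', line.strip())
        if not m:
            continue
        parsed = parse_hostkey_name(m.group(1))
        if parsed:
            found.append(parsed)
    return found

# Constructed sample export; the hex key data is a placeholder, not a real key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:192.168.1.10"="0x10001,0xc0ffee"
"ssh-ed25519@22:build.example.test"="0x0102"
"rsa2@2222:2001:db8::1"="0x10001,0xdeadbeef"
"not-a-hostkey"="0x00"
'''

if __name__ == "__main__":
    for entry in hosts_from_reg_export(SAMPLE_REG):
        print(entry)
```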


Dropbox Config Files (Windows)


Author Name
Frank McClain

Artifact Name
Dropbox Config Files (Windows)

Artifact/Program Version
Dropbox 1.1.35 (Windows)

Description
Dropbox is a file-synchronization, backup, and (even) sharing service.
It has applications that run on Windows ®, Mac, Linux, iPhone,
Android and Blackberry. Once downloaded and installed, their
application will run when the OS starts. It adds a systray item that
allows you to access the settings (‘Preferences’), and your files.
The application creates a ‘My Dropbox’ folder inside the user’s
‘My Documents’ folder, for local cached/offline copies of the
files (this default location can be changed). These will then synch
with the web storage and across all other computers connected to the
account that are online. Multiple computers can be connected to one
account; if these are on the same network, a feature called ‘LAN
synch’ allows them to communicate with one another directly when
synching files, in order to reduce bandwidth consumption (as a note,
the synch only transfers the data that is changed, not the entire
file).

Registry Keys
With a clean installation, there were 173 registry keys created and 58
values set (captured via Sysinternals ProcMon). During
uninstallation, there were 153 changes to the registry (logged with
regshot), including 49 deletions:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2\:
“{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3\:
“{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4\:
“{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Dropbox\InstallPath:
“C:\Documents and Settings\username\Application Data\Dropbox\bin”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\UninstallString:
“"C:\Documents and Settings\username\Application Data\Dropbox\bin\Uninstall.exe"”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\InstallLocation:
“C:\Documents and Settings\username\Application Data\Dropbox\bin”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayName:
“Dropbox”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayIcon:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\Dropbox.exe,0”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\DisplayVersion:
“1.1.35”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\URLInfoAbout:
“http://www.dropbox.com”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\HelpLink:
“http://www.dropbox.com”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\NoModify:
0x00000001
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\NoRepair:
0x00000001
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dropbox\Publisher:
“Dropbox, Inc.”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\*\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx\Software\Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\*\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDA-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDB-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\:
“C:\Documents and Settings\username\Application Data\Dropbox\bin\DropboxExt.14.dll”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\InProcServer32\ThreadingModel:
“Apartment”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\CLSID\{FB314EDC-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}\:
“DropboxExt”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\Directory\Background\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”
HKU\S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxx_Classes\Directory\shellex\ContextMenuHandlers\DropboxExt\:
“{FB314ED9-xxxx-xxxx-xxxx-xxxxxxxxxxxxx}”

File Locations
The majority of Dropbox’s configuration and user info are stored in
SQLite database files in %appdata% under the Dropbox directory.
config.db
filecache.db
sigstore.db
host.db
unlink.db
Two are not actually SQLite files: host.db (plain text) and unlink.db
(not sure?).

Config.db contains some info about the local Dropbox installation and
account. It shows what it calls the “host_id” which appears to be
an md5 hash value. It also lists the email address associated with
the account (could be useful during an investigation). Also shown is
the current version/build for the local application.

Filecache.db has several tables, but the one I think is of the most
interest is ‘file_journal’; it contains a listing of all directories
and files inside ‘My Dropbox’. It appears these are only the live
files, not deleted ones.

Sigstore.db records SHA-256 hash and size information about each file,
but no names etc.

These can be viewed with a SQLite viewer, or parsed with other
programs (see research links).

Inside the user’s Dropbox folder is a hidden directory,
.dropbox.cache. This contains a record of files created/modified (and
saved) on another linked system. There are copies of the files
themselves, for each revision/save, and an entries.log file that
appears to contain encoded information about each of those files.

Research Links
[links not preserved in this copy]
(some more research to be posted soon)

Forensic Programs of Use
[link not preserved] (not forensic, but good for viewing the SQLite db files)
[link not preserved] (haven’t tried it yet, may be able to parse deleted records from the SQLite db files)

Other Info
The Dropbox Reader python scripts are handy to parse through the
SQLite db files quickly and get output that way, rather than trying to
load up individually in a viewer. They’re designed specifically to
work with Dropbox’s implementation, and present the information in a
more meaningful way.

I had some issues getting them to work properly and they were very
responsive and helpful. Apparently one of my files is a bit of an
oddball (missing some information) so it won’t parse correctly;
they’re working on a fix for that.

UserInfo (Windows)


Author Name
Corey Harrell

Artifact Name
UserInfo

Artifact/Program Version
Windows Registry

Description
Microsoft Office documents contain metadata that shows when a file was
created and modified, along with user names. The user names in Microsoft
Office documents’ metadata are pulled from the UserInfo registry key in
the registry hive of the user account performing the actions. The values
responsible in the UserInfo key are the UserName and Company values.

How the UserName and Company registry values are populated varies. In
the user account that installed Microsoft Office, the values are
populated with the user name and company entered during installation.
For user accounts that use Microsoft Office but did not install it, the
values are populated a little differently: the first time the user
launches an Office application, a dialog box appears asking for the
user name and initials, and the information entered in that dialog box
is what ends up in the UserName value of the user’s UserInfo registry
key. The location of the UserInfo registry key varies depending on the
version of Microsoft Office installed on the system.

Registry Keys
Microsoft Office 2007: HKCU\Software\Microsoft\Office\Common\UserInfo
Microsoft Office 2003: HKCU\Software\Microsoft\Office\11.0\Common\UserInfo

Research Links
http://support.microsoft.com/kb/821550
http://journeyintoir.blogspot.com/2011/06/why-is-it-what-it-is.html

Forensic Programs of Use
Registry viewer such as the free MiTeC Windows Registry Recovery

NetworkList (Vista/Windows 7)


Author Name
H. Carvey

Artifact Name
NetworkList

Artifact/Program Version
RegRipper w/ networklist.pl plugin v.20090812

Description
Vista and Windows 7 maintain a Registry key named
“NetworkList”:
HKLM\Microsoft\Windows NT\CurrentVersion\NetworkList

This key appears to contain profiles for managed and unmanaged
networks, including wireless networks that the system has connected
to: the SSID, the date the profile was created, the date last
connected, the MAC address of the WAP, etc. This MAC can be looked up
in the SkyHook database and possibly converted to a Google Map.

Registry Keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList (Updated 6/3- Thanks to Troy)

File Locations
Software Hive

Forensic Programs of Use
RegRipper w/ networklist.pl plugin

Registry: MUICache


Author Name
Matt

Artifact Name
MUICache

Artifact/Program Version
Windows

Description
According to Nirsoft.net, “each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the ‘MuiCache’.”

This key is similar to the UserAssist key in that it shows you programs that have been run on the system. This key is useful when looking for evidence of malware, virtualization, or “evidence cleaning” programs.

Please see the additional description from “Windows Forensic Analysis” in the first Research Link.

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Research Links
- Google Book Preview – Windows Forensic Analysis
- http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html

Forensic Programs of Use
- http://www.nirsoft.net/utils/muicache_view.html
- http://regripper.net


MiTeC’s Windows Registry Analyzer and Windows Vista 64bit Edition


Ken Pryor gave us the heads up that MiTeC’s Windows Registry Analyzer 1.5.2 only works in Vista 64bit edition when using it in XP Compatibility Mode.

Thanks Ken!!!

Joe

Computer Name


Author Name
Joe Garcia

Artifact Name
Computer Name

Artifact/Program Version
Windows

Description
Knowing the name of a computer that you are examining can be important for many reasons.  In a situation where you may need to examine a computer that was removed from a network, it will help you verify that it is indeed the computer in question.  Having the Computer Name is also used to correlate information found in Event Logs.

Also, for Law Enforcement you may have a situation where there is a high rate of laptop thefts in a particular area.  Let us say a suspect is apprehended for a crime while in possession of a laptop in that area.  He/she may claim that the laptop is theirs.  Well, if they offer consent or you are granted a search warrant to examine the laptop, this could help build your case against the suspect.  Is this the be all, end all to determine guilt?  No, but you can use this information to possibly help challenge their alibi and poke holes in their story if the Computer Name is completely off.

First things first though. Using your favorite Registry Viewer, determine the CurrentControlSet for the Windows machine you are examining. You can follow the instructions for doing that HERE. Once you have done that, proceed to SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName. You will see the following:

AccessData’s Registry Viewer: (screenshot not preserved)

MiTeC Registry Analyzer: (screenshot not preserved)

RegRipper: (screenshot not preserved)
To find this information in a Non-Forensic fashion, go to Control Panel > System > Computer Name Tab

**AUTHOR’S ADDENDUM**
Thanks to some help from Harlan Carvey (see Comments below), I have added the other Registry Keys of note to obtain a Computer Name from a Windows system.

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (Look for the value of Hostname): (screenshot not preserved)

SOFTWARE\Microsoft\SchedulingAgent (Look at the value of OldName): (screenshot not preserved)
Registry Keys
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (value: Hostname)
SOFTWARE\Microsoft\SchedulingAgent (value: OldName)

Forensic Programs of Use
AccessData Registry Viewer- http://www.accessdata.com/downloads.html

RegRipper- http://regripper.net/

MiTeC Windows Registry Analyzer- http://www.mitec.cz/Data/XML/data_downloads.xml

Research Links

http://support.microsoft.com/kb/308427

http://support.microsoft.com/kb/295017

Registry: ACMru – Search Assistant


Author Name
Matt

Artifact Name
ACMru – Search Assistant

Description
This registry key stores search terms that have been typed into the Windows Search dialog box (Windows Start Button –> Search). There may be up to four subkeys:

- 5001: Contains list of terms used for the Internet Search Assistant

- 5603: Contains the list of terms used for the Windows XP files and folders search

- 5604: Contains list of terms used in the “word or phrase in a file” search

- 5647: Contains list of terms used in the “for computers or people” search

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru

Research Links
http://books.google.com/books?id=5hvSrBGVfIgC&pg=PA235&lpg=PA235&dq=acmru+search+assistant&source=bl&ots=HqAt5n3Tue&sig=Bj7WMCRVmVOyndo9UVyXTs7tmVE&hl=en&ei=Y1ltTMWdOozSngeGtfHsBw&sa=X&oi=book_result&ct=result&resnum=8&ved=0CDcQ6AEwBw#v=onepage&q=acmru%20search%20assistant&f=false

http://www.windowsitpro.com/article/configuration/how-can-i-clear-windows-xp-s-search-companion-cache-of-previous-searches-.aspx

Forensic Programs of Use
RegRipper

Other Info
A good explanation can be read in Windows Forensic Analysis 2e by Harlan Carvey. I highly recommend this book.

Registry: Common MRUs


Author Name
ForensicsWiki

Artifact Name
Common Windows Most Recently Used Locations

Artifact/Program Version
Windows (various versions)

Categories
Registry

Description

Registry Keys

EDITOR’S NOTE (Joe)

The author sent in a submission which included numerous Registry Keys for examiners to look for regarding Windows MRU Locations.  It was essentially a copy & paste from the ForensicsWiki page.  I have left the link to that page below so that if you would like to check out that list you can for further educational purposes.  I felt that it did not fit the format that we are going for here on this site.  Thank you to the author for their submission!

Research Links

http://www.forensicswiki.org/wiki/List_of_Windows_MRU_Locations#Common

Forensic Programs of Use
RegRipper