Windows Registry Forensic Analysis

Time Zone Information:
SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Network Interfaces and Past Networks:
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Autostart Programs:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SAM hive (local user accounts):
SAM\Domains\Account\Users

USB Device History:
USB device Volume Name:
SOFTWARE\Microsoft\Windows Portable Devices\Devices

Device identification (history):
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\USB

First/Last Times:
SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
0064 = first connection
0066 = last connection
0067 = last removal

Bluetooth:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices

File / Folder Usage:
Recent Files:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Office Recent Files:
NTUSER.DAT\Software\Microsoft\Office\VERSION
NTUSER.DAT\Software\Microsoft\Office\VERSION\UserMRU\LiveID_####\FileMRU

ShellBags:
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

Open/Save and LastVisited Dialog MRUs:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

Windows Explorer Address/Search Bars:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Execution:
UserAssist:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

ShimCache:
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Background Activity Moderator (BAM) / Desktop Activity Monitor (DAM) (Win8+):
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
