Hello everyone,
I've noticed that a lot of people post questions about registry keys, and one of the best references of course is Harlan's book, but then you have those people who say, "I don't have time to thumb through a thick book or scroll through a large PDF" and need a quick answer. So I'm trying to write a small "quick reference" on common and useful registry keys. I have a couple so far, and this document isn't close to done. I know I have a lot of editing and such to do, but I'm looking for suggestions on what else I should add to this quick reference, or if there is something you think I should get rid of.
http://www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf
Any comments or suggestions will be extremely helpful. My primary goal is to make this actually useful to examiners in the field. Therefore, I need your help! What are some keys that you find yourself referencing on a day to day basis?
Thanks in advance,
Derrick
Derrick,
Looks great so far !
How about including those for determining current time zone information ?
Both common and useful :-)
Az
Looks great so far Derrick!
I think a line or two to protect yourself would be useful - to say that it is not an exhaustive list, it should be used with other established forensic methods and if you tinker with your own registry then you do so at your own risk.
How about including those for determining current time zone information ?
What do you mean by this? Could you elaborate on it a little more?
I think a line or two to protect yourself would be useful - to say that it is not an exhaustive list, it should be used with other established forensic methods and if you tinker with your own registry then you do so at your own risk.
Yes, that would probably be a good thing to add.
I'm also going to add the system files to load when examining the registry and which registry hives pertain to those files. Obviously, you don't have to know that when using regedit because all of the hives will be there, but in FTK Registry Viewer you have to load each of the registry system files, and this might be something that someone would need to reference.
Anyone else have any other suggestions? Anything you folks find yourself referencing when examining the registry?
All input is helpful. Thanks!
Derrick
I assume Azrael means keys such as
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Kind Regards
I assume Azrael means keys such as
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Indeed, also http://
:-)
I apologize if this is a stupid question. But when and why would you need to reference the time zone in a case? Would it be just to prove the location?
Derrick
I apologize if this is a stupid question. But when and why would you need to reference the time zone in a case?
When? Every time you analyze a case. Why? The timeline of your evidence depends on it. That is why you always check the time and date in the system clock.
Would it be just to prove the location?
No. The time basis of your files will help determine when events happened.
"Well your Honor, it's like this, those events really did not happen two days after we seized the computer, we just forgot to check the clock to see that it was not accurate and the whole analysis of the computer is actually off several days so if you just look at the evidence we are presenting and add two days and maybe a couple of hours or so and everything will be just like it should be."
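As an added example (not code from this thread, and not from any poster's tools): a small Python script that takes the TimeZoneInformation values as a hive viewer would show them from a SYSTEM hive, interprets the signed DWORD biases, and converts a UTC FILETIME to the wall-clock time the machine's user saw. The key path, value names and the sign convention (UTC = local + Bias) are Windows' own; the sample values and the timestamp are constructed for illustration, not taken from a real case.

```python
"""Interpret the TimeZoneInformation key and apply it to a UTC timestamp.

Added example for this thread; not code from the original posts.
All values below are constructed to resemble an export of
HKLM\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation from a
machine set to the "W. Europe" zone while daylight time was in effect.
"""
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: REG_DWORD values as a hive viewer shows them (unsigned).
# They are really signed minutes with the convention  UTC = local + Bias,
# so a zone east of UTC has a negative bias (UTC+1 -> -60 == 0xFFFFFFC4).
SAMPLE_TZI = {
    "Bias": 0xFFFFFFC4,            # -60: standard time is UTC+01:00
    "StandardBias": 0x00000000,    #   0: nothing extra in standard time
    "DaylightBias": 0xFFFFFFC4,    # -60: one more hour in daylight time
    "ActiveTimeBias": 0xFFFFFF88,  # -120: offset in force when the key was last written
    "StandardName": "W. Europe Standard Time",
    "DaylightName": "W. Europe Daylight Time",
}

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def dword_to_signed(value: int) -> int:
    """Reinterpret a REG_DWORD (unsigned 32-bit) as a signed 32-bit integer."""
    return struct.unpack("<i", struct.pack("<I", value & 0xFFFFFFFF))[0]


def utc_offset(tzi: dict, key: str = "ActiveTimeBias") -> timedelta:
    """UTC offset implied by a bias value: local = UTC - bias."""
    return timedelta(minutes=-dword_to_signed(tzi[key]))


def dst_in_effect(tzi: dict) -> bool:
    """True when ActiveTimeBias equals Bias + DaylightBias, i.e. the machine
    was on daylight time when the key was last updated."""
    return dword_to_signed(tzi["ActiveTimeBias"]) == (
        dword_to_signed(tzi["Bias"]) + dword_to_signed(tzi["DaylightBias"])
    )


def zone_label(tzi: dict) -> str:
    """Human-readable summary, e.g. 'UTC+02:00 (W. Europe Daylight Time)'."""
    total = int(utc_offset(tzi).total_seconds())
    sign = "+" if total >= 0 else "-"
    hours, minutes = divmod(abs(total) // 60, 60)
    name = tzi["DaylightName"] if dst_in_effect(tzi) else tzi["StandardName"]
    return f"UTC{sign}{hours:02d}:{minutes:02d} ({name})"


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME (MFT timestamps, key LastWrite times) to UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_to_local(filetime: int, tzi: dict, key: str = "ActiveTimeBias") -> datetime:
    """Express a FILETIME as the wall-clock time shown on the machine."""
    return filetime_to_utc(filetime).astimezone(timezone(utc_offset(tzi, key)))


if __name__ == "__main__":
    # Constructed FILETIME for 2009-06-15 12:00:00 UTC.
    ft = 128895408000000000
    print("zone :", zone_label(SAMPLE_TZI))
    print("UTC  :", filetime_to_utc(ft).isoformat())
    print("local:", filetime_to_local(ft, SAMPLE_TZI).isoformat())
    # Using Bias instead of ActiveTimeBias silently drops the DST hour:
    print("wrong:", filetime_to_local(ft, SAMPLE_TZI, "Bias").isoformat())
```

Two caveats when running this against an offline SYSTEM hive (the file is %SystemRoot%\System32\config\SYSTEM): CurrentControlSet is a live-only alias, so read HKLM\SYSTEM\Select\Current to pick the right ControlSet00N; and ActiveTimeBias is only the offset that was in force when the key was last written, so for events on dates with a different DST state the full rules from the zone's TZI data have to be applied rather than this single value.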
Ah, that makes perfect sense :D
Thanks Bit!
Any other suggestions folks?
Derrick
Derrick,
I think that this is a great idea…however, after reading through the reference you've created, I wonder if there might be a better way, by combining both the larger version that I've written and the portable one you wrote.
However, there are a good number of keys that can be important to different types of investigations. Also, there's information about each set of keys and values that is pertinent, and doesn't necessarily fit into an easy reference. For example, while USB thumb drives appear in the System file, I've found a way to tie the use of such things to a specific user…but this isn't something that fits nicely and neatly into a small reference guide.
Good work, though. It's nice to see others out there coming up with things like this…
H