Hi guys,
Working on a project for college, to trace activity on a computer. Have so far located some useful files in the Temporary Internet Files folder, and index.dat. Are there any other files I should be looking at in regard to activity tracing? Have been told that there are certain files located in the registry with a wealth of information, but not sure where to look.
Any help would be great to point me in the right direction.
Many thanks,
Marticus
Oh my….
Well yes. I might suggest that you take some time to view a few of the topics and threads here on the forum as well as many of the PDF response guides that are present. I would also look at several of the published books that are recommended on this site as a starting point.
It is a rather broad topic; many in the field have spent years honing skills in this area, because it really is the crux of finding evidence when you want to link it back to a person who will be held accountable.
Here are only a few minor areas, in no particular order, on more recent Windows boxes:
File System Analysis - File Table records
- Files accessed: created, modified, accessed, deleted
System setting analysis
- Registry keys
- Event logs
Internet history analysis
- Web sites accessed
- Chat sessions: AIM, Yahoo!, FaceBook, GoogleTalk, etc.
Email
- Recover PST, OST Outlook files
- Recover webmail fragments
I could go on in forever…
Might I suggest, though, as it seems this is your first post, and I do not know if you have been browsing the forum for some time, that you read through a lot of what is here and conduct some research into what has been posted about your topic in the past. It is a rather generalized question, and if you are learning investigative skills it would behoove you to do some extensive research prior to reaching out for outside help.
For starters you might want to read the book "Windows forensic analysis".
Have been told that there are certain files located in the registry with a wealth of information, but not sure where to look.
There are no files in the Registry. It is a hierarchy that is stored in multiple files. It contains various data like configuration and preferences. To give you a little hint regarding interesting Registry resources for user activity: MRU, ShellBags.
As douglasbrush pointed out the list can be quite indefinite.
But one of my recent favourites for Windows Vista/7 is the windows search database (also see articles/papers section on this forum)
Access Data also has a nice registry 'index' that explains where to look for certain activities. I'm not sure if it's a free download or not. I got mine back when I was in school for it and the teacher gave us all a copy.
Mitec have a good registry tool
http//
It's free (last time I checked).
Depending on whether you have tools or not, you could try looking at the metadata of any files on there, e.g. authors of Word docs, dates, etc.
Most of what has been said by douglasbrush should give you a good idea of what the user has been doing. Also check simple things like what apps are installed; it might give you an insight into what the computer is used for (but take those findings with a pinch of salt! I have Photoshop apps on my PC, but that doesn't mean I use them, lol).
One last little place for the registry is the USBStor key; this will tell you if and/or what devices have been plugged into the machine.
But for the most part read these forums and (I hate to say it, but..) Google is your friend.
Good luck!
Hit those books!
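As an added example (not code posted in this thread), the following PowerShell pulls three of the registry artifacts mentioned above with stock cmdlets: the USBSTOR device history, the drive letter each USB device was mounted under (from MountedDevices), and the Start > Run MRU list. It assumes an elevated prompt on a live Windows box; the hive names `HKLM:\ForensicSYS` and `HKU:\ForensicUser` in the comments are made-up mount points for the case where you `reg load` hives from an image instead.

```powershell
# Added example, not from the thread. Registry paths are standard Windows ones;
# the offline hive mount names in comments are assumptions for illustration.

$SystemHive = 'HKLM:\SYSTEM'   # offline: 'HKLM:\ForensicSYS' after reg load HKLM\ForensicSYS <image>\Windows\System32\config\SYSTEM
$UserHive   = 'HKCU:'          # offline: 'HKU:\ForensicUser' after reg load HKU\ForensicUser <profile>\NTUSER.DAT
                               # (HKU: needs: New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS)

# CurrentControlSet is a link that only exists on a live system. Select\Current
# names the real ControlSetNNN, which works for loaded offline hives as well.
$current = (Get-ItemProperty "$SystemHive\Select").Current
$ccs = '{0}\ControlSet{1:D3}' -f $SystemHive, $current

function Get-UsbStorHistory {
    # Subkey names: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>; below each sits
    # one instance key per physical device, usually named after its serial number.
    Get-ChildItem "$ccs\Enum\USBSTOR" -ErrorAction SilentlyContinue | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Device       = $device
                InstanceId   = $_.PSChildName
                FriendlyName = $props.FriendlyName
                ContainerId  = $props.ContainerID   # Windows 7 and later
            }
        }
    }
}

function Get-MountedDeviceLetters {
    # MountedDevices stores the device path as UTF-16LE bytes; decoding it and
    # looking for USBSTOR ties a drive letter back to a USBSTOR instance id.
    $md = Get-Item "$SystemHive\MountedDevices"
    foreach ($name in $md.GetValueNames()) {
        if ($name -notlike '\DosDevices\*') { continue }
        $bytes = $md.GetValue($name)
        if ($bytes -isnot [byte[]]) { continue }
        $text = [Text.Encoding]::Unicode.GetString($bytes)
        if ($text -like '*USBSTOR*') {
            [pscustomobject]@{ Letter = $name.Substring(12); DevicePath = $text }
        }
    }
}

function Get-RunMru {
    # Values a, b, c... hold commands typed into Start > Run; MRUList is a
    # string such as "cba" giving most-recent-first order.
    $path = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    $key = Get-ItemProperty $path -ErrorAction SilentlyContinue
    if (-not $key -or -not $key.MRUList) { return }
    foreach ($slot in $key.MRUList.ToCharArray()) {
        $slotName = [string]$slot
        [pscustomobject]@{ Order = $slotName; Command = $key.$slotName }
    }
}

Get-UsbStorHistory       | Format-Table -AutoSize
Get-MountedDeviceLetters | Format-Table -AutoSize
Get-RunMru               | Format-Table -AutoSize
```

Two caveats a practitioner will hit immediately: the registry provider does not expose key last-write timestamps, so the "first plugged in" time for a USBSTOR instance needs a hive parser (or `RegQueryInfoKey` via P/Invoke) rather than these cmdlets; and on a live system you are reading the suspect's registry in place, so do this against an image or a loaded hive copy when the result has to hold up.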
Access Data also has a nice registry 'index' that explains where to look for certain activities. I'm not sure if it's a free download or not. I got mine back when I was in school for it and the teacher gave us all a copy.
This is the link http//
^That's the one^
Thank you guys,
You've been most helpful, and I appreciate you taking the time to respond. Will take your advice and hit the books and make Google my new friend.
Many Thanks,
Marticus
Your suggestions also solve my problems. THANKS