Hi, I'm just wondering: if someone used a program or password crack on a computer, would there be any registry left on the system? Or anywhere I will be able to find some evidence? I am looking all over the system but I can't seem to find any…..
Thanks!!!!
Hi, I'm just wondering: if someone used a program or password crack on a computer, would there be any registry left on the system?
What would be the point of running a program or password crack that removed the Registry? Do that, and Windows won't work…
No….I don't want to delete it, but I want to find out where to look for them…..
If you're asking about where to look for programs (in general, and password crackers, specifically) being run within the Registry, I'd start with the user's UserAssist and MUICache keys (as covered in "Windows Registry Forensics").
Of course, it depends a great deal on what programs are run, and how they're run…
You might also check the Prefetch files, etc.
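As an added example (not part of the original thread), this sketch decodes one UserAssist value of the kind mentioned above: the value name is ROT13-encoded and the data holds a run count and last-run time. It assumes the 72-byte record layout commonly documented for Windows 7 and later; the sample path and record are constructed, and the function names are hypothetical.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed layout: the 72-byte UserAssist record commonly documented for
# Windows 7 and later (counters from offset 4, last-run FILETIME at offset 60).
RECORD_SIZE = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist(value_name, data):
    """Decode one UserAssist value: ROT13 name plus binary counters."""
    if len(data) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run_utc": filetime_to_utc(last_run),
    }


def build_sample():
    """Constructed sample value (not taken from a real system)."""
    name = codecs.encode(r"C:\Tools\example_cracker.exe", "rot_13")
    when = datetime(2012, 3, 4, 5, 6, 7, tzinfo=timezone.utc)
    ft = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    data = bytearray(RECORD_SIZE)
    struct.pack_into("<III", data, 4, 3, 5, 42_000)  # runs, focus count, focus ms
    struct.pack_into("<Q", data, 60, ft)             # last-run FILETIME
    return name, bytes(data)


if __name__ == "__main__":
    print(parse_userassist(*build_sample()))
```

Records of a different length (older Windows versions use a shorter format) are rejected rather than guessed at.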
Can I use EnCase to view the prefetch files?
I'm sure you can…although you don't need EnCase. And if you do find a suspicious Prefetch file, does EnCase have the ability (or an EnScript) for extracting metadata from the file?