Thoughts on Registry analysis

40 Posts
11 Users
0 Reactions
1,568 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

I've been thinking about expanding the content of chapter 4 of my book, "Windows Forensic Analysis", to a separate book (smaller in size, of course) just on Registry analysis.

Some tentative topics/contents

1. What is the Registry?
- Basic outline, construction, format, etc.

2. Registry Analysis Basics
- How to do a "cold" investigation of the Registry, looking at
different tools
- How to perform testing on a live system - actual walk-thru, with
the actual tools used; several examples, to include P2P, etc.

3. What we have access to now (more of an idea than a title)
- A good look at stuff we have available now; will/should include
Vista and Win2k8

4. Effects of Anti-forensics
- Look at what effects anti-forensics may have on the Registry
and Registry analysis

Thoughts? Did I miss anything? Should anything be added?

Are there any concerns of law enforcement or consultants (or anyone else) that aren't addressed here?

Thanks,

H


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

H,

I think that is a really good idea - I'd have a copy. :-)

Would you go as far as a discussion of the actual hex format on disk ? And would we have all of the usual Perl goodies to run against it ?

Thanks.


   
(@Anonymous)
Guest
 

Harlan, that sounds like a GREAT idea!

Here's a thought
I routinely use your compiled PERL utility to extract the UserAssist data. It would be SO NICE to be able to strip out the "Computerese" and populate the "jury-readable" data into a graphical time-line.

Something like

Logged-in User Doofus
Activity 16-January-2008

|———————-|——————|—————–|—————-|
655pm………………813pm………….1013pm……….1109pm
IEXPLORE.EXE……..SOFFICE.EXE…..WINAMP.EXE…..PHOTOSHOP.EXE

And then if you could also add to the chart which URLs were visited and when…. ;)

-Austin


   
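The timeline Austin describes, as an added example that is not part of the original post, not Harlan's compiled Perl utility, and not code from "Windows Forensic Analysis". It relies on one documented fact (XP/Vista UserAssist value names are ROT13-encoded, e.g. "UEME_RUNPATH:<path>") and one labelled assumption: that each value's data uses the 16-byte pre-Windows-7 layout (u32 session, u32 run count stored as count + 5, u64 last-run FILETIME in UTC). The SAMPLE_VALUES are constructed for the example and come from no real system; the "Logged-in User" line of Austin's chart would come from which NTUSER.DAT was parsed, not from the values themselves.

```python
"""Added example (not Harlan Carvey's utility, nor code from "Windows Forensic
Analysis"): turn raw UserAssist values into a jury-readable, time-ordered list.

Facts and assumptions:
  * XP/Vista UserAssist value names are ROT13-encoded strings such as
    "UEME_RUNPATH:<full path>" (documented).
  * ASSUMED: each value's data is the 16-byte pre-Windows-7 layout:
    u32 session | u32 run count (stored as count + 5) | u64 last-run FILETIME (UTC).
  * SAMPLE_VALUES are constructed for this example; they come from no real system.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 UTC, used as a sanity check


def filetime_to_datetime(ft):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime; 0 means 'never run'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_value(name, data):
    """One UserAssist value -> (decoded name, run count, last run), or None if not 16 bytes."""
    decoded = codecs.decode(name, "rot_13")
    if len(data) != 16:          # e.g. UEME_CTLSESSION carries 8 bytes and no timestamp
        return None
    _session, raw_count, ft = struct.unpack("<IIQ", data)
    return decoded, max(raw_count - 5, 0), filetime_to_datetime(ft)


def build_timeline(values):
    """Keep only program-execution records (UEME_RUNPATH / UEME_RUNPIDL), sorted by last run."""
    rows = []
    for name, data in values:
        rec = decode_value(name, data)
        if rec is None or rec[2] is None:
            continue
        tag, _, target = rec[0].partition(":")   # split on the first colon only; paths keep theirs
        if tag not in ("UEME_RUNPATH", "UEME_RUNPIDL") or not target:
            continue
        rows.append({"time": rec[2], "program": target, "count": rec[1]})
    rows.sort(key=lambda r: r["time"])
    return rows


def render(rows, utc_offset_hours):
    """Plain-language lines; the examiner supplies the offset from the system's TimeZoneInformation key."""
    out = []
    for r in rows:
        local = r["time"] + timedelta(hours=utc_offset_hours)
        out.append(f"{local:%d-%b-%Y %I:%M %p}  {r['program']}  (run {r['count']} times)")
    return "\n".join(out)


def _constructed(path, count, when):
    """Build a value exactly as the hive would store it (constructed sample data)."""
    name = codecs.encode("UEME_RUNPATH:" + path, "rot_13")
    data = struct.pack("<IIQ", 1, count + 5, datetime_to_filetime(when))
    return name, data


SAMPLE_VALUES = [
    _constructed(r"C:\Program Files\Winamp\winamp.exe", 3, datetime(2008, 1, 16, 22, 13, tzinfo=UTC)),
    _constructed(r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", 12, datetime(2008, 1, 16, 18, 55, tzinfo=UTC)),
    (codecs.encode("UEME_CTLSESSION", "rot_13"), struct.pack("<II", 1, 0)),  # no timestamp: skipped
    _constructed(r"C:\Program Files\OpenOffice\soffice.exe", 1, datetime(2008, 1, 16, 20, 13, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_VALUES), utc_offset_hours=0))
```

Two caveats for anyone adapting this: the FILETIME is the last execution only, so the run count tells you a program ran N times but not when the earlier runs were; and later Windows versions changed the value layout (Windows 7 stores a 72-byte record with the last-run FILETIME at offset 60 and the run count at offset 4), so a length check like the one in decode_value is the minimum guard against silently misreading a newer hive.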
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> Would you go as far as a discussion of the actual hex format on disk ?

Definitely. I also plan to include some of the things I've done/found regarding searching for keys in memory, etc. I think that's where an explanation of the hex format on disk (similar to figure 4.3 on pg 132 of WFA) could be expanded and more useful.

> And would we have all of the usual Perl goodies to run against it ?

No. Well, some, yes. However, I've been developing an entirely new and unusual set of tools. One in particular is a data extraction and presentation tool based on plugins, similar to Nessus. Works fantastic so far!


   
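The "hex format on disk" Harlan mentions, as an added example that is neither his tools nor figure 4.3 from WFA: a parser that walks a hive from the regf base block (signature, sequence numbers, version, root cell offset, checksum) into the first hbin, through the root nk cell and its value list, to each vk cell. Offsets follow the public hive format; build_sample_hive() constructs an 8 KiB hive in that same layout (sample data, not from any real system) so the parser can be run offline and checked against known content.

```python
"""Added example, neither the author's tools nor a figure from WFA: walk a hive's
on-disk ("regf") layout from the base block to the root key and its values.
Offsets follow the public hive format; build_sample_hive() constructs the bytes
in the same layout (sample data, no real system) so the parser runs offline.
"""
import struct

HBIN_BASE = 0x1000  # cell offsets stored in a hive are relative to the first hbin

def parse_base_block(buf):
    """Offset 0 header: signature, sequence numbers, version, root cell offset, checksum."""
    if buf[:4] != b"regf":
        raise ValueError("missing regf signature")
    seq1, seq2 = struct.unpack_from("<II", buf, 4)
    (last_write,) = struct.unpack_from("<Q", buf, 12)
    major, minor = struct.unpack_from("<II", buf, 20)
    root_off, hbins_size = struct.unpack_from("<II", buf, 36)
    xor = 0                                      # checksum = XOR of the first 127 dwords
    for (w,) in struct.iter_unpack("<I", buf[:508]):
        xor ^= w
    (stored,) = struct.unpack_from("<I", buf, 508)
    return {"dirty": seq1 != seq2, "last_write": last_write, "version": (major, minor),
            "root_offset": root_off, "hbins_size": hbins_size, "checksum_ok": stored == xor}

def cell(buf, off):
    """Payload of the cell at hive-relative offset off; a negative size means allocated."""
    (size,) = struct.unpack_from("<i", buf, HBIN_BASE + off)
    if size >= 0:
        raise ValueError(f"cell at {off:#x} is free")
    return buf[HBIN_BASE + off + 4 : HBIN_BASE + off - size]

def parse_vk(buf, off):
    """Value cell: name, type and data (inline in the offset field when the high bit is set)."""
    c = cell(buf, off)
    if c[:2] != b"vk":
        raise ValueError("not a vk cell")
    name_len, data_len, data_off, vtype, _flags = struct.unpack_from("<HIIIH", c, 2)
    name = c[20:20 + name_len].decode("latin-1") if name_len else "(Default)"
    if data_len & 0x80000000:
        data = struct.pack("<I", data_off)[: data_len & 0x7FFFFFFF]
    else:
        data = cell(buf, data_off)[:data_len]
    return {"name": name, "type": vtype, "data": data}

def parse_nk(buf, off):
    """Key cell: flags, last-write FILETIME, counts, name, and each value from the value list."""
    c = cell(buf, off)
    if c[:2] != b"nk":
        raise ValueError("not an nk cell")
    flags, last_write = struct.unpack_from("<HQ", c, 2)
    (n_subkeys,) = struct.unpack_from("<I", c, 20)
    n_values, values_list = struct.unpack_from("<II", c, 36)
    (name_len,) = struct.unpack_from("<H", c, 72)
    values = []
    if n_values:
        offsets = struct.iter_unpack("<I", cell(buf, values_list)[:4 * n_values])
        values = [parse_vk(buf, voff) for (voff,) in offsets]
    return {"name": c[76:76 + name_len].decode("latin-1"), "flags": flags,
            "last_write": last_write, "subkeys": n_subkeys, "values": values}

def root_key(buf):
    return parse_nk(buf, parse_base_block(buf)["root_offset"])

def build_sample_hive():
    """Constructed 8 KiB hive (sample data): base block + one hbin, key ROOT, two values."""
    cells, cur = [], 0x20                        # first cell follows the 32-byte hbin header
    def add(payload):
        nonlocal cur
        size = (len(payload) + 4 + 7) & ~7       # 8-byte aligned, size includes the 4-byte header
        cells.append(struct.pack("<i", -size) + payload.ljust(size - 4, b"\0"))
        off, cur = cur, cur + size
        return off
    data_off = add("C:\\Tools".encode("utf-16-le") + b"\0\0")
    vk_path = add(b"vk" + struct.pack("<HIIIHH", 4, 18, data_off, 1, 0, 0) + b"Path")      # REG_SZ
    vk_count = add(b"vk" + struct.pack("<HIIIHH", 5, 0x80000004, 7, 4, 0, 0) + b"Count")  # REG_DWORD, inline
    vlist = add(struct.pack("<II", vk_path, vk_count))
    nk = b"nk" + struct.pack("<HQ", 0x2C, 0x01C8585E9B2F8000)                            # flags, last write
    nk += struct.pack("<15I", 0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF, 2, vlist,
                      0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 10, 18, 0) + struct.pack("<HH", 4, 0) + b"ROOT"
    root_off = add(nk)
    body = b"hbin" + struct.pack("<IIQQI", 0, 0x1000, 0, 0, 0) + b"".join(cells)
    body += struct.pack("<i", 0x1000 - len(body)) + b"\0" * (0x1000 - len(body) - 4)  # free cell fills the bin
    bb = bytearray(4096)
    bb[:4] = b"regf"
    struct.pack_into("<IIQIIIIIII", bb, 4, 7, 7, 0x01C8585E9B2F8000, 1, 3, 0, 1, root_off, 0x1000, 1)
    bb[48:62] = "\\SAMPLE".encode("utf-16-le")
    xor = 0
    for (w,) in struct.iter_unpack("<I", bytes(bb[:508])):
        xor ^= w
    struct.pack_into("<I", bb, 508, xor)
    return bytes(bb) + body

SAMPLE_HIVE = build_sample_hive()

if __name__ == "__main__":
    print(parse_base_block(SAMPLE_HIVE))
    print(root_key(SAMPLE_HIVE))
```

Two things worth checking on a real hive before trusting what a parser prints: the two sequence numbers in the base block differ when the hive was not cleanly written (the transaction log is then needed), and the checksum is the XOR shown above with the edge cases that a result of 0 is stored as 1 and 0xFFFFFFFF as 0xFFFFFFFE. The same cell-walking code is what you need when carving nk cells out of memory or unallocated space, where there is no base block to start from and the "nk" signature plus a sane negative cell size are the only anchors.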
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> Here's a thought
> I routinely use your compiled PERL utility to extract the UserAssist data. It would be SO NICE to be able to strip out the "Computerese" and populate the "jury-readable" data into a graphical time-line.

This is actually something I've already started working on…not graphical, but more along the lines of an Excel spreadsheet.

> And then if you could also add to the chart which URLs were visited and when…. ;)

I hope by "you", you mean the global "you", as in the examiner actually using the tool.

H


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

> One in particular is a data extraction and presentation tool based on plugins, similar to Nessus. Works fantastic so far!

That sounds like it might be worth it in its own right! 😉


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> That sounds like it might be worth it in its own right!

Not sure what you mean by that, but so far I've found it to be incredibly useful, and others who have tried it in order to get specific data have found the tool equally useful.


   
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Sorry - I meant that if that is included in the book, regardless of the remaining content, I think that it would be worth the cover price - sounds like a good tool !

It was a compliment 😉


   
(@Anonymous)
Guest
 

> > Here's a thought
> > I routinely use your compiled PERL utility to extract the UserAssist data. It would be SO NICE to be able to strip out the "Computerese" and populate the "jury-readable" data into a graphical time-line.
>
> This is actually something I've already started working on…not graphical, but more along the lines of an Excel spreadsheet.
>
> > And then if you could also add to the chart which URLs were visited and when…. ;)
>
> I hope by "you", you mean the global "you", as in the examiner actually using the tool.
>
> H

Excel would work. It has some rudimentary charting capabilities. And "one" could always export the data into other, more robust charting programs.

And, um, yeah I meant the global "you."
-A


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

I think your idea is pretty cool, but I'm not a professional software dev shop…I'm just one guy who's writing stuff to make my job easier. I just happen to share that, as well.

As far as "…strip out the "Computerese" and populate the "jury-readable"…" goes, that's your/our job.

Any thoughts on the outline I posted? Anything specific to Registry analysis?


   