I got tired of always searching online for the location of something in the Windows registry, especially when it came to forensic analysis. Hopefully this compilation will help others find things of interest inside the Windows registry. My plan is to update this article as I find more interesting locations within the Windows registry.
=====================================================================
Last logged on user
DefaultUserName
Searches within the Windows OS
5001: Contains list of terms used for the internet search assistant
5603: Contains the list of terms used for the Windows XP files and folders search
5604: Contains list of terms used in the “word or phrase in a file” search
5647: Contains list of terms used in the “for computers or people” search
Applications launched from the “Start > Run” menu
Recent documents
Installed applications that reside in “Control Panel > Add/Remove programs”
Mounted devices
USB devices that have been attached
Applications that are run during startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
List of Windows services
Recent network settings, where GUID refers to the network interface
Wireless network information
Mapped network drives
URLs typed into the browser
Last time the computer was shut down (64-bit value representing time)
Determine whether last-access time updating is enabled (0) or disabled (1)
NtfsDisableLastAccessUpdate
Computer name
Determine if autoplay is disabled / enabled, link with more info below
http://support.microsoft.com/kb/967715
List of files opened or saved via Windows Explorer
List of drives mapped via the map network drive wizard
Devices or IPs connected to
Mounted drives
List of files played in Windows Media Player
HKU\UID\Software\Microsoft\MediaPlayer\Player\RecentURLList
List of recently accessed WinZip files
List of Microsoft Office files that have been accessed
Browser helper objects (BHOs); can be associated with malware, but it’s been a while since I’ve seen this.
Entries in this location are automatically started when explorer.exe is run
Can point to logon scripts
DLLs in this location are loaded when a GUI app is launched
Programs to be run when the user logs in
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
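An added example (not part of the original list) that reads the startup and logon locations above, plus the last-access setting, from a live host in PowerShell for triage. The HKLM Run key and the FileSystem key holding NtfsDisableLastAccessUpdate are well-known locations assumed here rather than quoted from the list; the per-user Run keys are read from HKCU for the current user only.

```powershell
# Added example: collect autorun-style persistence entries and the NTFS
# last-access setting for review. Run from an elevated PowerShell on the host.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',          # assumed, well-known key
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',          # current user only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Keys whose named values each hold a command line to be launched
function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }   # RunServices* only exist on older Windows
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

# Single values that matter on their own: BootExecute runs before the session
# starts, Userinit runs at logon (baseline is userinit.exe alone), and
# NtfsDisableLastAccessUpdate = 1 means last-access timestamps are not maintained.
$singleValues = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';        Name = 'BootExecute' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';   Name = 'Userinit' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem';             Name = 'NtfsDisableLastAccessUpdate' }  # assumed key path
)

function Get-SingleValues {
    foreach ($v in $singleValues) {
        $val = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        # REG_MULTI_SZ (BootExecute) comes back as an array; join for display
        [pscustomobject]@{ Key = $v.Key; Name = $v.Name; Value = ($val -join ' | ') }
    }
}

Get-AutorunEntries | Format-Table -AutoSize -Wrap
Get-SingleValues   | Format-Table -AutoSize -Wrap
```

Compare the output against a known-good build of the same Windows version; any Userinit value beyond userinit.exe, or an unexpected BootExecute entry, is worth a closer look.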
4 replies on “Location of forensic evidence in the registry”
Thanks for this mate, really helped with my report 🙂
Thx, really helpful!
Very nice list, thank you
Hi! I’m searching for the artifacts/registry records created/being updated when burning a DVD disc with a third-party application. Could you help? Do you know any of these artifacts/records? I’m running Windows Vista. Thanks in advance!
P.S. Artifacts/records affected by inserting a blank disc into a drive or opening/closing the drive lid would also be very useful.