To most administrators and forensic analysts, the registry probably looks like the entrance to a dark. Before the registry existed, the system was largely managed by several files, specifically autoexec.bat, config.sys, win.ini and system.ini (on Windows). Various settings within these files determined what programs were loaded and how the system looked and responded to user input. The registry replaced them with a central hierarchical database that maintains configuration settings for applications, hardware devices, and users.

When an administrator or forensic expert opens Regedit.exe, he sees a tree-like structure with five root folders, or "hives":

- HKEY_CLASSES_ROOT − contains configuration information relating to which application is used to open various files on the system.
- HKEY_CURRENT_USER − the loaded user profile for the currently logged-on user.
- HKEY_LOCAL_MACHINE − contains a vast amount of configuration information for the system, including hardware and software settings.
- HKEY_USERS − contains all the actively loaded user profiles for that system.
- HKEY_CURRENT_CONFIG − contains the hardware profile the system uses at startup.

Suppose your computer lies in the hands of a malicious person without your consent. How can you determine what exactly he has done to your computer? You can track his activity by inspecting the registry as follows.

Run history (RunMRU) − With the information provided by the RunMRU key, an examiner can gain a better understanding of the user they are investigating and the applications that were being used. In the above figure, you can see the user has opened cmd, Notepad, MSPaint, etc.

Attached hardware list − (HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices) and (HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Enum\USBSTOR). The USBSTOR key stores the product and device ID values of any USB devices that have ever been connected to the system.
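As an added example (not code from the original article), the following PowerShell collects the three artifacts described above from a live system: RunMRU entries ordered by the MRUList value, USBSTOR device instances, and MountedDevices entries that point at USB storage. It reads CurrentControlSet instead of controlset001, and must run from an elevated prompt to read the HKLM keys; RunMRU is per-user, so it shows only the current profile.

```powershell
function Get-RunMruHistory {
    # RunMRU values are single letters whose data is the typed command followed
    # by "\1"; MRUList lists those letters in most-recent-first order.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    $order = [string]$props.MRUList
    $rank  = 0
    foreach ($letter in $order.ToCharArray()) {
        $name = [string]$letter
        $rank++
        [pscustomobject]@{
            Order   = $rank                                   # 1 = most recent
            Command = ([string]$props.$name) -replace '\\1$', ''  # drop "\1" marker
        }
    }
}

function Get-UsbStorHistory {
    # Each USBSTOR subkey is a device class (Disk&Ven_..&Prod_..); each child of
    # that is one device instance, keyed by its serial number or a generated id.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $key)) { return @() }
    foreach ($class in Get-ChildItem -Path $key) {
        foreach ($inst in Get-ChildItem -Path $class.PSPath) {
            $p = Get-ItemProperty -Path $inst.PSPath
            [pscustomobject]@{
                DeviceClass  = $class.PSChildName
                InstanceId   = $inst.PSChildName
                FriendlyName = $p.FriendlyName
            }
        }
    }
}

function Get-MountedUsbDevices {
    # MountedDevices maps \DosDevices\X: and \??\Volume{GUID} names to a binary
    # device path; for USB mass storage the UTF-16 string contains "USBSTOR#".
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices'
    foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -like '\*' })) {
        $text = [System.Text.Encoding]::Unicode.GetString([byte[]]$prop.Value)
        if ($text -match 'USBSTOR#') {
            [pscustomobject]@{ Mount = $prop.Name; Device = $text }
        }
    }
}

Get-RunMruHistory     | Format-Table -AutoSize
Get-UsbStorHistory    | Format-Table -AutoSize
Get-MountedUsbDevices | Format-Table -AutoSize
```

Correlating an InstanceId from USBSTOR with the matching serial inside a MountedDevices path tells you which drive letter a given device was mounted as.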