Windows registry forensics advanced digital forensic analysis of the Windows registry
Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry, Second Edition , provides the most in-depth guide to forensic investigations involving Windows Registry. This book is one-of-a-kind, giving the background of the Registry to help users develop an understanding of...
| Other authors: | |
|---|---|
| Format: | Electronic book |
| Language: | English |
| Published: | Cambridge, MA. : Syngress [2016] |
| Edition: | Second edition |
| Subjects: | |
| View in Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009630765706719 |
Table of Contents:
- Front Cover
- WINDOWS REGISTRY FORENSICS
- WINDOWS REGISTRY FORENSICS: Advanced Digital Forensic Analysis of the Windows Registry
- Copyright
- Dedication
- CONTENTS
- ABOUT THE AUTHOR
- ABOUT THE TECHNICAL EDITOR
- PREFACE
- Intended Audience
- Book Organization
- Chapter 1: Registry Analysis
- Chapter 2: Processes and Tools
- Chapter 3: Analyzing the System Hives
- Chapter 4: Case Studies: User Hives
- Chapter 5: RegRipper
- ACKNOWLEDGMENTS
- 1 - REGISTRY ANALYSIS
- Introduction
- Core Analysis Concepts
- Locard's Exchange Principle
- Least Frequency of Occurrence
- Windows Isn't Just "Windows"
- Remnants
- Goals
- Documentation
- Challenges of Registry Analysis
- What Is the Windows Registry?
- Purpose of the Windows Registry
- Location of the Windows Registry on Disk
- Where Else Can We Find Registry Data?
- Nomenclature
- Registry Structure
- Registry Key Cells
- Registry Value Cells
- Summary
- 2 - PROCESSES AND TOOLS
- Introduction
- Forensic Analysis
- Viewing Registry Hives
- RegEdit
- Windows Registry Recovery
- Registry Explorer
- Pros and Cons
- Parsers
- Pros and Cons
- RegRipper
- Timeline Analysis
- Differencing
- Deleted Keys and Values
- Memory
- Summary
- 3 - ANALYZING THE SYSTEM HIVES
- Introduction
- Artifact Categories
- Security Hive
- SAM Hive
- Cracking User Passwords
- System Hive
- Finding the "Current" ControlSet
- System Configuration Information
- System Name
- ClearPagefileAtShutdown
- Network Interfaces
- Routes
- File System Settings
- Prefetch Settings
- AutoStart
- Windows Services
- Program Execution
- AppCompatCache
- Malware
- USB Devices
- Mapping Devices to Drive Letters
- Software Hive
- System Configuration Information
- Windows Version
- ProfileList
- Network Cards
- Wireless Connections
- AutoStart
- The Run Key
- The Notify Key
- Image File Execution Options
- AppInit_DLLs
- Shell Extensions
- Browser Helper Objects
- Scheduled Tasks
- AppCompatFlags
- Program Execution
- LANDesk
- Malware
- Audio Devices
- AmCache Hive
- Summary
- 4 - CASE STUDIES: USER HIVES
- Introduction
- NTUSER.DAT
- System Configuration Information
- AutoStart
- The Run Key
- The RunOnce Key
- Other AutoStart Locations
- Program Execution
- Applets
- SysInternals
- UserAssist
- Application Compatibility Assistant
- Terminal Server Client
- Malware
- File Access
- RecentDocs
- ComDlg32
- Microsoft Office File/Place MRUs
- TrustRecords
- Adobe Reader
- User Activity
- TypedPaths
- TypedURLS
- Searches
- File Associations
- USRCLASS.DAT
- AutoStart
- Program Execution
- File Access
- Photos
- Shellbags
- Summary
- 5 - REGRIPPER
- Introduction
- What Is RegRipper?
- Plugins
- Profiles
- Getting the Most Out of RegRipper
- Finding Out About Plugins
- Creating New Plugins
- Create Your Own Profiles
- Extending RegRipper
- What to Do When Something Goes Wrong
- Summary
- INDEX
- Back Cover