Windows Forensics
- Tags
- security
OS forensics targeting the Windows operating system, currently the most widely used OS.
Registry
Each user profile has its own registry hive (for example NTUSER.DAT in the profile directory).
The Windows registry is split into several hives, each backed by a file on disk, such as:
| Hive (key : backing file) | Description |
|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM : \system32\config\system | Info about the system, hardware configuration, etc. |
| HKEY_LOCAL_MACHINE\SECURITY : \system32\config\security | Path and password information |
| HKEY_LOCAL_MACHINE\SAM : \system32\config\sam | Security Account Manager (SAM), logon info about users |
| HKEY_LOCAL_MACHINE\SOFTWARE : \system32\config\software | Applications installed and default settings |
| HKEY_USERS\UserProfile : \winnt\profiles\username | User accounts |
| HKEY_USERS\.DEFAULT : \system32\config\default | |
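When hive files are collected from disk (or carved from an image), the first thing worth checking is the 512-byte base block that every hive starts with. The following Python is an added example, not code from the original notes: it parses the `regf` header, recomputes the header checksum, and flags a "dirty" hive whose primary and secondary sequence numbers differ, which means the file was not cleanly flushed and its transaction logs (`.LOG1`/`.LOG2`) still hold unapplied changes. The hive name, sequence numbers and timestamp in the sample header are constructed inline, so it runs offline; `build_sample_hive_header` is a helper invented for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
HEADER_SIZE = 512  # the base block is always 512 bytes; hive bins start at 0x1000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(header: bytes) -> int:
    """XOR of the first 127 little-endian DWORDs (bytes 0..507), as Windows computes it."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    if csum == 0:            # Windows never stores 0 or 0xFFFFFFFF
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def parse_regf_header(data: bytes) -> dict:
    """Parse the base block of a registry hive file and return triage fields."""
    if len(data) < HEADER_SIZE or data[:4] != REGF_MAGIC:
        raise ValueError("not a registry hive (missing 'regf' signature)")
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    last_written = struct.unpack_from("<Q", data, 12)[0]
    major, minor, file_type, file_format = struct.unpack_from("<IIII", data, 20)
    root_cell_offset, hbins_size = struct.unpack_from("<II", data, 36)
    # Offset 48: 64 bytes of UTF-16LE holding (the tail of) the hive's path.
    hive_name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    return {
        "hive_name": hive_name,
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Sequence numbers diverge while a write is in flight; if they still differ
        # on disk, the hive is dirty and the .LOG1/.LOG2 files must be replayed.
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,          # 0 = primary hive file, 1 = transaction log
        "file_format": file_format,      # 1 = direct memory load
        "root_cell_offset": root_cell_offset,
        "hbins_size": hbins_size,
        "checksum_ok": stored_checksum == regf_checksum(data),
    }


def build_sample_hive_header(name: str, primary_seq: int, secondary_seq: int,
                             filetime: int) -> bytes:
    """Constructed sample (not a real hive): a valid base block with no hive bins behind it."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = REGF_MAGIC
    struct.pack_into("<II", hdr, 4, primary_seq, secondary_seq)
    struct.pack_into("<Q", hdr, 12, filetime)
    struct.pack_into("<IIII", hdr, 20, 1, 5, 0, 1)   # version 1.5, primary file, direct load
    struct.pack_into("<II", hdr, 36, 0x20, 0x1000)   # root cell at hbin offset 0x20, one 4 KiB bin
    hdr[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)


# FILETIME for 2024-01-01T00:00:00Z (constructed value for the sample headers)
SAMPLE_FILETIME = 133485408000000000

CLEAN_HIVE = build_sample_hive_header(r"\??\C:\Users\alice\ntuser.dat", 5, 5, SAMPLE_FILETIME)
DIRTY_HIVE = build_sample_hive_header(r"\??\C:\Windows\System32\config\SAM", 7, 6, SAMPLE_FILETIME)


def triage(data: bytes) -> str:
    """One-line summary an examiner can log per collected hive file."""
    info = parse_regf_header(data)
    state = "DIRTY (replay .LOG1/.LOG2 before analysis)" if info["dirty"] else "clean"
    csum = "ok" if info["checksum_ok"] else "MISMATCH"
    return (f"{info['hive_name']}: v{info['version']}, last written "
            f"{info['last_written'].isoformat()}, seq {info['primary_seq']}/"
            f"{info['secondary_seq']} -> {state}, header checksum {csum}")


if __name__ == "__main__":
    for hive in (CLEAN_HIVE, DIRTY_HIVE):
        print(triage(hive))
```

Pointing `parse_regf_header` at the first 512 bytes of a collected `NTUSER.DAT`, `SAM` or `SYSTEM` file gives the same fields; a checksum mismatch usually means a truncated or partially overwritten copy, and a dirty flag means the hive on disk lags the live registry until its logs are applied.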
Private user data can also be found in the file system and the registry:
| Path | Description |
|---|---|
| C:\Documents and Settings\Administrator\Cookies | Cookies |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files | Temporary Internet Files |
| ~\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat | Internet History |