Today we discussed the Windows registry: its organization, the persistent components on disk and the volatile components in memory, its structure, and its forensic value. I strongly recommend the following resources:
A Few Forensic Applications
Below are a few example items I have commonly found useful within the Registry. There are certainly plenty more:
- Computer name
- Timezone
- MAC address(es)
- Wireless SSIDs
- Mounted shares
- Audit policies
- Auto start applications (per user)
- Services (system)
- Mounted USB devices
- Timestamps (entries, sorted by time, can function as a sort of log)
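As an added example (not part of the lecture notes), the following PowerShell script pulls most of the items above from a live system's registry. It assumes an elevated prompt on a modern Windows host and uses the well-known locations for each artifact; the helper names (Forensics.RegApi, Get-RegKeyLastWrite, Convert-SystemTime) are this example's own. Key LastWriteTime is not exposed by the PowerShell registry provider, so it is read via RegQueryInfoKey, which is what makes the "sorted by time" log-style view possible. HKLM\SECURITY is readable only as SYSTEM, so the audit policy key is reported by path rather than parsed.

```powershell
# RegQueryInfoKey returns the key's LastWriteTime, which Get-Item does not surface.
Add-Type -Namespace Forensics -Name RegApi -MemberDefinition @'
[DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, System.Text.StringBuilder lpClass, ref uint lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWrite {
    # Helper (example's own name): UTC last-write time of an open RegistryKey.
    param([Microsoft.Win32.RegistryKey]$Key)
    $cb = [uint32]0; $a = $b = $c = $d = $e = $f = $g = [uint32]0; $ft = [long]0
    $rc = [Forensics.RegApi]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(), $null, [ref]$cb,
        [IntPtr]::Zero, [ref]$a, [ref]$b, [ref]$c, [ref]$d, [ref]$e, [ref]$f, [ref]$g, [ref]$ft)
    if ($rc -ne 0) { return $null }
    [DateTime]::FromFileTimeUtc($ft)
}

function Convert-SystemTime {
    # Helper (example's own name): decode a 16-byte SYSTEMTIME blob
    # (year, month, day-of-week, day, hour, minute, second, millisecond as UInt16).
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 16) { return $null }
    $w = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    [DateTime]::new($w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7])
}

$sys    = 'HKLM:\SYSTEM\CurrentControlSet'
$report = [ordered]@{}

# Computer name and time zone (needed to interpret every other local timestamp)
$report.ComputerName = (Get-ItemProperty "$sys\Control\ComputerName\ComputerName").ComputerName
$tz = Get-ItemProperty "$sys\Control\TimeZoneInformation"
$report.TimeZone = "$($tz.TimeZoneKeyName) (ActiveTimeBias $($tz.ActiveTimeBias) min)"

# Network profiles: NameType 71 = wireless, so ProfileName is the SSID
$nl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$report.WirelessSSIDs = Get-ChildItem "$nl\Profiles" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.NameType -eq 71 } |
    Select-Object ProfileName, Description,
        @{ n = 'LastConnected'; e = { Convert-SystemTime $_.DateLastConnected } }

# MAC of the default gateway recorded for each network signature
$report.GatewayMACs = Get-ChildItem "$nl\Signatures\Unmanaged" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Network    = $p.FirstNetwork
                           GatewayMAC = ($p.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ':' }
    }

# Mapped network shares for the current user (drive letter -> UNC path)
$report.MappedShares = Get-ChildItem 'HKCU:\Network' -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.PSChildName): $((Get-ItemProperty $_.PSPath).RemotePath)" }

# Audit policy lives in the SECURITY hive, which only SYSTEM can read on a live box
$report.AuditPolicyKey = 'HKLM\SECURITY\Policy\PolAdtEv (binary; parse from an offline hive copy)'

# Autostart entries, per machine and per user, each tagged with its key's last write
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$report.AutoStart = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $k; Name = $name; Command = $item.GetValue($name)
                               KeyLastWrite = Get-RegKeyLastWrite $item }
        }
    }
}

# Services: binary path, start type, and when the service key was last modified
$report.Services = Get-ChildItem "$sys\Services" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.ImagePath) {
        [pscustomobject]@{ Source = $_.PSChildName; Command = $p.ImagePath; Start = $p.Start
                           KeyLastWrite = Get-RegKeyLastWrite $_ }
    }
}

# USB mass-storage history: device class, serial/instance id, friendly name
$report.USBStorage = Get-ChildItem "$sys\Enum\USBSTOR" -ErrorAction SilentlyContinue | ForEach-Object {
    $dev = $_
    Get-ChildItem $dev.PSPath | ForEach-Object {
        [pscustomobject]@{ Source = $dev.PSChildName; Name = $_.PSChildName
                           Command = (Get-ItemProperty $_.PSPath).FriendlyName
                           KeyLastWrite = Get-RegKeyLastWrite $_ }
    }
}

$report

# Key last-write times, newest first, read as a rough activity log across artifact types
@($report.AutoStart) + @($report.Services) + @($report.USBStorage) |
    Where-Object { $_ } | Sort-Object KeyLastWrite -Descending |
    Select-Object KeyLastWrite, Source, Name, Command | Format-Table -AutoSize
```

The last-write time applies to the key, not to individual values, so a Run key with ten entries shows one timestamp: the most recent change to any of them. Treat the timeline as a lead to confirm against event logs or the offline hive's transaction logs, not as proof of when a specific value appeared.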