These lists are maintained in case the user returns to them in the future. There are numerous MRU list locations throughout various Registry keys.
The SID appears as: Sġ6 Forensic Analysis User ID SID (security identifier) Well-known SIDs SID: S-1-0 Name: Null Authority SID: S Name: Network S S 1 string is SID revision number 5 authority level (from 0 to 5) domain or local computer identifier 1006 RID Relative identifier Local SAM resolves SID for locally authenticated users (not domain users) Use recycle bin to check for ownersġ8 Forensics Analysis: NTUSER.DAT Internet Explorer IE auto logon and password IE search terms IE settings Typed URLs Auto-complete passwordsġ9 Forensics Analysis - NTUSER.DAT IE explorer Typed URLsĢ0 Forensic Analysis MRU List A Most Recently Used List contains entries made due to specific actions performed by the user.
The Relative ID (RID) is used to identity the specific user on the computer system.
The Security ID (SID) is used to identify the computer system. 1 CSN08101 Digital Forensics Lecture 10: Windows Registry Module Leader: Dr Gordon Russell Lecturers: Robert LudwiniakĢ Lecture Objectives Windows Registry Structure Properties Examples Timeline Analysis Web Browsers Internet Explorer FireFoxĤ Road to Central Depository DOS config.sys & autoexec.bat Windows 3.0 INI file Windows 3.1 Start of the idea of a central repository Windows 95 and beyond Establishment and expansion of the registryĥ Understanding the Windows Registry Registry A database that stores hardware and software configuration information, network connections, user preferences, and setup information For investigative purposes, the Registry can contain valuable evidence To view the Registry, you can use: Regedit (Registry Editor) program for Windows 9x systems Regedt32 for Windows 2000 and XPĦ Organisation and Terminology At the physical level Files called hives Located in: %SYSTEMROOT%\System32\config Keys (analogous to folders) Values (analogous to files) Hierarchy: Hives Keys Valuesĩ Hive Properties HKEY_USERS all loaded user data HKEY_CURRENT_USER currently logged on user (NTUSER.DAT) HKEY_LOCAL_MACHINE array of software and hardware settings HKEY_CURRENT_CONFIG hardware and software settings at start-up HKEY_CLASSES_ROOT contains information about application needs to be used to open filesġ1 Windows 7 Root Keys Windows 7 Root Keysġ2 Registry: A Wealth of Information Information that can be recovered include: System Configuration Devices on the System User Names Personal Settings and Browser Preferences Web Browsing Activity Files Opened Programs Executed Passwordsġ5 Windows Security and Relative ID The Windows Registry utilizes a alphanumeric combination to uniquely identify a security principal or security group.
0 kommentar(er)
