Windows Registry Forensics

Windows Registry Forensics

Volumn , Issue , 2011, Pages

  Carvey, Harlan ^a   Hull, Dave ^b  

^a Terremark Worldwide Inc   (United States)

^b NONE

Author keywords

[No Author keywords available]

Indexed keywords

EID: 85013686818     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1016/C2009-0-63856-3     Document Type: Book

References (113)

1. Windows NT contains file system tunneling capabilities. Microsoft Support. N.p., n.d. (accessed 28.07.10). http://support.microsoft.com/kb/172190.
2. How to disable the Prefetcher component in Windows XP. Microsoft Support. (accessed 29.03.07). http://support.microsoft.com/kb/307498.
3. Support for Windows Server 2003 SP1 on Windows Storage Server 2003-based server appliances. Microsoft Support. (accessed 31.03.07). http://support.microsoft.com/kb/894372.
4. Windows registry information for advanced users. Microsoft Support. (accessed 04.02.08). http://support.microsoft.com/kb/256986.
5. Understanding and configuring registry size limit (RSL). Microsoft Support. (accessed 20.02.07). http://support.microsoft.com/kb/124594.
6. Registry size limit functionality has been removed from Windows Server 2003 and from Windows XP. Microsoft Support. (accessed 28.12.07). http://support.microsoft.com/kb/292726.
7. Registry redirector. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/aa384232(VA.85).aspx.
8. Registry changes in x64-based versions of Windows Server 2003 and in Windows XP Professional x64 edition. Microsoft Support. (accessed 21.04.08). http://support.microsoft.com/kb/869459.
9. Registry virtualization. Microsoft Developers Network. http://msdn.microsoft.com/en-us/library/aa965884(VS.85).aspx.
10. What are ControlSets? What is CurrentControlSet?. Microsoft Support. (accessed 01.11.06). http://support.microsoft.com/kb/100010.
11. File types. Microsoft Developers Network. http://msdn.microsoft.com/en-us/library/cc144148(VS.85).aspx.
12. Offline NT password & registry editor. http://pogostick.net/~pnh/ntpasswd.
13. Info: working with the FILETIME structure. Microsoft Support. (accessed 23.01.07). http://support.microsoft.com/kb/188768.
14. SystemTime structure. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/ms724950%28VA.85%29.aspx.
15. Registry value types. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/ms724884.aspx.
16. AutoRuns for Windows v10.02. Microsoft SysInternals site. (accessed 22.07.10). http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx.
17. Script Center Home Page. Microsoft. http://technet.microsoft.com/en-us/scriptcenter/default.aspx.
18. Registry key security and access rights. Microsoft. http://msdn.microsoft.com/en-us/library/ms724878(VS.85).aspx.
19. A. Schuster, Computer Forensic Blog. http://computer.forensikblog.de/en.
20. Virus alert about the Win32/Conficker worm. Microsoft Support. (accessed 8.07.10). http://support.microsoft.com/kb/962007.
21. Browse regshot Files on Sourceforge.net. SourceForge.net. http://sourceforge.net/projects/regshot/files.
22. Process Monitor v2.92. Microsoft SysInternals. http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
23. How to debug Windows Services. Microsoft Support. (accessed 2.07.10). http://support.microsoft.com/kb/824344.
24. How to turn off Windows Update feature in Windows XP. Microsoft Support. (accessed 25.01.10). http://support.microsoft.com/kb/892894.
25. AccessData Product Downloads. http://www.accessdata.com/downloads.html.
26. Technology Pathways - Computer Forensics, Digital Discovery, Auditing, Incident Response. http://www.techpathways.com/DesktopDefault.aspx?tabindex=3%26tabid=12.
27. Tools and utilities for Windows. ImDisk Virtual Disk Driver. http://www.ltr-data.se/opencode.html#ImDisk.
28. ASR Data - Smart Mount. http://www.asrdata.com/SmartMount.
29. Binary Intelligence: Run RegRipper against a mounted drive. (accessed 14.05.10). http://www.binint.com/2010/05/run-regripper-against-mounted-drive.html.
30. NSSA Documentation: RegRipper, RegView, and Bluetooth Registry Settings.Blog post, 7 Oct 2008, . http://nssadoc.blogspot.com/2008/10/regripper-regview-and-bluetooth.html.
31. Security Ripcord ----------gt;----------gt; Scripts and Tools. http://www.cutawaysecurity.com/blog/scripts-and-tools.
32. Open Perl IDE. http://open-perl-ide.sourceforge.net.
33. EPIC - Eclipse Perl Integration. http://www.epic-ide.org.
34. Security Identifier. Wikipedia, . http://en.wikipedia.org/wiki/Security_Identifier.
35. How to determine audit policies from the Registry. Microsoft Support. (accessed 01.11.06). http://support.microsoft.com/kb/246120.
36. Offline NT Password& Registry Editor. http://www.pogostick.net/~pnh/ntpasswd.
37. How to use the UserAccountControl flags to manipulate user account properties. Microsoft Support. (accessed 03.12.07). http://support.microsoft.com/kb/305144.
38. Live View. http://liveview.sourceforge.net.
39. How to use the SysKey utility to secure the Windows Security Accounts Manager database. Microsoft Support. (accessed 30.10.06). http://support.microsoft.com/kb/310105.
40. Tarasco Security: Password Dumper - PWDump 7 for Windows. http://www.tarasco.org/security/pwdump_7.
41. oxid.it - Cain & Abel. http://www.oxid.it/cain.html.
42. LM Hash. Wikipedia, . http://en.wikipedia.org/wiki/LM_hash.
43. NTLM. Wikipedia, . http://en.wikipedia.org/wiki/NTLM.
44. How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases. Microsoft Support. (accessed 03.12.07). http://support.microsoft.com/kb/299656.
45. Hacking Case. NIST. http://www.cfreds.nist.gov/Hacking_Case.html.
46. How to turn on automatic logon in Windows XP. Microsoft Support. (accessed 10.06.08). http://support.microsoft.com/kb/315231.
47. OphCrack. SourceForge. http://ophcrack.sourceforge.net.
48. SAMInside. InsidePro.com. (accessed 25.08.10). http://www.insidepro.com/eng/saminside.shtml.
49. L0phtCrack6. L0phtCrack.com. http://www.l0phtcrack.com.
50. What are ControlSets? What is CurrentControlSet? Microsoft Support. (accessed 1.11.06). http://support.microsoft.com/kb/100010.
51. CurrentControlSet\Services Subkey Entries. Microsoft Support. (accessed 11.12.06). http://support.microsoft.com/kb/103000.
52. A description of SvcHost.exe in Windows XP Professional Edition. Microsoft Support. (accessed 10.12.07). http://support.microsoft.com/kb/314056.
53. SANS Computer Forensic Investigation and Incident Response. http://blogs.sans.org/computer-forensics.
54. TrueCrypt. http://www.truecrypt.org.
55. Windows 7, Windows 2008 R2, and Windows Vista setup log file locations. Microsoft Support. (accessed 15.3.07). http://support.microsoft.com/kb/927521.
56. Microsoft Word bites Tony Blair in the butt. http://www.computerbytesman.com/privacy/blair.htm.
57. Registry Entries for Printing. Microsoft Support. (accessed 26.11.07). http://support.microsoft.com/kb/102966.
58. Windows Firewall. Microsoft TechNet. http://technet.microsoft.com/en-us/network/bb545423.aspx.
59. FakeAlert-Winwebsecurity. McAfee. http://vil.nai.com/vil/content/v_153577.htm.
60. Trojan-Proxy.Win32.Mitglieder.ee. SecureList. http://www.securelist.com/en/descriptions/old126765.
61. Exploring the windows firewall. Microsoft TechNet. http://technet.microsoft.com/en-us/magazine/2007.06.vistafirewall.aspx.
62. The "netsh firewall" command together with the "profile=all" parameter does not configure the public profile on a Windows Vista-based computer. Microsoft Support. (accessed 1.02.08). http://support.microsoft.com/kb/947213.
63. How to use the "netsh advfirewall firewall" context instead of the "netsh firewall" context to control Windows Firewall behavior in Windows Server 2008 and in Windows Vista. Microsoft Support. (accessed 5.12.08). http://support.microsoft.com/kb/947709.
64. Microsoft TCP/IP Host name resolution order. Microsoft Support. http://support.microsoft.com/kb/172218.
65. 'P' Switch for route command added to Windows, Microsoft Support. (accessed 20.02.07). http://support.microsoft.com/kb/141383.
66. NtfsDisableLastAccessUpdate. Microsoft Technet. http://technet.microsoft.com/en-us/library/cc758569%28WS.10%29.aspx.
67. NtfsDisable8dot3NameCreation. Microsoft TechNet. http://technet.microsoft.com/en-us/library/cc959352.aspx.
68. How to clear the Windows paging file at shutdown. Microsoft Support. (accessed 20.07.10). http://support.microsoft.com/kb/314834.
69. Internet Explorer file downloads over SSL do not work with the cache control headers. Microsoft Support. (accessed 15.11.07). http://support.microsoft.com/kb/323308.
70. HTTP/1.1 Header Field Definitions. W3.org. http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html.
71. Robert Hensing's Blog. Microsoft TechNet Blogs. 15 November 2006, . http://blogs.technet.com/b/robert_hensing.
72. Definition of the RunOnce Keys in the Registry. Microsoft Support. (accessed 19.01.07). http://support.microsoft.com/kb/137367.
73. Registry changes in x64-based versions of Windows Server 2003 and in Windows XP Professional x64 Edition. Microsoft Support. (accessed 21.04.08). http://support.microsoft.com/kb/896459.
74. Registry keys affected by WOW64. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/aa384253%28VS.85%29.aspx.
75. INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup. Microsoft Support. (accessed 21.11.06). http://support.microsoft.com/kb/179365.
76. Registry Entries. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/aa379402%28VS.85%29.aspx.
77. Generic Downloader.z!1516DDBD. McAfee. http://vil.nai.com/vil/content/v_149604.htm.
78. How to debug Windows Services. Microsoft Support. http://support.microsoft.com/kb/824344.
79. How to turn off the Windows Update feature in Windows XP. Microsoft Support. 28 January 2005, (accessed 28.01.05). http://support.microsoft.com/kb/892894.
80. Using image file execution options as an attack vector on Windows. , 2005. http://silverstr.ufies.org/blog/archives/000809.html.
81. A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm. Microsoft Support. (accessed 24.08.10). http://support.microsoft.com/kb/2264107.
82. Dynamic-Link Library Search Order. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/ms682586.
83. Malware Persistence without the Windows Registry. blog, 15 July 2010, . http://blog.mandiant.com/archives/1207.
84. REG: CurrentControlSet Entries PART 2: SessionManager. Microsoft Support. (accessed 1.11.06). http://support.microsoft.com/kb/102985.
85. INFO: Windows NT/2000/XP Uses KnownDLLs registry entry to find DLLs. Microsoft Support. (accessed 21.11.06). http://support.microsoft.com/kb/164501.
86. User Profile Structure. Microsoft TechNet. http://technet.microsoft.com/en-us/library/cc775560%28WS.10%29.aspx.
87. Well-known security identifiers in Windows operating systems. Microsoft Support. (accessed 12.01.10). http://support.microsoft.com/kb/243330.
88. How to Associate a Username with a Security Identifier (SID). Microsoft Support. (accessed 27.02.07). http://support.microsoft.com/kb/154599.
89. The "Set roaming profile path for all users logging onto this computer" Group Policy setting also applies to local user accounts in Windows Server 2008. Microsoft Support. (accessed 21.10.08). http://support.microsoft.com/kb/958736.
90. How to Prevent a User from Changing the User Profile Type. Microsoft Support. (accessed 21.02.07). http://support.microsoft.com/kb/150919.
91. 2.2.11 User Account Control. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/cc232771%28v=PROT.10%29.aspx.
92. WCZ_WLAN_CONFIG. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/aa448338.aspx.
93. SYSTEMTIME. Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/aa908737.aspx.
94. Unnamed, Perl script by Joshua D. Abraham, . http://spl0it.org/files/bssid-location.pl.
95. The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, or Windows XP. Microsoft Support. http://support.microsoft.com/?kbid=890830.
96. Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment. Microsoft Support. http://support.microsoft.com/kb/891716.
97. SANS Computer Forensic Investigation and Incident Response. SANS Forensic Blog. 16 August 2010, . https://blogs.sans.org/computer-forensics.
98. How to limit the maximum size of the Scheduled Tasks Log File. Microsoft Support. (accessed 3.12.07). http://support.microsoft.com/kb/169443.
99. Changes to Shell Open Command. About.Com: AntiVirus Software. http://antivirus.about.com/od/windowsbasics/a/shellopen.htm.
100. You cannot start programs when your computer is infected with the SirCam virus. Microsoft Support. (accessed 29.03.07). http://support.microsoft.com/kb/311446.
101. Abusing Image File Execution Options. SANS Internet Storm Center blog. 28 February 2008, . http://isc.sans.edu/diary.html?storyid=4039.
102. A definition of the Run keys in the Windows XP registry. Microsoft Support. 1 December 2007, . http://support.microsoft.com/kb/314866.
103. My view settings or customizations for a folder are lost or incorrect. Microsoft Support. 15 July 2009, (accessed 15.07.09). http://support.microsoft.com/kb/813711.
104. Y. Zhu, P. Gladyshev, J. James, Using shellbag information to reconstruct user activities, Digit. Invest. 6 (Supp. 1) (2009). http://cci.ucd.ie/content/using-shellbag-information-reconstruct-user-activities.
105. TraceHunter. The UCD Centre for Cybercrime Investigation. http://cci.ucd.ie/tracehunter.
106. Didier Stevens. http://blog.didierstevens.com/programs/userassist/.
107. INSECURE-Mag-10.pdf. [IN]SECURE Mag. (10) (2007). (issue 10, pp. 72-77, last accessed 3.11.2010). http://www.net-security.org/dl/insecure/INSECURE-Mag-10.pdf.
108. ITEMIDLIST structure. Microsoft Developer Network. (accessed 19.10.2010). http://msdn.microsoft.com/en-us/library/bb773321%28VS.85%29.aspx.
109. WD2000: general information about Word 2000 instrumented version. Microsoft Support. (accessed 23.10.02). http://support.microsoft.com/kb/239062.
110. Policy settings for the Start menu in Windows XP. Microsoft Support. (accessed 02.07.10). http://support.microsoft.com/kb/292504.
111. MojoPac. Wikipedia, . http://en.wikipedia.org/wiki/MojoPac.
112. MokaFive. Wikipedia, . http://en.wikipedia.org/wiki/MokaFive.
113. How to remove entries from the remote desktop connection computer box. Microsoft Support. (accessed 01.11.06). http://support.microsoft.com/kb/312169.