Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • Forensics Windowsregistry Cheat Sheet 161221024032

    Încărcat de

    Narayan
    162 vizualizări1 pagină
    Registry CheatSheet

    Titlu original

    Forensics Windowsregistry Cheat Sheet 161221024032 (2)

    Drepturi de autor

    © © All Rights Reserved

    Formate disponibile

    PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    Registry CheatSheet

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    162 vizualizări1 pagină

    Forensics Windowsregistry Cheat Sheet 161221024032

    Încărcat de

    Narayan
    Registry CheatSheet

    Drepturi de autor:

    © All Rights Reserved
    Descărcați ca PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 1

    \5001 Search the Internet

    \Software\Microsoft\Search \5603 All or part of the filename


    XP Search History
    Assistant\ACMru \5604 A word or pase in a file

    \5647 Computers or people

    \Software\Microsoft\Windows\Curre
    Recent Docs
    ntVersion\Explorer\RecentDocs

    Word FileMRU

    10 Excel

    PowerPoint
    Oce Recent Docs \Software\Microsoft\
    11

    12

    14

    Last path of file Opened


    (KEY) SAM HKEY_LOCAL_MACHINE\SAM Executable Used
    LastVisited
    (KEY) SECURITY HKEY_LOCAL_MACHINE\Security LastVisitedMRU
    \Software\Microsoft\Windows\Curre
    (KEY) SYSTEM HKEY_LOCAL_MACHINE\System Hives ntVersion\Explorer\ComDI32\ LastVisitedPid1MRU
    Dialog Boxes
    (KEY) SOFTWARE HKEY_LOCAL_MACHINE\Software Save File Dialog Box
    (KEY) NTUSER.DAT HKEY_USER NTUSER.DAT Open File Dialog Box
    OpenAndSave
    RegRipper OpenSaveMRU
    Tools \Software\Microsoft\Windows\Curre
    Recover delete Yaru ntVersion\Explorer\ComDI32\ OpenSavePidMRU
    SAM Software\Microsoft\Windows\Curre
    ntVersion\Explorer\RunMRU\
    SECURITY
    Comands Executed Software\Microsoft\Windows\Curre
    SYSTEM %WinDir%\System32\Config ntVersion\Explorer\Policies\RunMR
    SOFTWARE U\
    Ubication
    DEFAULT Software\Microsoft\Windows\Curre
    Windows Registry Evidence ntVersion\Explorer\UserAssist\
    (XP) Documents and Settings\<username>\NTUSER.dat {GUID}\Count
    NTUSER.dat
    (Vista,Win7 y 8) Users\<username>\NTUSER.dat encoged ROT-13

    (Vista,Win7 y 8) Users\<username> \NTUSER.dat USRCLASS.dat Last run time

    %WinDir%\System32\Config\RegBack Backup Run count

    Time UTC Every Key has Last Write Time TimeStamps Program Executed RUNPATH

    Most Recent Used MRUList RUNCPL

    Key value for Keep track most RUNPIDL


    recent additions UEME_
    UIQCUT
    Properties
    Knowing the exact order will aid in MRU
    UISCUT
    determing the order of activity MRUList
    UITOOLBAR
    Last write time of the Key will be
    the time the first MRUlist entry Microsoft\Windows
    value occurred SOFTWARE OS Version
    NT\CurrentVersion

    \CurrentControlSet\Control\Comput
    Computer Name
    erName\ComputerName

    ControlSet00x
    CurrentControlSet
    \Select\Current

    \CurrentControlSet\Services\Tcpip\
    Network interfaces
    Parameters\Interfaces

    \CurrentControlSet\Control\TimeZo
    SYSTEM neInformation

    UTC = Local Time + ActiveTimeBias


    Time Zone
    Local Time = UTC - ActiveTimeBias
    Formulas
    Standard Time = Bias + StandardBias

    Daylight Time = Bias + DaylightBias

    \CurrentControlSet\Control\TimeZo
    Time Zone Information
    neInformation

    S-ar putea să vă placă și