
Prodiscover basic download 64 bit windows

In fact, after writing the first edition of Windows Forensic Analysis (Syngress Publishing, published in 2007, a.k.a., WFA), it was pretty clear to me that listing Registry keys and files wasn't as effective as providing examples of Registry analysis, and of how all of these could be used together. When I sat down to write this book, I was aware that for most folks, providing spreadsheets, tables, and lists of Registry keys and values would not be an entirely effective means of communicating and sharing information about Registry analysis.
Harlan Carvey, in Windows Registry Forensics, 2011

Introduction

As you can see in Figure 5.1, the Registry is made up of keys, values, and value data.

[Figure 5.1] Registry viewed via “RegEdit.exe.”

It is important for analysts to understand the differences between these various objects, as they have different properties associated with them. For example, Registry keys (the folders visible in the left pane in Figure 5.1) contain subkeys and values, and also have a property referred to as the LastWrite time. This is a 64-bit FILETIME (a description of the FILETIME object can be found at ) time stamp that refers to the last time the key was modified in some way. This can include the key being created (creation or deletion being the extreme form of modification), or subkeys or values within the key being added, deleted, or modified. This is an important distinction, as Registry values do not have LastWrite times; however, some Registry values may contain time stamps within their data that refer to some other function or action having occurred. The value of the Registry key LastWrite times, as well as time stamps recorded within the data of various values, will be discussed through case studies in this chapter, and are also discussed in Chapter 7.

Another aspect of Registry monitoring the digital investigator should consider is “auto-starting” artifacts. When a system is rebooted, there are a number of places that the Windows operating system uses to automatically start programs. These auto-starting locations exist in particular folders, Registry keys, system files, and other areas of the operating system. References to malware may be found in these auto-starting locations as a persistence mechanism, increasing the longevity of a hostile program on an infected computer.

The number and variety of auto-start locations on the Windows operating system have led to the development of tools for automatically displaying programs that are configured to start automatically when the computer boots. Some of the more commonly used tools for discovering these artifacts include:

WhatInStartup: (supersedes currently available but obsolete tool, StartupRun (Strun), ).
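The LastWrite time discussed in this excerpt is a 64-bit FILETIME: a count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, stored little-endian in the hive. The following is an added example, not code from the book, the page, or any tool it names; it decodes such a value into a UTC datetime, performs the inverse conversion for cross-checking, and applies a simple plausibility check so that a zeroed or future LastWrite time (which decodes to 1601 or to a date after the acquisition) is not taken at face value. The function names, the 1980 lower bound in `is_plausible_lastwrite`, and the sample byte strings are assumptions constructed for this example.

```python
"""Decode Registry key LastWrite times (64-bit FILETIME) into UTC datetimes.

Added example for this page; not code from the book or any tool named on it.
A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC and
is stored as 8 little-endian bytes in hive files.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10          # one FILETIME tick is 100 ns
TICKS_PER_SECOND = 10_000_000

# Well-known reference value: the Unix epoch (1970-01-01T00:00:00Z) as a FILETIME.
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000

# Constructed sample: the 8 little-endian bytes of UNIX_EPOCH_FILETIME as they
# would appear in a hive cell or a REG_BINARY value.
SAMPLE_LE_BYTES = bytes.fromhex("00803ed5deb19d01")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    if not 0 <= ft < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    try:
        # datetime resolves to microseconds, so the sub-microsecond tick digit is dropped.
        return FILETIME_EPOCH + timedelta(microseconds=ft // TICKS_PER_MICROSECOND)
    except OverflowError as exc:
        raise ValueError(f"FILETIME {ft} is beyond datetime's range") from exc


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; a naive datetime is treated as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * TICKS_PER_MICROSECOND)


def parse_filetime_le(raw: bytes) -> datetime:
    """Decode 8 little-endian bytes (hive on-disk layout) as a FILETIME."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    (ft,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(ft)


def is_plausible_lastwrite(dt: datetime, now: Optional[datetime] = None) -> bool:
    """Flag LastWrite times that cannot be genuine modification times.

    A zeroed FILETIME decodes to 1601-01-01 and a corrupted or tampered one
    may land in the future; both deserve a closer look rather than being
    placed on a timeline as-is. The 1980 lower bound is an assumed cut-off
    (no Windows Registry predates it), not a value from the page.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    lower_bound = datetime(1980, 1, 1, tzinfo=timezone.utc)
    upper_bound = now + timedelta(days=1)      # tolerate small clock skew
    return lower_bound <= dt <= upper_bound


def main() -> None:
    # Decode the constructed sample bytes and show the round trip.
    decoded = parse_filetime_le(SAMPLE_LE_BYTES)
    print("raw bytes :", SAMPLE_LE_BYTES.hex())
    print("decoded   :", decoded.isoformat())
    print("round trip:", datetime_to_filetime(decoded) == UNIX_EPOCH_FILETIME)

    # A second constructed value built from a datetime, then packed as the hive would store it.
    ft_2011 = datetime_to_filetime(datetime(2011, 1, 1, tzinfo=timezone.utc))
    packed = struct.pack("<Q", ft_2011)
    print("2011 value:", ft_2011, "->", parse_filetime_le(packed).isoformat())

    # Plausibility: a zeroed LastWrite field is not a real modification time.
    print("zero FILETIME plausible?", is_plausible_lastwrite(filetime_to_datetime(0)))
    print("2011 FILETIME plausible?", is_plausible_lastwrite(filetime_to_datetime(ft_2011)))


if __name__ == "__main__":
    main()
```

When reconciling a key's LastWrite time against time stamps embedded in value data (the distinction the excerpt draws), decode both with the same routine and compare in UTC; converting to local time before comparison is a common source of apparent one-hour or one-day discrepancies.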
