
Some Pitfalls of Interpreting Forensic Artifacts in Windows Registry

Pavel Gladyshev


This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes that affect the forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices. Current forensic literature and tools do not yet reflect these changes – hence this post.

WindowsRegistryForensics.zip


3 Comments

  • Habeeb

    November 2, 2012 at 8:09 am

    Thank you for sharing your observations and learning.

  • Jason Farina

    November 9, 2012 at 2:58 pm

    Thanks. A very interesting read, and I look forward to playing with the Bash scripts :)

  • Daniel Beaulieu

    August 11, 2013 at 2:22 am

    I cannot thank you enough for that article. Really, thank you!
