ACCESSDATA SUPPLEMENTAL APPENDIX




Important: At the time of this writing, most of the information contained in this paper is not published by Microsoft and is based on personal research. As such, please consider validating these results prior to relying on them as the basis for any conclusions. Please keep in mind that, as with all Windows artifact behavior, the information contained in this paper is subject to change at any time. In addition to the conditions stated below, there may be additional user actions that may contribute to these entries.

This appendix reviews common locations in the Windows and Windows Internet-related registries where you can find data of forensic interest.

Information on page 2
SAM Information on page 19
SECURITY Information on page 21
Information on page 21
Information on page 28

Note: Under the column, an XP indicates that this information is found in XP. A V references Vista, and a 7 references Windows 7 in its first release. If no notation is made in the column, it means this was found in XP, but not tested in other versions.

9-25-10 2010 AccessData Group, LLC. All Rights Reserved 1

INFORMATION

Artifact | Location | Description | Updated | Versions
Access 2007 MRU | \Software\Microsoft\Office\12.0\Access\Settings | MRU list for MS Access Database files (MRU1-MRU9). | database is closed | Office 2007
Access 2007 MRU Dates | \Software\Microsoft\Office\12.0\Access\Settings | Tracks date of last access associated with MRU1-9 (MRUDate1-MRUDate9). | database is closed | Office 2007
Access Recent Databases | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office Access\Settings\File New Database\File Name MRU | Microsoft Access recent databases in the value. | | Pre Office 2007
Adobe | \Software\Adobe\* | Lists Adobe products such as Acrobat and FrameMaker. | |
AIM | \Software\America Online\AOL InstantMessenger\Current\Users\username | Lists IM contacts, file transfer information, etc. | |
AIM Away Messages | \Software\America Online\AOL Instant Messenger(TM)\Current\Users\screen name\IAmGoneList | Shows default and customized Away messages. | |
AIM File Transfers & Sharing | \Software\America Online\AOL Instant Messenger\Current\Users\screen name\Xfer | Shows settings for file transfers and sharing. | |

AIM Last User | \Software\America Online\AOL Instant Messenger (TM)\Current\Login - Screen Name | Shows the screen name of the last logged-in user. | |
AIM Profile Info | \Software\America Online\AOL Instant Messenger\Current\Users\screen name\direntry | Shows user profile information (optional). | |
AIM Recent Contacts | \Software\America Online\AOL Instant Messenger\Current\users\username\recent IM ScreenNames | Shows a list of recently contacted buddies. | |
AIM Registered Users | \Software\America Online\AOL Instant Messenger\Current\Users | Shows registered AIM users on the machine. | |
AIM Saved Buddy List | \Software\America Online\AOL Instant Messenger\Current\Users\username\Config Transport | Shows the directory path of a saved Buddy List, a BLT file. | |
Application Information | \Software\%Application Name% | This class of registry keys contains the information each application stores in the registry. | |
Autorun USBs, CDs, DVDs | \Software\Microsoft\Windows\Current\Explorer\AutoplayHandlers / DisableAutoplay | 0=Enabled 1=Disabled | |
Note: Updated/Versions cells on this page that could not be matched to a row: At login; the application closes; At sign-on; XP, V.

BitLocker To Go | \Software\Microsoft\Windows\Current\FveAutoUnlock\<guid> | Indicates the user-selected Remember a USB setting to bypass entering the password on this system. | Upon selecting, recognize the drive on this machine | 7
CD Burning | \Software\Microsoft\Windows\Current\Explorer\CD Burning\Drives\Volume<guid>\Current Media | May show previous CD/DVD volume names inserted under Disc Label value. Normally, removes volume name on dismount. | N/A | V, 7
CD Burning | \Software\Microsoft\Windows\Current\Explorer\CD Burning\Current Media / Disc Label | Current Media subkey created upon mounting drive. Removed on dismount. | Upon mounting and dismounting | XP
Chat Rooms | \Software\Yahoo\Pager\profiles\screen name\chat | Shows information for chat rooms visited or created. | |
Converted Wallpaper | \Control Panel\Desktop | Identifies graphics that are converted to wallpaper. | |
Converted Wallpaper | \Control Panel\Desktop | Identifies date and time of converted wallpaper. | |
Drives mounted by user | \Software\Microsoft\Windows\Current\Explorer\MountPoints2\<guid> | Track the GUID from the MountedDevices GUID in the file. | |
Note: Three "XP, V, 7" Versions cells on this page could not be matched to a row.

EFS | \Software\Microsoft\WindowsNT\Current\EFS\CurrentKeys | Lists the current user's certificate thumbprint. (Each user has a unique certificate thumbprint.) The same certificate thumbprint is contained in the $EFS alternate data stream for every EFS file encrypted by the current user. | |
Excel 2007 Autosave Info | \Software\Microsoft\Office\12.0\Excel\Resiliency\Document Recovery\<id#> | Saves info about currently opened Excel documents. | document is opened and when saves are made | Office 2007
Excel 2007 MRU | \Software\Microsoft\Office\12.0\Excel\File MRU | MRU List for MS Excel spreadsheets (Item1-Item50). Note: The 2nd bracketed number is a 64-bit date/time stamp of when the document was opened. | document is opened | Office 2007
Excel Recent Spreadsheets | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU | Microsoft Excel recent spreadsheets in the value. | | Pre Office 2007
File Extension Associations | \Software\Microsoft\Windows\Current\Explorer\FileExts\.EXT Type | Lists file extension associations and files that have been opened with the Open With command. | | XP, V, 7
File Extensions\Program Association | \Software\Microsoft\Windows\Current\Explorer\FileExts | Identifies associated programs with file extensions. | | XP, V, 7

Folders - Stream MRUs | \Software\Microsoft\Windows\Current\Explorer\StreamMRU | Info on stored folders. | | XP
FTP | \Software\Microsoft\FTP\Accounts\<address> | Local FTP accounts. | |
Google Client History | \Software\Google\NavClient\1.1\History | Contains a list of search terms with date and time stamps if Google is included in the Internet Explorer task bar. | |
ICQ | \Software\Mirabilis\ICQ\* | Lists IM contacts, file transfer information, etc. | |
ICQ Last User | \Software\Mirabilis\ICQ\Owners - LastOwner | Shows the last logged-in user. | At logon |
ICQ Nickname | \Software\Mirabilis\ICQ\Owners\UIN - Name | Nickname of user (optional value). | At logon |
ICQ Registered Users | \Software\Mirabilis\ICQ\Owners\UIN | UIN folder is named for the user. | At logon |
IE Auto Logon and password | \Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer - URL: StringData | Stores IE auto logon IDs and passwords with date and time stamp. | | IE6 and below
IE Auto Complete Passwords | \Software\Microsoft\Internet Explorer\IntelliForms | Stores web page auto-complete passwords. These are encrypted values. | | IE6 and below

IE Auto Complete Web Addresses | \Software\Microsoft\Protected Storage System Provider | Lists web pages wherein autocomplete was utilized. | | IE6 and below
IE Cleared Browser History on/off | \Software\Microsoft\Internet Explorer\Privacy / ClearBrowserHistoryOnExit | 0=Off (default) 1=On. Privacy subkey appears only on first change by user. | Upon changing value in GUI | XP, V, 7
IE Default Download Directory | \Software\Microsoft\Internet Explorer | Identifies the default download directory when utilizing Internet Explorer. | |
IE Favorites List | \Software\Microsoft\Windows\Current\Explorer\MenuOrder\Favorites\<favoritesfoldername> | Lists favorites from IE Favorites drop down selector. | |
IE History Status | \Software\Microsoft\Windows\Current\Internet Settings\5.0\Cache\Extensible Cache\<mshistfoldernames> | Mirrors existing history folder storage hidden from the user in the history files. | |
IE IntelliForms | \Software\Microsoft\Internet Explorer\IntelliForms | Encrypted user data in Storage1 and Storage2 (old PSSP info). | | IE7 and above
IE Search Terms | \Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer - q:stringindex | Stores IE search terms with date and time stamp. | | IE6 and below
Note: One Versions cell on this page ("All") could not be matched to a row.

IE Settings | \Software\Microsoft\Internet Explorer\Main | Stores IE settings such as start page, save directory, home page, and download location. | the application closes | Through IE8
IE Typed URLs | \Software\Microsoft\Internet Explorer\Typed URLs | Stores data entered into the URL Address Bar. | | Through IE8
IE URL History Days Saved | \Software\Microsoft\Windows\Current\Internet Settings\URL History - DaysToKeep | The number of days the system stores URLs visited in IE. The default is 20 days. | | Through IE8
IE Web Form Data | \Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer - q:stringindex | Stores form data provided within IE. | | IE6 and below
IM Contact List | \Software\Microsoft\MessengerService\ListCache\.NET Messenger Service | Contains Contact, Allow, Block, and Reverse entries. | |
IM File Sharing | \Software\Microsoft\MSNMessenger\FileSharing - Autoshare | Shows if file sharing is turned on. | |
IM File Transfers | \Software\Microsoft\Messenger Service - FtReceiveFolder | Shows the location of the Received Files folder. | |
IM File Transfers | \Software\Microsoft\MSNMessenger - FTReceiveFolder | Shows the location of the Received Files folder. | |
IM Last User | \Software\Microsoft\MessengerService\ListCache\.NET Messenger Service - IdentityName | Screen name of last logged-in user. | |
Note: Two Updated cells on this page ("At sign-off") could not be matched to a row.

IM Logging Enabled | \Software\Microsoft\MSN Messenger\PerPassportsettings\########## - MessageLoggingEnabled | Shown if message logging is turned on. | Most on signoff; however, FTReceive is immediate. |
IM Message History | \Software\Microsoft\MSN Messenger\PerPassportsettings\########## - MessageLogPath | Shows the location of message history files. | |
IM MSN Messenger | \Software\Microsoft\MessengerService\ListCache\.NET Messenger Service\* | Contains IM groups, contacts, file transfer information, etc. for MSN Messenger. | |
IM Saved Contact List | \Software\Microsoft\Messenger Service - ContactListPath | Shows the location of a saved Contact List (CTT) file. | |
IMV Usage | \Software\Yahoo\Pager\IMVironments (global value) | Shows usage of IMVironments. | |
IMVs MRU list | \Software\Yahoo\Pager\profiles\screen name\imvironments (user-specific value) | Shows usage of IMVironments. | |
Jump List on Taskbar | \Software\Microsoft\Windows\Current\Explorer\Taskband / Favorites and FavoritesResolve | Shows applications pinned to the taskbar. Retains removed applications. | Upon pinning | 7
Kazaa | \Software\Kazaa\* | Stores configuration, search, download, IM data, etc. for Kazaa. | |
Map Network Drive MRU | \Software\Microsoft\Windows\Current\Explorer\Map Network Drive MRU | Contains a most recently used list of mapped network drives. | NA |

Media Player Recent List | \Software\Microsoft\MediaPlayer\Player\RecentFileList | Contains the user's most recently used list for Windows Media Player. | | XP, V, 7
MRU Last Visited | \Software\Microsoft\Windows\Current\Explorer\ComDlg32\ | Lists the application and filename of the most recent files opened in Windows. | | XP, V, 7
MRU Open Saved | \Software\Microsoft\Windows\Current\Explorer\ComDlg32\OpenSaveMRU | Lists the filename and path of the most recent files saved or copied to a specific location in Windows. | | XP, V, 7
MRU Recent Documents | \Software\Microsoft\Windows\Current\Explorer\RecentDocs\ | Identifies the documents in the Recent Documents list available from the Windows Start menu. | | XP, V, 7
MRU Run MRU | \Software\Microsoft\Windows\Current\Explorer\RunMRU | Lists the most recent commands entered in the Windows Run box. | | XP, V, 7
MRUs - Common Dialog | \Software\Microsoft\Windows\Current\Explorer\ComDlg32 | Last Visited=Application Used. OpenSaveMRU=Recent Docs using the Microsoft Save As Dialog Box. | |
MUICache | \Software\Microsoft\Windows\Shell\MUICache | Tracks the opening of executable files by the operating system. Note: In Windows 7, MUICache moved from to HKCR\LocalSettings\MuiCache. | | V
MUICache - XP | \Software\Microsoft\Windows\ShellNoRoam\MUICache | Tracks the opening of executable files by the operating system. | | XP

Network - Computer Description | \Software\Microsoft\Windows\Current\Explorer\ComputerDescriptions | Network connections | N/A |
Network - Mapped Network Drive MRU | \Software\Microsoft\Windows\Current\Explorer\Map Network Drive MRU | Listed by drive letter | | XP, V, 7
Network - Workgroup Crawler | \Software\Microsoft\Windows\Current\Explorer\WorkgroupCrawler\Shares | Network connections crawled while connected. | |
Outlook Account Passwords | \Software\Microsoft\Protected Storage System Provider\SID\Identification\INETCOMM Server Passwords | Stores Outlook and Outlook Express account passwords. | N/A |
Outlook Recent Attachments | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office Outlook\Settings\Save Attachment\File Name MRU | Microsoft Outlook recent documents. | |
Outlook Temporary Attachment Directory | \Software\Microsoft\Office\version\Outlook\Security | Identifies the location where attachments are stored when they are opened from Outlook. | |
Paint MRU | \Software\Microsoft\Windows\Current\Applets\Paint\Recent File List | MRU for MS Paint documents (File1-File9). | Upon closing the application | XP, V, 7

POP3 Passwords | \Software\Microsoft\Internet Account Manager\Accounts\0000000# | Identifies the current user's POP3 passwords. Note: # is a digit identifying that particular account. | | XP
PowerPoint 2007 Autosave Info | \Software\Microsoft\Office\12.0\PowerPoint\Resiliency\DocumentRecovery\<id#> | Saves info about currently opened PowerPoint documents. | document is opened and when saves are made | Office 2007
PowerPoint 2007 MRU | \Software\Microsoft\Office\12.0\PowerPoint\File MRU | MRU List for MS PowerPoint documents (Item1-Item50). Note: The second bracketed number is a 64-bit date/time stamp of when the document was opened. | document is opened | Office 2007
PowerPoint Recent PPTs | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office PowerPoint\Settings\Save As\File Name MRU | Microsoft PowerPoint recent documents. | Unknown | Pre Office 2007
Printer Default | \Software\Microsoft\WindowsNT\Current\Windows | Identifies the current default printer. | | XP, V, 7
Printer Default | \\printers | Identifies the current default printer. | On shutdown | XP, V, 7

Publisher 2007 MRU | \Software\Microsoft\Office\12.0\Publisher\Recent File List | MRU List for MS Publisher documents (File1-File9). | document is opened | Office 2007
Publisher Recent Documents | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office Publisher\Settings\Save As\File Name MRU | Microsoft Publisher recent documents. | Unknown | Pre Office 2007
Recycle Bin Info | \Software\Microsoft\Windows\Current\Explorer\BitBucket\Volume\<guid> | Tracks recycle bin info by GUID (track GUID back to MountedDevices in the file), Max Capacity in MB, NukeOnDelete. 0=Bin being used (default) 1=Bin is being bypassed | N/A | V, 7
Regedit - Favorites | \Software\Microsoft\Windows\Current\Applets\Regedit\Favorites | Displays user selected favorites in Regedit Utility. | after entering | XP, V, 7
Regedit - Last Key Saved | \Software\Microsoft\Windows\Current\Applets\Regedit / LastKey | Displays last subkey Regedit was on when closed down. | Upon closing Regedit. | XP, V, 7
Run | \Software\Microsoft\Windows\Current\Run | Lists programs that run automatically when the user logs on. | |

Screen Saver Enabled | \Control Panel\Desktop / ScreenSaveActive | 1=Active 0=Disabled. The path/name displays at SCRNSAVE.EXE. Note: In Windows 7, ScreenSaveActive retains a 1 whether enabled or not, but the path/name appears on enable and disappears on disable. | | XP, V, 7
Screen Saver Password Enabled | \Control Panel\Desktop / ScreenSaverIsSecure | 0=No Password Required 1=Password Required if screen saver is active | | XP, V, 7
Screen Saver Timeout | \Control Panel\Desktop / ScreenSaveTimeOut | Length of time, in seconds, before the screen saver becomes active. | | XP, V, 7
Screen Savers and wallpaper | \Control Panel\Desktop\ | Identifies the system's screen saver and wallpaper. | | XP, V, 7
ShellBags | \Software\Microsoft\Windows\Shell\BagMRU | Pointers to link history and other file and folder information. | NA | XP
Start Menu Program List | \Software\Microsoft\Windows\Current\Explorer\MenuOrder\Programs\<appname> | Program listing drawn to the Start button. | N/A | XP

Start Searches entered by user | \Software\Microsoft\Windows\Current\Explorer\WordWheelQuery | In Windows 7, traps search terms entered by the user in the Start > Search box. | After hitting the enter button. | 7
Start Searches entered by user | \Software\Microsoft\SearchAssistant\ACMru\<5###> | Searches from the built-in search engine. 5001=Internet Searches 5603=Files and Folders 5604=Pictures and Music 5647=Computers and People | | XP
Startup Software | \Software\Microsoft\Windows\Current\Run | Stores the applications automatically launched at boot time. This key is a good place to look for trojans. | |
Startup Software | \Software\Microsoft\Windows\Current\RunOnce | Stores the applications automatically launched at boot time. This key is a good place to look for trojans. | |
Theme Current Theme | \Software\Microsoft\Windows\Current\Themes | Identifies the Desktop theme and wallpaper. | |
Theme Last Theme | \Software\Microsoft\Windows\Current\Themes\Last Theme | Identifies the Desktop theme and wallpaper. | |
Type Paths into Windows Explorer | \Software\Microsoft\Windows\Current\Explorer\TypedPaths | User typed (or pasted) paths into Windows Explorer address bar. | Upon hitting <Enter>. |
Note: Updated/Versions cells on this page that could not be matched to a row: Unknown; XP, V, 7; XP, V 7.

UserAssist | \Software\Microsoft\Windows\Current\Explorer\UserAssist\<guid> | Application usage showing last access and number of launches of applications. Note: GUID 750 is used in versions 2000, XP, and Vista. | | XP, V
UserAssist | \Software\Microsoft\Windows\Current\Explorer\UserAssist\<guid> | Application usage showing last access and number of launches of applications. Note: Change to GUID F4E in Windows 7 for application launch info. | | 7
Windows Explorer Settings | \Software\Microsoft\Windows\Current\Explorer\Advanced | Sets Windows Explorer preferences. | | XP, V, 7
WinZip - Accessed Archives | \Software\Nico Mak Computing\filemenu / filemenu## | Path back to accessed Zip archives. | | 11.1
WinZip - Extraction MRU | \Software\Nico Mak Computing\Extract / extract# | The path to which Zip archives are extracted. | | 11.1
WinZip - Location Extracted To | \Software\Nico Mak Computing\Directories / ExtractTo | Last location to which a Zip archive was extracted. | | 11.1
WinZip - Registered User | \Software\Nico Mak Computing\WinIni / Name 1 | Registered user for installation. | N/A | 11.1

WinZip - Temp File | \Software\Nico Mak Computing\Directories / ZipTemp | WinZip temporary file location. | N/A | 11.1
WinZip - Zip Creation Location | \Software\Nico Mak Computing\Directories / AddDir | Last location from which a Zip file was created. | | 11.1
WinZip - Zip Creation Location | \Software\Nico Mak Computing\Directories / DefDir | Last location to which a Zip file was created or opened. | | 11.1
Word 2007 Autosave Info | \Software\Microsoft\Office\12.0\Word\Resiliency\Document Recovery\<id#> | Saves info about currently opened Word documents. | document is opened and when saves are made | Office 2007
Word 2007 MRU | \Software\Microsoft\Office\12.0\Word\File MRU | MRU List for MS Word documents (Item1-Item50). Note: The second bracketed number is a 64-bit date/time stamp of when the document was opened. | document is opened | Office 2007
Word Recent Docs | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office\Word\Settings\Save As\File Name MRU | Microsoft Word recent documents in the value. | Unknown | Pre Office 2007
Word User Info | \Software\Microsoft\office\version\Common\UserInfo | Identifies the user information entered when installing Microsoft Office. Note: this information may be modified after installation. | Unknown | Pre Office 2007

WordPad MRU | \Software\Microsoft\Windows\Current\Applets\Wordpad\Recent File List | MRU for WordPad documents (File1-File9). | document is closed |
Yahoo! | \Software\Yahoo\Pager\Profiles\* | Stores IM contacts, file transfer information, etc. for Yahoo!. | NA |
Yahoo! File Transfers | \Software\Yahoo\Pager\File Transfer (global value) | Shows number of transfers in and out. | |
Yahoo! File Transfers | \Software\Yahoo\Pager\profiles\screen name\filetransfer (user specific) | Shows settings for file transfers. | |
Yahoo! Identities | \Software\Yahoo\Pager\profiles\screen name - All Identities, Selected Identities | Shows alternate user identities. | |
Yahoo! Last User | \Software\Yahoo\Pager - Yahoo! User ID | Last logged-in user. | |
Yahoo! Message Archiving | \Software\Yahoo\Pager\profiles\screen name\archive | Shows settings for message archiving. | |
Yahoo! Password | \Software\Yahoo\Pager - EOptions string | Encrypted password. | |
Yahoo! Recent Contacts | \Software\Yahoo\Pager\profiles\screen name\imvironments\Recent | Shows recent contacts and which IMV was used. | |
Yahoo! Saved Password | \Software\Yahoo\Pager - Save Password | Shows if the password is saved. | |
Note: Updated/Versions cells on this page that could not be matched to a row: Unknown; XP, V, 7.

Yahoo! Screen Names | \Software\Yahoo\Pager\profiles\screen name | Shows registered screen names and identities. | |
Yserver | \Software\Yahoo\Yserver | Points to a directory location for file transfer information. | |

SAM INFORMATION

Artifact | Hive | Location | Description | Updated | Versions
Account Expiration | SAM | SAM\Domains\Account\Users\F Key | Bytes 33-40 store the account expiration. If no expiration is set, FF FF FF FF shows. | |
Group Names - Custom | SAM | SAM\Domains\Account\Aliases\Names | List of custom groups by name. | NA | XP, V, 7
Group Names - Local | SAM | SAM\Domains\Builtin\Aliases\Names | List of local group names. | | XP, V, 7
Groups - Custom | SAM | SAM\Domains\Account\Aliases\<rid> | List of custom groups by RID. | | XP, V, 7
Groups - Local | SAM | SAM\Domains\Builtin\Aliases\<rid> | List of local groups by RID. | | XP, V, 7
Home Group | SAM | SAM\SAM\Domains\Account\Users - Home Group in RID and Names | | N/A | 7
Last Failed Login | SAM | SAM\Domains\Account\Users\F Key | Bytes 41-48 store the last unsuccessful logon. | |
Last Logon Time | SAM | SAM\Domains\Account\Users\F Key | Bytes 9-16 store the last logon time. | |

Last Time Password Changed | SAM | SAM\Domains\Account\Users\F Key | Bytes 25-32 store the last time the password was changed. | |
Local Groups | SAM | SAM\Domains\Builtin\Aliases\Names | Lists local account security identifiers. | |
Local Users | SAM | SAM\Domains\Account\Users\Names | Lists local account security identifiers. | |
Machine SID Location | SAM | SAM\Domains\Account / V | Last twelve bytes of the V value. | |
Password Hint | SAM | SAM\Domains\Account\Users\<RID>\F_Value\UserPasswordHint | Shows a logon password hint if initiated by the user. | | V, 7
User Name and SID | SAM | SAM\Domains\Account\Users\V Key | Note: See User Name and SID in Information on page 21. Contains the username and SID in hex. You must convert the last three hex numbers to decimal to determine the decimal version of the SID that is used in the Recycler and System Volume Information folder. | |
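The byte ranges the SAM rows above give for the F key (last logon, last password change, account expiration, last failed logon) and the "64-bit date/time stamp" in the Excel, PowerPoint and Word 2007 File MRU rows earlier in the chart are all Windows FILETIME values. The Python below is an added example, not part of the AccessData appendix: it decodes both from constructed sample data, treating the chart's "FF FF FF FF" no-expiration case as unset; the [F...][T...]*path layout assumed for a File MRU entry comes from the editor's own observation and is not stated in the chart.

```python
"""Decode the FILETIME stamps this chart points at: the four timestamp
fields in a SAM\\Domains\\Account\\Users\\<RID>\\F value and the [T...]
field of an Office 2007 File MRU entry."""
import re
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Windows stores "never expires" as 0x7FFFFFFFFFFFFFFF, whose low bytes are
# the FF FF FF FF the chart describes for an account with no expiration.
_NEVER = 0x7FFFFFFFFFFFFFFF


def filetime_to_datetime(ft):
    """Return an aware UTC datetime, or None for the unset encodings (0 or
    the 'never' sentinel)."""
    if ft == 0 or ft >= _NEVER:
        return None
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10


# Zero-based offsets of the 8-byte little-endian FILETIME fields in F.
# The chart counts bytes from 1, so its "Bytes 9-16" is offset 8, and so on.
F_FIELDS = {
    "last_logon": 8,          # chart: bytes 9-16
    "password_last_set": 24,  # chart: bytes 25-32
    "account_expires": 32,    # chart: bytes 33-40
    "last_failed_logon": 40,  # chart: bytes 41-48
}


def parse_sam_f(f_value):
    """Pull the four timestamps out of a raw F value (bytes)."""
    if len(f_value) < 48:
        raise ValueError("F value too short: %d bytes" % len(f_value))
    result = {}
    for name, offset in F_FIELDS.items():
        (ft,) = struct.unpack_from("<Q", f_value, offset)
        result[name] = filetime_to_datetime(ft)
    return result


# Assumed layout of an Item# value under Office\12.0\<app>\File MRU:
# "[F<8 hex>][T<16 hex FILETIME>]*<path>", with an optional "[O<8 hex>]"
# group before the '*' in later Office versions. Not taken from the chart.
_MRU_RE = re.compile(
    r"^\[F[0-9A-Fa-f]{8}\]\[T([0-9A-Fa-f]{16})\](?:\[O[0-9A-Fa-f]{8}\])?\*(.*)$")


def parse_office_mru_entry(value):
    """Return (path, opened_at) from a File MRU item string."""
    m = _MRU_RE.match(value)
    if not m:
        raise ValueError("not an Office File MRU entry: %r" % value)
    return m.group(2), filetime_to_datetime(int(m.group(1), 16))


# ---- constructed sample data (not captured from a real system) ----
def build_sample_f():
    """An 80-byte F value with two known stamps, an unset expiration and
    no failed logon."""
    buf = bytearray(80)
    struct.pack_into("<Q", buf, 8, datetime_to_filetime(
        datetime(2010, 9, 25, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 24, datetime_to_filetime(
        datetime(2010, 9, 1, 9, 30, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 32, _NEVER)  # bytes 33-40 start FF FF FF FF
    struct.pack_into("<Q", buf, 40, 0)       # no unsuccessful logon recorded
    return bytes(buf)


SAMPLE_F = build_sample_f()
SAMPLE_MRU = "[F00000000][T%016X]*C:\\Users\\analyst\\Documents\\report.docx" % (
    datetime_to_filetime(datetime(2010, 9, 20, 8, 30, tzinfo=timezone.utc)))

if __name__ == "__main__":
    for name, when in parse_sam_f(SAMPLE_F).items():
        print("%-18s %s" % (name, when or "<not set>"))
    print(parse_office_mru_entry(SAMPLE_MRU))
```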

SECURITY INFORMATION

Artifact | Hive | Location | Description | Updated | Versions
Passwords Cached Administrative Passwords | SECURITY | SECURITY\Policy\Secrets\DefaultPassword / CurrVal and OldVal | CurrVal holds the current administrative password and OldVal holds the previous. | N/A | XP
Passwords Cached Domain Passwords | SECURITY | SECURITY\Cache / NL$# | Default stores up to 10 set in file. | N/A | XP, 7

INFORMATION

Artifact | Location | Description | Updated | Versions
Auto Logon Set | \Microsoft\Windows NT\Current\Winlogon / AutoAdminLogon | 1=allow auto logon 0=disabled | | XP, V
Auto Logon Set - Password | \Microsoft\Windows NT\Current\Winlogon / DefaultPassword | The value won't exist unless the user set up autologon. If autologon is set, the password must be present in this value in the clear. | | XP, V
Class Identifiers | \Classes\CLSID | Class identifier information, GUIDs on Applications and processes. | |
Group Memberships | \Microsoft\Windows\Current\Group Policy\GroupMembership | List of groups with which user is associated. | | XP, V, 7

Home Group | \Microsoft\Windows\Current\HomeGroup\SharingPreferences\<sid> | | N/A | 7
ICQ Information | \Mirabilis\ICQ\Owner | Stores the User Identification Number (UIN). | At logon |
Indexed Folders | \Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex\WorkingSetRules\<#> | Reports the folders currently being indexed for the Search utility. | Upon adding a folder. | V, 7
Install Date | \\Microsoft\Windows NT\Current | Lists the date the operating system was installed. | |
Installed Application List | \Microsoft\Windows\Current\Uninstall | List of installed applications to use for uninstall. | |
Installed Application List | \Wow6432Node\<appname> | List of installed 32-bit applications. | N/A | 7
Installed Application List | \Wow6432Node\Microsoft\Windows\Current\SharedDLLs | List of executables for installed applications. | N/A | 7
Installed Application List | \Microsoft\Windows\Current\App Paths\<appname> | Installed list of applications. | |
Installed Internet Browsers | \Clients\StartMenuInternet\<appname> | List of installed Internet browsers. | |

9-25-10 2010 AccessData Group, LLC. All Rights Reserved 23 Installed Internet Browsers - Default Browser Last Logged on User Last User Logged In \Clients\StartMenuInternet / default \Microsoft\Windows\ Current\Authentication\ LogonUI \\Microsoft\Windows NT\ Current\Winlogon Libraries \Microsoft\Windows Search\Gather\Windows\SystemIndex\ StartPages\<#> Logon Banner Message Logon Banner Message Logon Banner Title \\Microsoft\Windows\ Current\Policies\System\ LegalNoticeText \\Microsoft\Windows\ Current\Policies\System\ LegalNoticeText \\Microsoft\Windows\ Current\Policies\System\ LegalNoticeCaption Default installed Internet browser Displays the user name of the last logged on user, computer name, and date/time of last logon in the key last modified date/time stamp. If the shutdown is normal, the subkey is modified to logoff time. Lists the last user that logged in to the system. This can be local or domain account. Contains the banner that appears at boot time. Users must click through the log-on banner to log on to a system. Contains user-defined data. Contains user-defined data. N/A N/A V, 7 NA Upon creation 7 NA NA NA

24 2010 AccessData Group, LLC. All Rights Reserved 9-25-10 Logon Info Default User and Domain Name Logon Info Legal Notices on Bootup Network Cards \\Microsoft\Windows NT\ Current\Winlogon \\Microsoft\Windows NT\ Current\Winlogon \Microsoft\Windows NT\ Current\ NetworkCards\# O\S \\Microsoft\Windows NT\ Current Password Hint XP Passwords Cached Logon Password Maximum Printer Properties for Installed Printers \Microsoft\Windows\ Current\Hints\<username> \Microsoft\Windows NT\ Current\Winlogon \Microsoft\Windows NT\ Current\Print\Printers\ <printername> Product ID \Microsoft\Windows NT\ Current Identifies the default user and the associated domain name. Contains legal notices that appear at boot time. Users must click through the log-on banner to log on to a system. Lists installed network cards. The value can match up to the GUID stored in the file at \ControlSet###\Services\tcp ip\parameters\interfaces\<guid>. Identifies the currently installed OS version and service pack release. NA NA XP Password hint storage location. XP Control of max passwords stored in the cached passwords in SECURITY file. Detailed printer information, including user-entered properties from Control Panel. N/A XP Lists the Windows OS product key. AccessData Supplemental Appendix

9-25-10 2010 AccessData Group, LLC. All Rights Reserved 25 Product Name \\Microsoft\Windows NT\ Current Profile list \\Microsoft\Windows NT\ Current\ProfileList ReadyBoost Attachments Recycle Bin Info - XP Registered Organization Registered Owner Restore Point Information Restricted Access to Removable Media \Microsoft\Windows NT\ Current\ EMDMgmt\<driveid> \Microsoft\Windows\ Current\Explorer\BitBucket\ <driveletter> \\Microsoft\Windows NT\ Current \\Microsoft\Windows NT\ Current \Microsoft\Windows NT\ Current\ SystemRestore \\Microsoft\WindowsNT\ Current\ Winlogon Lists the name of the operating system. Contains the user security identifier for users with a profile on the system. List of attached USB devices for ReadyBoost utility. Windows XP Recycler info by drive letter, Max Capacity in MB, NukeOnDelete 0=Bin being used (default) 1= Bin is being bypassed Identifies the registered organization entered during installation. Note this information may be modified after installation. Identifies the registered owner entered during installation. Note this information may be modified after installation. N/A V, 7 N/A XP System Restore parameters N/A XP Lists allocated CD-ROMS and floppies that are set to 0 (restricted). NA XP

26 2010 AccessData Group, LLC. All Rights Reserved 9-25-10 Run \Microsoft\Windows\ Current\ Run Startup Location Startup Location Startup Software Startup Software System Restore Info Time Synchronizati on with Internet - Servers Turn off UAC Behavior \Microsoft\Command Processor / AutoRun \Microsoft\Windows NT\ Current\Winlogon/Userinit \Microsoft\Windows\ Current\Run \\Microsoft\Windows\ Current\ RunOnce \Microsoft\WindowsNT\ Current\ SystemRestore \Microsoft\Windows\ Current\ DateTime\Servers \Microsoft\Widows\ Current\Policies\System\ ConsentPromptBehaviorAdmin Value Lists programs that run automatically when the system boots. The AutoRun runs any application noted when cmd.exe is run. Applications to start on bootup. Stores the applications automatically launched at boot time. This key is a good place to look for trojans. Stores the applications automatically launched at boot time. This key is a good place to look for trojans. N/A N/A System Restore settings and info V, 7 Turn off the prompts to Continue when running a program needing elevated rights. Turns off Cancel or Allow. 0 is off, 2 is on (Default) V, 7 AccessData Supplemental Appendix