AccessData. Registry Quick Find Chart



Similar documents
ACCESSDATA SUPPLEMENTAL APPENDIX

Forensic Toolkit. Sales and Promotional Summary ACCESSDATA, ON YOUR RADAR

1! Registry. Windows System Artifacts. Understanding the Windows Registry. Organization of the Windows Registry. Windows Registry Viewer

DeployStudio Server Quick Install

Forensically Determining the Presence and Use of Virtual Machines in Windows 7

Chapter 2 - Microsoft Internet Explorer 6

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

User guide. Business

How To Restore An Org Server With Anor Backup For Windows (Oracle)

Windows NT Server Operating System Security Features Carol A. Siegel Payoff

Windows Operating Systems. Basic Security

Introduction. Before you begin. Installing efax from our CD-ROM. Installing efax after downloading from the internet

Determining VHD s in Windows 7 Dustin Hurlbut

Remote Desktop Solution, (RDS), replacing CITRIX Home Access

Computer Science and Engineering Windows Cisco VPN Client Installation and Setup Guide

Pearl Echo Installation Checklist

Installing the Microsoft Network Driver Interface

ThinPoint Quick Start Guide

Part 3: Accessing Local drives and printers from the Terminal Server

How to install and use the File Sharing Outlook Plugin

DocuShare User Guide

SOA Software API Gateway Appliance 7.1.x Administration Guide

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

Using Internet or Windows Explorer to Upload Your Site

FaxCore 2007 Getting Started Guide (v1.0)

TeamViewer 9 Manual Remote Control

User Guide Microsoft Exchange Remote Test Instructions

Installing Windows 95 Drivers and Utilities for the Cisco Aironet 340/350 Series Client Adapters

Integration and Streaming Guide

Remote Desktop access via Faculty Terminal Server Using Internet Explorer (versions 5.x-7.x)

PowerLink for Blackboard Vista and Campus Edition Install Guide

IMAP and SMTP Setup in Clients

Contents First Time Setup... 2 Setting up the Legal Vault Client (KiteDrive)... 3 Setting up the KiteDrive Outlook Plugin Using the Legal Vault

Initial Setup of Microsoft Outlook 2011 with IMAP for OS X Lion

A-AUTO 50 for Windows Setup Guide

TeamViewer 7 Manual Remote Control

Setting up VMware ESXi for 2X VirtualDesktopServer Manual

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

Deployment of Keepit for Windows

Insight Video Net. LLC. CMS 2.0. Quick Installation Guide

Desktop Web Access Single Sign-On Configuration Guide

How to Configure Entourage 2008 for Client

Operating Systems Forensics

READYNAS INSTANT STORAGE. Quick Installation Guide

Thinspace deskcloud. Quick Start Guide

TeamViewer 8 Manual Remote Control

Installing Microsoft Outlook on a Macintosh. This document explains how to download, install and configure Microsoft Outlook on a Macintosh.

Macintosh General Help

Remote Unix Lab Environment (RULE)

FILE TRANSFER PROTOCOL (FTP) SITE

Installation and Configuration of VPN Software

How To Backup Your Computer With A Remote Drive Client On A Pc Or Macbook Or Macintosh (For Macintosh) On A Macbook (For Pc Or Ipa) On An Uniden (For Ipa Or Mac Macbook) On

Portions of this product were created using LEADTOOLS LEAD Technologies, Inc. ALL RIGHTS RESERVED.

Driver Upgrade Instructions

GUARD1 PLUS SE Administrator's Manual

Chapter 2 - Microsoft Internet Explorer 6

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

Virtual Appliance for VMware Server. Getting Started Guide. Revision Warning and Disclaimer

Computer Science and Engineering MacOS Cisco VPN Client Installation and Setup Guide

The following features have been added to FTK with this release:

COMMANDS 1 Overview... 1 Default Commands... 2 Creating a Script from a Command Document Revision History... 10

Setting Up . on Your Touch by HTC

Safe internet for business use: Getting Started Guide

School Mail System. - Access through Office 365 Exchange Online. User Guide FOR. Education Bureau (EDB)

Table of Contents. CHAPTER 1 About This Guide CHAPTER 2 Introduction CHAPTER 3 Database Backup and Restoration... 15

Setting Up . on Your Sprint Power Vision SM Mogul by HTC

Citrix Online, div. of Citrix Systems Inc. GoToAssist TM. Product Category: Knowledge Management/eSupport Validation Date: 2/22/2005

Install and Configure RelayFax

TANDBERG MANAGEMENT SUITE 10.0

For Windows XP 64 bit

How to install the RTL8029 PCI Adapter Boot Rom for Windows95

FTP Use. Internal NPS FTP site instructions using Internet Explorer:

Finance & Information Management Network Operations

Virtual Office Remote Installation Guide

Setting Up the Device and Domain Administration

KM-1820 FS-1118MFP. Network Scanner Setup Guide

Iomega Home Media Network Hard Drive

System Security Policy Management: Advanced Audit Tasks

AXIS 70U - Using Scan-to-File

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

Fax User Guide 07/31/2014 USER GUIDE

How to use SURA in three simple steps:

AT&T Global Network Client v6.8.0 and Passport IP Setup Instructions for Broadband VPN Access

AdminToys Suite. Installation & Setup Guide

SQL Server 2008 R2 Express Edition Installation Guide

Enterprise Server Setup Guide

Acronis Backup & Recovery 11.5 Quick Start Guide

Yale Software Library

LT Auditor+ for Windows

Accessing the Media General SSL VPN

Remote Access to Niagara Wheatfield s Computer Network

Step-by-Step Guide to Setup Instant Messaging (IM) Workspace Datasheet

TicketStation User Manual

Citrix Shared Desktop

TOSHIBA GA Printing from Windows

NetBak Replicator 4.0 User Manual Version 1.0

4cast Client Specification and Installation

Bosch ReadykeyPRO Unlimited Installation Guide, product version 6.5. This guide is item number DOC , revision 2.029, May 2012.

10 Step 2 System Service Setup. 11 Step 3 RelayFax Server Setup. 11 Step 4 Company Name and CSID String. 12 Step 5 Fax and Voice Number

Transcription:

AccessData Registry Quick Find Chart

Registry Quick Find Chart This appendix reviews common locations in the Windows and Windows Internet-related registries where you can find data of forensic interest. AOL Instant Messenger on page 2 ICQ on page 3 Internet Explorer on page 3 MSN Messenger on page 4 Outlook and Outlook Express on page 5 Windows Messenger on page 5 Yahoo Messenger on page 6 System Information on page 7 Networking on page 9 User Data on page 10 User Application Data on page 13 1987-2005 AccessData Corporation. All Rights Reserved. 1

AOL INSTANT MESSENGER Away Messages \Software\America Online\ AOL Instant Messenger(TM)\ CurrentVersion\Users\screen name\ IAmGoneList Shows default and customized Away messages. File Transfers & Sharing \Software\America Online\ AOL Instant Messenger(TM)\ CurrentVersion\Users\screen name\ Xfer Shows settings for file transfers and sharing. Last User \Software\America Online\ AOL Instant Messenger (TM)\ CurrentVersion\Login - Screen Name Profile Info \Software\America Online\ AOL Instant Messenger(TM)\ CurrentVersion\Users\screen name\ DirEntry Shows the screen name of the last logged-in user. Shows user profile information (optional). At login Recent Contacts Software\America Online\ AOL Instant Messenger\ CurrentVersion\users\username\ recent IM ScreenNames Shows a list of recently contacted buddies. When the application closes. Registered Users \Software\America Online\ AOL Instant Messenger (TM)\ CurrentVersion\Users Shows registered AIM users on the machine. At sign-on Saved Buddy List \Software\America Online\ AOL Instant Messenger(TM)\ CurrentVersion\Users\username\ ConfigTransport Shows the directory path of a saved Buddy List, a BLT file. 2 1987-2005 AccessData Corporation. All Rights Reserved.

ICQ ICQ \Software\Mirabilis\ICQ\* Lists IM contacts, file transfer information, etc. ICQ Information \Software\Mirabilis\ICQ\Owner Stores the User Identification Number (UIN). At logon Last User \Software\Mirabilis\ICQ\ Owners - LastOwner Nickname \Software\Mirabilis\ICQ\ Owners\UIN - Name Shows the last logged-in user. Nickname of user (optional value). At login At login Registered Users \Software\Mirabilis\ICQ\ Owners\UIN UIN folder is named for the user. At login INTERNET EXPLORER IE Auto Logon and password Protected Storage System Provider\ SID\Internet Explorer\ Internet Explorer - URL: StringData Stores IE auto logon IDs and passwords with date and time stamp. IE Search Terms \Software\Miscrosoft\ Protected Storage System Provider\SID\Internet Explorer\ Internet Explorer - q:stringindex Stores IE search terms with date and time stamp. IE Settings Internet Explorer\ Main Stores IE settings such as start page, save directory, home page, and download location. IE URL History Days Saved Windows\ CurrentVersion\Internet Settings\ URL History - DaysToKeep The number of days the system stores URLs visited in IE. The default is 20 days. 1987-2005 AccessData Corporation. All Rights Reserved. 3

Typed URLs Internet Explorer\ Typed URLs Stores data entered into the URL address bar. When the application closes Web Form Data Protected Storage System Provider\ SID\Internet Explorer\ Internet Explorer - q:stringindex Stores form data provided within IE. IE Auto Complete Passwords Internet Explorer\IntelliForms Stores Web page auto complete passwords. These are encrypted values. IE Auto Complete Web Addresses Protected Storage System Provider Lists web pages wherein autocomplete was utilized. IE Default Download Directory Internet Explorer default download directory when utilizing Internet Explorer. MSN MESSENGER MSN Messenger \Software\Microsoft MessengerService\ ListCache\.NET MessngerService\* Contains IM groups, contacts, file transfer information, etc. for MSN Messenger. Most on signoff; however, FTReceive is immediate File Sharing MSNMessenger\ FileSharing - Autoshare Shows if file sharing is turned on. File Transfers MSNMessenger\ - FTReceiveFolder Shows the location of the Received Files folder. Logging Enabled MSNMessenger\ PerPass portsettings\##########\ - MessageLoggingEnabled Shown if message logging is turned on. 4 1987-2005 AccessData Corporation. All Rights Reserved.

Message History MSNMessenger\ PerPass portsettings\##########\ - MessageLog Path Shows the location of message history files. Saved Contact List Messenger Service - ContactListPath Shows the location of a saved Contact List (CTT) file. OUTLOOK AND OUTLOOK EXPRESS Account Passwords Protected Storage SystemProvider\SID\ Identification\ INETCOMM Server Passwords Stores Outlook and Outlook Express account passwords. Outlook Temporary Attachment Directory Office\version\ Outlook\Security location where attachments are stored when they are opened from Outlook. WINDOWS MESSENGER Contact List MessengerService\ListCache\.NET Messenger Service Contains Contact, Allow, Block, and Reverse entries. At sign-off File Transfers Messenger Service - FtReceiveFolder Shows the location of the Received Files folder. Last User MessengerService\ListCache\.NET Messenger Service - IdentityName Screen name of last logged-in user. At sign-off 1987-2005 AccessData Corporation. All Rights Reserved. 5

YAHOO MESSENGER Chat Rooms \Software\Yahoo\Pager\profiles\ screen name\chat Shows information for chat rooms visited or created. File Transfers \Software\Yahoo\Pager\ File Transfer (global value) Shows number of transfers in and out. File Transfers Software\Yahoo\Pager\profiles\ screen name\filetransfer (user specific) Shows settings for file transfers. Identities \Software\Yahoo\Pager\profiles\ screen name - All Identities, Selected Identities Shows alternate user identities. Unknown IMVs MRU list Software\Yahoo\Pager\profiles\ screen name\imvironments (userspecific value) Shows usage of IMVironments. IMV Usage \Software\Yahoo\Pager\ IMVironments (global value) Shows usage of IMVironments. Last User \Software\Yahoo\ Pager - Yahoo! User ID Last logged-in user. Message Archiving \Software\Yahoo\Pager\profiles\ screen name\archive Shows settings for message archiving. Password \Software\Yahoo\ Pager - EOptions string Encrypted password. Recent Contacts Software\Yahoo\Pager\profiles\ screen name\imvironments\recent Shows recent contacts and which IMV was used. Saved Password \Software\Yahoo\ Pager - Save Password Shows if the password is saved. Screen Names \Software\Yahoo\Pager\profiles\ screen name Shows registered screen names and identities. Yserver \Software\Yahoo\Yserver Points to a directory location for file transfer information. 6 1987-2005 AccessData Corporation. All Rights Reserved.

SYSTEM INFORMATION Computer Name SYSTEM \ControlSet###\Control\ ComputerName\ComputerName computer s name defined in System Properties. Current Control Set Current Control Set SYSTEM \Select Identifies which control set is current. SYSTEM \Select\Current Contains information about the system s configuration settings. Dynamic Disk SYSTEM \ControlSetXXX\Services\DMIO\ Boot Info\Primary Disk Group most recent dynamic disk mounted in the system. Event Logs SYSTEM \ControlSetXXX\Services\ Eventlog Install Date \Microsoft\Windows NT\ CurrentVersion location of Event logs. Lists the date the operating system was installed. Last User Logged In \Microsoft\Windows NT\ CurrentVersion\Winlogon Lists the last user that logged in to the system. This can be local or domain account. Logon Banner Message \Microsoft\Windows\ CurrentVersion\Policies\ System\LegalNoticeText Contains the banner that appear at boot time. Users must click through the logon banner to logon to a system. Logon Banner Message \Microsoft\Windows\ CurrentVersion\Policies\ System\LegalNoticeText Contains userdefined data. Logon Banner Title \Microsoft\Windows\ CurrentVersion\Policies\ System\LegalNoticeCaption Contains userdefined data. 1987-2005 AccessData Corporation. All Rights Reserved. 7

Logon Info Default User and Domain Name \Microsoft\Windows NT\CurrentVersion\ Winlogon default user and the associated domain name. Logon Info Legal Notices on Bootup \Microsoft\Windows NT\ CurrentVersion\Winlogon Contains legal notices that appear at boot time. Users must click through the logon banner to logon to a system. Mounted Devices SYSTEM \MountedDevices Lists current and prior mounted devices that use a drive letter. O\S Version \Microsoft\Windows NT\CurrentVersion Pagefile SYSTEM \ControlSetXXX\Control\ Session Manager\Memory Management currently installed OS version and Service Pack release. Contains the page file settings such as location, size, set to wipe, etc. View updates immediately; however, not effective until reboot PDA Information SYSTEM \ControlSet###\Enum\USB Contains PDA information. Product ID \Microsoft\Windows NT\CurrentVersion Lists the Windows OS product key. Product Name \Microsoft\Windows NT\CurrentVersion Lists the name of the operating system. Registered Organization \Microsoft\Windows NT\CurrentVersion registered organization entered during installation. Note this information may be modified after installation. 8 1987-2005 AccessData Corporation. All Rights Reserved.

Registered Owner \Microsoft\Windows NT\CurrentVersion registered owner entered during installation. Note this information may be modified after installation. Restricted Access to Removable Media \Microsoft\WindowsNT\ CurrentVersion\ Winlogon Lists allocated CD- ROMS and floppies that are set to 0 (restricted). Run \Microsoft\Windows\ CurrentVersion\Run Lists programs that run automatically when the system boots. Shutdown Time SYSTEM \ControlSetXXX\Control\ Windows Lists the system shutdown time. Time Zone SYSTEM \ControlSet001(or002)\ Control\TimeZoneInformation\St andardname time zone entered during installation. Note this information may be modified after installation. USB Devices SYSTEM \Enum\USBSTOR Lists the system s USB devices. NETWORKING Local Groups SAM \Domains\Builtin\Aliases\Names Lists local account security identifiers. Local Users SAM \Domains\Account\Users\Names Lists local account security identifiers. Map Network Drive MRU Windows\ CurrentVersion\Explorer\Map Network Drive MRU Contains a most recently used list of mapped network drives. Printers Currently Defined SYSTEM \ControlSet###\Control\Print\ Printers Lists all printers that are configured on the current system. 1987-2005 AccessData Corporation. All Rights Reserved. 9

Printer Default WindowsNT\ CurrentVersion\Windows current default printer. \printers current default printer. On shutdown Printer Information SYSTEM \ControlSet###\Control\Print\ Environments\WindowsNTx86\ Drivers\Version Contains information about the current printer. Profile list \Microsoft\Windows NT\ CurrentVersion\ProfileList TCP\IP data SYSTEM \ControlSetXXX\Services\TCPIP\ Parameters Contains the user security identifier for users with a profile on the system. Lists the current system s domain and hostname data. TCP\IP Settings of a Network Adapter SYSTEM \ControlSetXXX\Services\ adapter\ Parameters\TCPIP Lists the current system s IP address and gateway information. USER DATA EFS Software\Microsoft\WindowsNT\ CurrentVersion\EFS\CurrentKeys Lists the current user s certificate thumbprint. (Each user has a unique certificate thumbprint.) The same certificate thumbprint is contained in the $EFS alternate data stream for every EFS file encrypted by the current user. 10 1987-2005 AccessData Corporation. All Rights Reserved.

Event Log Restrictions SYSTEM \ControlSet###\Services\EventLog \ Application Identifies who can read your event logs. A value of 1 restricts access; 0 permits access for guest and mull users. SECURITY \ControlSet###\Services\EventLog \ Application Identifies who can read your event logs. A value of 1 restricts access; 0 permits access for guest and mull users. File Extensions\ Program Association Windows\ CurrentVersion\Explorer\FileExts Identifies associated programs with file extensions. Last Logon Time SAM \SAM\Domains\Account\Users\ F Key Bytes 9 16 store the last logon time. Last Time Password Changed SAM \SAM\Domains\Account\Users\ F Key Bytes 25-32 store the last time the password was changed. Account Expiration SAM \SAM\Domains\Account\Users\ F Key Bytes 33-40 store the account expiration. If no expiration is set, FF FF FF FF will show. Last Failed Login SAM \SAM\Domains\Account\Users\ F Key Bytes 41-48 store the last unsuccessful logon. MRU Last Visited Windows\ CurrentVersion\Explorer\ComDlg 32\ Lists the application and filename of the most recent files opened in Windows. MRU Open Saved Windows\ CurrentVersion\Explorer\ ComDlg32\OpenSaveMRU Lists the filename and path of the most recent files saved or copied to a specific location in Windows. 1987-2005 AccessData Corporation. All Rights Reserved. 11

MRU Recent Documents Windows\ CurrentVersion\Explorer\ RecentDocs\ documents in the Recent Documents list available from the Windows Start menu. MRU Run MRU Windows\ CurrentVersion\Explorer\RunMR U Lists the most recent commands entered in the Windows Run box. POP3 Passwords Internet Account Manager \Accounts\0000000# Stores the user s POP3 passwords. # is a digit identifying that particular account. Run Windows\ CurrentVersion\Run Lists programs that run automatically when the user logs on. Screen Savers and wallpaper \Control Panel\Desktop\ system s screen saver and wallpaper. Theme Current Theme Windows\ CurrentVersion\Themes desktop theme and wallpaper. Unknown Theme Last Theme Windows\ CurrentVersion\Themes\Last Theme desktop theme and wallpaper. Converted Wallpaper Converted Wallpaper \Control Panel\Desktop Identifies converted graphic to wallpaper \Control Panel\Desktop Identifies date and time of converted wallpaper 12 1987-2005 AccessData Corporation. All Rights Reserved.

User Name and SID SAM \SAM\Domains\Account\Users\ V Key Contains the user name and SID in Hex. You must convert the last three hex numbers to decimal to determine the decimal version of the SID that is used in the Recycler and System Volume Information folder. \Microsoft\WindowsNT\ CurrentVersion\ ProfileList\ Contains the user name and SID in Hex. You must convert the last three hex numbers to decimal to determine the decimal version of the SID that is used in the Recycler and System Volume Information folder. USER APPLICATION DATA Adobe \Software\Adobe\* Lists Adobe products such as Acrobat and FrameMaker. AIM \Software\America Online\AOL InstantMessenger\CurrentVersion \ Users\ username Lists IM contacts, file transfer information, etc. Google Client History \Software\Google\NavClient\1.1\ History Contains a list of search terms with date and time stamps if Google is included in the Internet Explorer task bar. 1987-2005 AccessData Corporation. All Rights Reserved. 13

Individual Application Information \Software\%Application Name% This class of registry keys contains the information each application stores in the registry. Kazaa \Software\Kazaa\* Stores configuration, search, download, IM data, etc. for Kazaa. Media Player Recent List MediaPlayer\ Player\ RecentFileList Contains the user's most recently used list for Windows Media Player. Startup Software Windows\CurrentVersion\ Run Stores the applications automatically launched at boot time. This key is a good place to look for Trojans. Windows\CurrentVersion\ RunOnce Stores the applications automatically launched at boot time. This key is a good place to look for Trojans. \Microsoft\Windows\ CurrentVersion\Run Stores the applications automatically launched at boot time. This key is a good place to look for Trojans. \Microsoft\Windows\ CurrentVersion\RunOnce Stores the applications automatically launched at boot time. This key is a good place to look for Trojans. 14 1987-2005 AccessData Corporation. All Rights Reserved.

WinZip Information \Software\Nico Mak Computing\FileMenu Stores the list of files extracted from WinZip archives. \Nico Mak Computing Contains WinZip information. Word Recent Docs office\version\ Common\Open Find\Microsoft Office\Word\Settings\Save As\File Name MRU Microsoft Word recent documents in the value value. Unknown Word User Info office\version\ Common\UserInfo user information entered when installing Microsoft Office. Note this information may be modified after installation. Unknown Access Recent Databases office\version\ Common\Open Find\Microsoft Office Access\Settings\File New Database\File Name MRU Microsoft Access recent databases in the value value. Excel Recent Spreadsheets office\version\ Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU Microsoft Excel recent spreadsheets in the value value. Outlook Recent Attachments office\version\ Common\Open Find\Microsoft Office Outlook\Settings\Save Attachment\File Name MRU Microsoft Outlook recent documents PowerPoint Recent PPT s office\version\ Common\Open Find\Microsoft Office PowerPoint\Settings\Save As\File Name MRU Microsoft PowerPoint recent documents Unknown Publisher Recent Documents office\version\ Common\Open Find\Microsoft Office Publisher\Settings\Save As\File Name MRU Microsoft Publisher recent documents Unknown Yahoo \Software\Yahoo\Pager\ Profiles\* Stores IM contacts, file transfer information, etc. for Yahoo. 1987-2005 AccessData Corporation. All Rights Reserved. 15

File Extension Associations Windows\CurrentVersion\ Explorer\FileExts\.EXT Type Lists file extension associations and files that have been opened with the Open With command. User Assist Windows\CurrentVersion\ Explorer\UserAssist ShellBags Windows\Shell\BagMRU Windows history logged with path and time stamp information Pointers to link history and other file/folder information 16 1987-2005 AccessData Corporation. All Rights Reserved.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information