When I began writing the second edition of WFA, I specifically included a chapter on just “case studies,” in hopes of demonstrating how I and others have used various data sources from a Windows system, in incident response and forensic analysis scenarios, to gather information and build an overall picture to solve the challenges we were facing. In fact, after writing the first edition of Windows Forensic Analysis (Syngress Publishing, published in 2007, a.k.a., WFA), it was pretty clear to me that listing Registry keys and files wasn't as effective as providing examples of Registry analysis, and of how all of these could be used together. When I sat down to write this book, I was aware that for most folks, providing spreadsheets, tables, and lists of Registry keys and values would not be an entirely effective means of communicating and sharing information about Registry analysis. Harlan Carvey, in Windows Registry Forensics, 2011 Introduction WhatInStartup: (supersedes currently available but obsolete tool, StartupRun (Strun), ). Some of the more commonly used tools for discovering these artifacts include: The number and variety of auto-start locations on the Windows operating system have led to the development of tools for automatically displaying programs that are configured to start automatically when the computer boots. References to malware may be found in these auto-starting locations as a persistence mechanism, increasing the longevity of a hostile program on an infected computer. These auto-starting locations exist in particular folders, Registry keys, system files, and other areas of the operating system. When a system is rebooted, there are a number of places that the Windows operating system uses to automatically start programs. The value of the Registry key LastWrite times, as well as time stamps recorded within the data of various values, will be discussed through case studies in this chapter, and are also discussed in Chapter 7.Īnother aspect of Registry monitoring the digital investigator should consider is “auto-starting” artifacts. This is an important distinction, as Registry values do not have LastWrite times however, some Registry values may contain time stamps within their data that refer to some other function or action having occurred.
This can include the key being created (creation or deletion being the extreme form of modification), or subkeys or values within the key being added, deleted, or modified. This is a 64-bit FILETIME (a description of the FILETIME object can be found at ) time stamp that refers to the last time the key was modified in some way. For example, Registry keys (the folders visible in the left pane in Figure 5.1) contain subkeys and values, and also have a property referred to as the LastWrite time. It is important for analysts to understand the differences between these various objects, as they have different properties associated with them. Registry viewed via “RegEdit.exe.”Īs you can see in Figure 5.1, the Registry is made up of keys, values, and value data. Autopsy offers the same core features as other digital forensics tools and offers other essential features, such as web artifact analysis and registry analysis, that other commercial tools do not provide.Figure 5.1. As budgets are decreasing, cost effective digital forensics solutions are essential. See the fast results page for more details. It may take hours to fully search the drive, but you will know in minutes if your keywords were found in the user's home folder. Autopsy runs background tasks in parallel using multiple cores and provides results to you as soon as they are found. Developers should refer to the module development page for details on building modules. Indicators of Compromise - Scan a computer using STIX.Multimedia - Extract EXIF from pictures and watch videos.Data Carving - Recover deleted files from unallocated space using PhotoRec.Web Artifacts - Extract history, bookmarks, and cookies from Firefox, Chrome, and IE.Keyword Search - Indexed keyword search to find files that mention relevant terms.Hash Filtering - Flag known bad files and ignore known good.Timeline Analysis - Advanced graphical event viewing interface (video tutorial included).ExtensibleĪutopsy was designed to be an end-to-end platform with modules that come with it out of the box and others that are available from third-parties. Installation is easy and wizards guide you through every step. Autopsy was designed to be intuitive out of the box.