Recentapps registry forensics software

When an administrator or forensics expert opens Regedit.exe, they see a tree-like structure with five root folders, or "hives":

HKEY_CLASSES_ROOT − contains configuration information about which application is used to open the various file types on the system.
HKEY_CURRENT_USER − the loaded user profile for the currently logged-on user.
HKEY_LOCAL_MACHINE − contains a vast amount of configuration information for the system, including hardware settings and software settings.
HKEY_USERS − contains all the actively loaded user profiles on that system.
HKEY_CURRENT_CONFIG − contains the hardware profile the system uses at startup.

Suppose your computer falls into the hands of a malicious person without your consent. How can you determine what exactly he did to your computer? You can track his activity by inspecting the registry as follows.

Recently run applications − the RunMRU key. With the information provided by the RunMRU key (the list of recently run programs), an examiner can gain a better understanding of the user they are investigating and of the applications being used. In the figure (screenshot omitted), you can see that the user has opened cmd, Notepad, MSPaint, etc.

Attached hardware list − HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR. The USBSTOR key stores the product and device ID values of every USB storage device that has ever been connected to the system.
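As an added example (not code from the original page), here is a small parser that reads a `reg export` of the two keys discussed above and recovers the Run-dialog history in most-recent-first order plus the USB devices recorded under USBSTOR. The full key paths, the `MRUList`/`\1` layout of RunMRU and the `Disk&Ven_..&Prod_..&Rev_..\<serial>` layout of USBSTOR are standard Windows conventions assumed here; the export text is constructed sample data, not real evidence.

```python
import re
from typing import Dict, List

# Well-known Windows key paths (assumed; the page names the keys, not the full RunMRU path)
RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR"

# Constructed sample of what `reg export` of the two keys looks like (not real evidence)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="notepad\\1"
"c"="mspaint\\1"
"MRUList"="cba"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0C1A2B3C&0]
"FriendlyName"="Kingston DataTraveler USB Device"
'''
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines only

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse string values of a .reg export into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := _VALUE_RE.match(line)):
            # .reg escapes backslashes and quotes inside strings; undo that
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def run_mru_history(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Run-dialog commands, most recent first: MRUList holds the slot letters in that order."""
    values = reg.get(RUNMRU_KEY, {})
    history = []
    for slot in values.get("MRUList", ""):
        cmd = values.get(slot)
        if cmd is not None:
            history.append(cmd[:-2] if cmd.endswith("\\1") else cmd)  # drop the "\1" marker
    return history

def usbstor_devices(reg: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Decode USBSTOR\<Disk&Ven_x&Prod_y&Rev_z>\<serial> subkeys into fields."""
    prefix, devices = USBSTOR_KEY + "\\", []
    for key, values in reg.items():
        if key.startswith(prefix):
            device_id, _, serial = key[len(prefix):].partition("\\")
            parts = dict(p.split("_", 1) for p in device_id.split("&")[1:] if "_" in p)
            devices.append({"vendor": parts.get("Ven", ""), "product": parts.get("Prod", ""),
                            "revision": parts.get("Rev", ""), "serial": serial,
                            "friendly_name": values.get("FriendlyName", "")})
    return devices
```

On a live system the same keys can be exported with `reg export` and fed to `parse_reg_export`; the serial taken from the USBSTOR subkey name is what lets an examiner tie a specific device to the machine.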