
Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Second Edition
by Albert J. Marcella, Jr. and Doug Menendez
Taylor & Francis Group, LLC. (c) 2008. Copying Prohibited.

Reprinted for Dany Romero Sanzonetty, ISACA
Reprinted with permission as a subscription benefit of Books24x7, http://www.books24x7.com/
All rights reserved. Reproduction and/or distribution in whole or in part in electronic, paper or other forms without written permission is prohibited.

Table of Contents
Appendix N: Locating Forensic Data in Windows Registries

Appendix N: Locating Forensic Data in Windows Registries

Information | File | Location

AOL Instant Messenger
Away Messages | NTUSER.DAT | \Software\America Online\AOL Instant Messenger™\CurrentVersion\Users\screen name\IAmGoneList
File Transfers and Sharing | NTUSER.DAT | \Software\America Online\AOL Instant Messenger™\CurrentVersion\Users\screen name\Xfer
Last User | NTUSER.DAT | \Software\America Online\AOL Instant Messenger™\CurrentVersion\lo screen name
Profile Info | NTUSER.DAT | \Software\America Online\AOL Instant Messenger™\CurrentVersion\Users\screen name\DirEntry
Recent Contacts | NTUSER.DAT | Software\America Online\AOL Instant Messenger\CurrentVersion\users\username\recent IM ScreenNames
Registered Users | NTUSER.DAT | \Software\America Online\AOL Instant Messenger™\CurrentVersion\Us
Saved Buddy List | NTUSER.DAT | \Software\America Online\AOL Instant Messenger™\CurrentVersion\Users\username\ConfigTransport

ICQ
ICQ | NTUSER.DAT | \Software\Mirabilis\ICQ\*
ICQ Information | SOFTWARE | \Software\Mirabilis\ICQ\Owner
Last User | NTUSER.DAT | \Software\Mirabilis\ICQ\Owners—LastOwner
Nickname | NTUSER.DAT | \Software\Mirabilis\ICQ\Owners\UIN—Name
Registered Users | NTUSER.DAT | \Software\Mirabilis\ICQ\Owners\UIN


Internet Explorer
IE Auto Logon and Password | NTUSER.DAT | \Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer—URL: StringData
IE Search Terms | NTUSER.DAT | \Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer—q:StringIndex
IE Settings | NTUSER.DAT | \Software\Microsoft\Internet Explorer\Main
IE URL History—Days Saved | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Internet Settings\URL History—DaysToKeep
Typed URLs | NTUSER.DAT | \Software\Microsoft\Internet Explorer\TypedURLs
Web Form Data | NTUSER.DAT | \Software\Microsoft\Protected Storage System Provider\SID\Internet Explorer\Internet Explorer—q:StringIndex
IE Auto-Complete Passwords | NTUSER.DAT | \Software\Microsoft\Internet Explorer\IntelliForms
IE Auto-Complete Web Addresses | NTUSER.DAT | \Software\Microsoft\Protected Storage System Provider
IE Default Download Directory | NTUSER.DAT | \Software\Microsoft\Internet Explorer

MSN Messenger
MSN Messenger | NTUSER.DAT | \Software\Microsoft\MessengerService\ListCache\.NET MessngerServi
File Sharing | NTUSER.DAT | \Software\Microsoft\MSNMessenger\FileSharing—Autoshare
File Transfers | NTUSER.DAT | \Software\Microsoft\MSNMessenger\—FTReceiveFolder
Logging Enabled | NTUSER.DAT | \Software\Microsoft\MSNMessenger\PerPassportSettings\#######\—MessageLogging Enabled
Message History | NTUSER.DAT | MSNMessenger\PerPassportSettings\######\—MessageLog Path
Saved Contact List | NTUSER.DAT | \Software\Microsoft\Messenger Service—ContactListPath

Outlook and Outlook Express
Passwords | NTUSER.DAT | \Software\Microsoft\Protected Storage System Provider\SID\Identification\INETCOMM Server Passwords
Outlook Temporary Attachment Directory | NTUSER.DAT | \Software\Microsoft\Office\version\Outlook\Security

Windows Messenger
Contact List | NTUSER.DAT | \Software\Microsoft\MessengerService\ListCache\.NET Messenger Se
File Transfers | NTUSER.DAT | \Software\Microsoft\Messenger Service—FtReceiveFolder
Last User | NTUSER.DAT | \Software\Microsoft\MessengerService\ListCache\.NET Messenger Service—IdentityName

Yahoo Messenger
Chat Rooms | NTUSER.DAT | \Software\Yahoo\Pager\profiles\screen name\Chat
File Transfers | NTUSER.DAT | \Software\Yahoo\Pager\File Transfer (global value)
File Transfers | NTUSER.DAT | Software\Yahoo\Pager\profiles\screen name\FileTransfer (user specific)
Identities | NTUSER.DAT | \Software\Yahoo\Pager\profiles\screen name—All Identities, Selected I
IMVs MRU List | NTUSER.DAT | Software\Yahoo\Pager\profiles\screen name\IMVironments (user-specific)
IMV Usage | NTUSER.DAT | \Software\Yahoo\Pager\IMVironments (global value)
Last User | NTUSER.DAT | \Software\Yahoo\Pager—Yahoo! User ID
Message Archiving | NTUSER.DAT | \Software\Yahoo\Pager\profiles\screen name\Archive
Password | NTUSER.DAT | \Software\Yahoo\Pager—EOptions string
Recent Contacts | NTUSER.DAT | Software\Yahoo\Pager\profiles\screen name\IMVironments\Recent
Saved Password | NTUSER.DAT | \Software\Yahoo\Pager—Save Password
Screen Names | NTUSER.DAT | \Software\Yahoo\Pager\profiles\screen name
Yserver | NTUSER.DAT | \Software\Yahoo\Yserver

System Information
Computer Name | SYSTEM | \ControlSet###\Control\ComputerName\ComputerName
Current Control Set | SYSTEM | \Select
Current Control Set | SYSTEM | \Select\Current
Dynamic Disk | SYSTEM | \ControlSetXXX\Services\DMIO\Boot Info\Primary Disk Group
Event Logs | SYSTEM | \ControlSetXXX\Services\Eventlog
Install Date | SOFTWARE | \Microsoft\Windows NT\CurrentVersion
Last User Logged In | SOFTWARE | \Microsoft\Windows NT\CurrentVersion\Winlogon
Logon Banner Message | SOFTWARE | \Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
Logon Banner Title | SOFTWARE | \Microsoft\Windows\CurrentVersion\Policies\System\Legal Notice Capt
Logon Info—Default User and Domain Name | SOFTWARE | \Microsoft\Windows NT\CurrentVersion\Winlogon
Logon Info—Legal Notices on Bootup | SOFTWARE | \Microsoft\Windows NT\CurrentVersion\Winlogon
Mounted Devices | SYSTEM | \MountedDevices
O/S Version | SOFTWARE | \Microsoft\Windows NT\CurrentVersion
Pagefile | SYSTEM | \ControlSetXXX\Control\Session Manager\Memory Management
PDA Information | SYSTEM | \ControlSet###\Enum\USB
Product ID | SOFTWARE | \Microsoft\Windows NT\CurrentVersion
Product Name | SOFTWARE | \Microsoft\Windows NT\CurrentVersion
Registered Organization | SOFTWARE | \Microsoft\Windows NT\CurrentVersion
Registered Owner | SOFTWARE | \Microsoft\Windows NT\CurrentVersion
Restricted Access to Removable Media | SOFTWARE | \Microsoft\WindowsNT\CurrentVersion\Winlogon
Run | SOFTWARE | \Microsoft\Windows\CurrentVersion\Run
Shutdown Time | SYSTEM | \ControlSetXXX\Control\Windows
Time Zone | SYSTEM | \ControlSet001(or002)\Control\TimeZoneInformation\StandardName
USB Devices | SYSTEM | \Enum\USBSTOR

Networking
Local Groups | SAM | \Domains\Builtin\Aliases\Names
Local Users | SAM | \Domains\Account\Users\Names
Map Network Drive MRU | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Dr
Printers—Currently Defined | SYSTEM | \ControlSet###\Control\Print\Printers
Printer—Default | NTUSER.DAT | \Software\Microsoft\WindowsNT\CurrentVersion\Windows
Printer—Default | NTUSER.DAT | \printers
Printer Information | SYSTEM | \ControlSet###\Control\Print\Environments\WindowsNTx86\DriversWe
Profile List | SOFTWARE | \Microsoft\Windows NT\CurrentVersion\ProfileList
TCP/IP Data | SYSTEM | \ControlSetXXX\Services\TCPIP\Parameters
TCP/IP Settings of a Network Adapter | SYSTEM | \ControlSetXXX\Services\adapter\Parameters\TCPIP

User Data
EFS | NTUSER.DAT | Software\Microsoft\WindowsNT\CurrentVersion\EFS\CurrentKeys
Event Log Restrictions | SYSTEM | \ControlSet###\Services\EventLog\Application
Event Log Restrictions | SECURITY | \ControlSet###\Services\EventLog\Application
File Extensions/Program Association | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Last Logon Time | SAM | \SAM\Domains\Account\Users\F Key
Last Time Password Changed | SAM | \SAM\Domains\Account\Users\F Key
Account Expiration | SAM | \SAM\Domains\Account\Users\F Key
Last Failed Login | SAM | \SAM\Domains\Account\Users\F Key
MRU—Last Visited | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\
MRU—Open Saved | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Open
MRU—Recent Documents | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
MRU—RunMRU | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
POP3 Passwords | NTUSER.DAT | \Software\Microsoft\Internet Account Manager\Accounts\0000000#
Run | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Run
Screen Savers and Wallpaper | NTUSER.DAT | \Control Panel\Desktop\
Theme—Current Theme | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Themes
Theme—Last Theme | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Themes\Last Theme
Converted Wallpaper | NTUSER.DAT | \Control Panel\Desktop
User Name and SID | SAM | \SAM\Domains\Account\Users\V Key
User Name and SID | SOFTWARE | \Microsoft\WindowsNT\CurrentVersion\ProfileList\


User Application Data
Adobe | NTUSER.DAT | \Software\Adobe\*
AIM | NTUSER.DAT | \Software\America Online\AOL Instant Messenger\CurrentVersion\Users\username
Google Client History | NTUSER.DAT | \Software\Google\NavClient\1.1\History
Individual Application Information | NTUSER.DAT | \Software\%Application Name%
Kazaa | NTUSER.DAT | \Software\Kazaa\*
Media Player Recent List | NTUSER.DAT | \Software\Microsoft\MediaPlayer\Player\RecentFileList
Startup Software | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Run
Startup Software | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\RunOnce
Startup Software | SOFTWARE | \Microsoft\Windows\CurrentVersion\Run
Startup Software | SOFTWARE | \Microsoft\Windows\CurrentVersion\RunOnce
WinZip Information | NTUSER.DAT | \Software\Nico Mak Computing\FileMenu
WinZip Information | SOFTWARE | \Nico Mak Computing
Word—Recent Docs | NTUSER.DAT | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office\Word\Settings\Save As\File Name MRU
Word—User Info | NTUSER.DAT | \Software\Microsoft\office\version\Common\UserInfo
Access—Recent Databases | NTUSER.DAT | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office Access\Settings\File New Database\File Name MRU
Excel—Recent Spreadsheets | NTUSER.DAT | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU
Outlook—Recent Attachments | NTUSER.DAT | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office Outlook\Settings\Save Attachment\File Name MRU
PowerPoint—Recent PPT's | NTUSER.DAT | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office PowerPoint\Settings\Save As\File Name MRU
Publisher—Recent Documents | NTUSER.DAT | \Software\Microsoft\office\version\Common\Open Find\Microsoft Office Publisher\Settings\Save As\File Name MRU
Yahoo | NTUSER.DAT | \Software\Yahoo\Pager\Profiles\*
File Extension Associations | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.EXT Ty
User Assist | NTUSER.DAT | \Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
ShellBags | NTUSER.DAT | \Software\Microsoft\Windows\Shell\BagMRU

Source: Registry Quick Find Chart (2005), AccessData Corporation, www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf. All Rights Reserved. ... permission.
