Back to Windows registry forensics, course 3, where we are covering the NTUSER.DAT registry file. And in this section we're going to be covering recent applications, RecentApps, which is a sub key in the NT user.

What we've covered so far in course 3, a quick review: we've covered the RecentDocs sub key, and we took a look at the most recently used, the MRU, lists and how we read those, how those are interpreted. We took a look at the TypedURLs subkey for Internet Explorer: URLs typed in or completed by the autocomplete or the drop-down box. We also took a look at UserAssist, program execution by a specific user.

In this section, we're going to take a look at the RecentApps sub key. This also tracks recently used applications, similar to UserAssist, but this key goes a little deeper, as we're going to take a look at shortly. We will see GUIDs instead of the ROT13, and each of these sub key GUIDs will correspond to an application, and this is going to show us applications and files that were executed through that specific application.

The items we will be using in this section are going to be Registry Explorer, DCode and the Ivan NTUSER.DAT hive file that we exported from our virtual machine images.

So let's take a look. Let's bring up Registry Explorer and, if you haven't already done so, please go ahead to File, Load Hive, navigate out to where you saved that NTUSER.DAT file, and click Open and load the hive. Once we've loaded the hive, we're going to navigate to the key that we're looking for. So we're going to expand it: expand the root, we're going to expand Software, we're going to expand Microsoft, we're going to expand Windows, CurrentVersion, Search, and expand Search, and we see our RecentApps sub key. Now when we highlight the sub key, we can see the information populated on the right-hand side of the pane: we have the program GUIDs. We also have file paths, and we have the last access date and time, and we have a launch count, how many times the program was launched.
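The same fields read from a text export instead of the Registry Explorer pane, as an added example that is not part of the course material: it parses a `.reg`-style export of the RecentApps key and decodes the last access time and launch count for each GUID sub key. The value names `AppId`, `LastAccessedTime` and `LaunchCount`, the FILETIME encoding of the timestamp, the sample GUID and all function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not case data): .reg-style export of one RecentApps GUID subkey.
# Value names AppId / LastAccessedTime / LaunchCount are assumptions, not from the page.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11111111-2222-3333-4444-555555555555}]
"AppId"="C:\\Windows\\System32\\notepad.exe"
"LastAccessedTime"=hex(b):00,00,05,69,36,c0,d5,01
"LaunchCount"=dword:00000003
'''

# Matches only direct GUID subkeys of RecentApps, not deeper keys beneath them.
KEY_RE = re.compile(r'^\[.+\\RecentApps\\(\{[0-9A-Fa-f-]+\})\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')

def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def decode_value(data: str):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(b):"):  # REG_QWORD bytes, assumed here to hold a FILETIME
        return filetime_to_utc(bytes.fromhex(data[7:].replace(",", "")))
    return data.strip('"').replace("\\\\", "\\")  # REG_SZ with escaped backslashes

def parse_recent_apps(text: str) -> dict:
    """Return {guid: {value_name: decoded_value}} for every RecentApps GUID subkey."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = apps.setdefault(m.group(1), {})
        elif line.startswith("["):
            current = None  # a different key: skip its values
        elif current is not None and (m := VAL_RE.match(line)):
            current[m.group(1)] = decode_value(m.group(2))
    return apps

if __name__ == "__main__":
    for guid, vals in parse_recent_apps(SAMPLE_REG).items():
        print(guid, vals["AppId"], vals["LastAccessedTime"].isoformat(), vals["LaunchCount"])
```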