Presentation is loading. Please wait.

Presentation is loading. Please wait.

FORENSICS ANALYSIS OF THE REGISTRY OF WINDOWS 7 “SYSTEM ANALYSIS” 시스템 포렌식 실습 NURHALIMATUSADIAH SYARA 10152146 시스템 포렌식 실습.

Published byPiers White Modified over 8 years ago

Similar presentations

Presentation on theme: "FORENSICS ANALYSIS OF THE REGISTRY OF WINDOWS 7 “SYSTEM ANALYSIS” 시스템 포렌식 실습 NURHALIMATUSADIAH SYARA 10152146 시스템 포렌식 실습."— Presentation transcript:

1 FORENSICS ANALYSIS OF THE REGISTRY OF WINDOWS 7 “SYSTEM ANALYSIS” 시스템 포렌식 실습 NURHALIMATUSADIAH SYARA 10152146 시스템 포렌식 실습

2 Windows Registry the system such as the settings configuration of the system 시스템 포렌식 실습

3 The computer name is available in the following registry sub key: HKEY_LOCAL_MACHINE\SYSTEM\Currentcontrolset\ Control\ComputerName\ComputerName HKEY_LOCAL_MACHINE is hive connected to Keys - SYSTEM is Keys - Currentcontrolset is SubKeys - Control is SubKeys - ComputerNameis SubKeys - ComputerName is value that store data ; 시스템 포렌식 실습

4 HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralPro cessor\0 HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralPro cessor\1 This information includes the processor name, its speed and vendor identifier. We can know name of processor of this computer ; Intel® Core™ i3 – 5005U CPU @ 2.00GHz 시스템 포렌식 실습

5 This key maintains a list of recently opened or saved files via typical Windows Explorer-style commons dialog boxes HKCU\Software\Microsoft\Windows\CurrentsVersion\Explorer\ComDIg3 2\OpenSaveMRU 시스템 포렌식 실습

6 This key maintains a list of entries (E.G full file path or commands like cmd, regedit, compmgmnt.MSC) executed using the start>run commands HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 시스템 포렌식 실습

7 IMPORTANT REGISTRY ENTRIES HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\ HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\ HKCU\Software\Microsoft\Internet Explorer\TypedURLs\ HKCU\Software\Microsoft\Windows\CurrentVersion\ComDIg32\OpenSaveMRU HKCU\Software\Microsoft\Windows\CurrentVersion\ComDIg32\LastVisitedMRU 시스템 포렌식 실습

8 If we want t reactivate on new machine HKCU\Software\Microsoft\Windows\CurrentVersion\Setup\OOBE 시스템 포렌식 실습

9 IF WE CHANGE THE NUMBER OF VALUE DATA. SO, WHEN WE CLOSE IT WE CAN’T OPEN IT 시스템 포렌식 실습

Download ppt "FORENSICS ANALYSIS OF THE REGISTRY OF WINDOWS 7 “SYSTEM ANALYSIS” 시스템 포렌식 실습 NURHALIMATUSADIAH SYARA 10152146 시스템 포렌식 실습."

Similar presentations

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.
Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.

Your Friend and Mine The Windows Registry. What is the Registry? ► Think of as a giant 411 switchboard ► Simple idea of centralized one-stop shopping.
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 3 Configuring the Windows Server 2008 Environment.
Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.

Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.
The Windows Registry Adapted from

The Windows Registry Adapted from
Registry Analysis What is it? What does it contain?

Registry Analysis What is it? What does it contain?
Registry Structure What is it? What does it contain?

Registry Structure What is it? What does it contain?
Real Forensics The hard way. Data Recovery What data/evidence can you retrieve from a hard drive. Usually dd is good enough Sometimes real help is needed.

Real Forensics The hard way. Data Recovery What data/evidence can you retrieve from a hard drive. Usually dd is good enough Sometimes real help is needed.
Application Repackaging - Naushad Ali T Doddamani.

Application Repackaging - Naushad Ali T Doddamani.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
Working with the Windows XP Registry

Working with the Windows XP Registry
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.
Https://www.youtube.com/watch?v=HA96GwuvdVM.

© 2009 Autodesk Troubleshooting common installation problems TS14868637 AutoCAD (LT) Product Support By Tom Stoeckel.

© 2009 Autodesk Troubleshooting common installation problems TS AutoCAD (LT) Product Support By Tom Stoeckel.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
1 Macros Presented by Maria G. Martinez. 2 What's a macro?  Macro - set of computer instructions that you can record and associate with a shortcut key.

1 Macros Presented by Maria G. Martinez. 2 What's a macro?  Macro - set of computer instructions that you can record and associate with a shortcut key.
KEY COMPONENTS OF A COMPUTER SYSTEM ANDREW LOLAVAR.

KEY COMPONENTS OF A COMPUTER SYSTEM ANDREW LOLAVAR.
Technology ICT Core: File Management.

Technology ICT Core: File Management.
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.
How Computers Work. A computer is a machine f or the storage and processing of information. Computers consist of hardware (what you can touch) and software.

How Computers Work. A computer is a machine f or the storage and processing of information. Computers consist of hardware (what you can touch) and software.

Similar presentations

Ads by Google