registry_forensic_cheatsheet_v1

The document is a forensic cheatsheet detailing various registry locations and tools for extracting information about active users, system configuration, network connections, and user activities on a Windows system. It highlights the use of tools like Registry Explorer, ShellbagExplorer, and AmcacheParser to analyze registry data for insights into user actions and potential security incidents. Key registry paths are provided for accessing data related to user accounts, system settings, network configurations, and recent file access.

Uploaded by

yazeedxgemar1
registry forensic cheatsheet v1

list of local user accounts

SAM\Domains\Account\Users

tool: Registry Explorer

note: each RID subkey holds the F value (account created, last logon, last password change, logon count, account flags) and the V value (username, full name, group membership). Registry Explorer can also recover deleted keys and values from hive slack space, so accounts that were removed may still be recoverable here.

system configuration, operating system information, network information, timezone information, etc.

SYSTEM\ControlSet001

SYSTEM\CurrentControlSet

tool: Registry Explorer

note: an offline SYSTEM hive usually contains ControlSet001 and may contain ControlSet002 or higher. Do not assume 001 is the live one: the REG_DWORD values under SYSTEM\Select (Current, Default, LastKnownGood, Failed) state which ControlSet00N the system was running on and which one is kept as the last known good backup for recovery after a failed boot.

note: CurrentControlSet is a symbolic link that exists only in the live registry in memory; it is not present in the hive file on disk, so in Registry Explorer substitute ControlSet00N, with N taken from Select\Current.

operating system version, edition, build number, install date, etc.

SOFTWARE\Microsoft\Windows NT\CurrentVersion

tool: Registry Explorer

note: ProductName, EditionID, CurrentBuild/CurrentBuildNumber and UBR (update build revision) give the exact patch level, DisplayVersion/ReleaseId the feature release, BuildLabEx the build flavour (amd64fre/x86fre), InstallDate the install time as a Unix epoch DWORD, and RegisteredOwner/RegisteredOrganization who set it up. Knowing the exact build narrows down which vulnerabilities the system was exposed to when an exploit is suspected.

networks the system has connected to

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList

tool: Registry Explorer

note: NetworkList\Profiles\{GUID} holds one key per network with ProfileName (the SSID or network name), Description, NameType (0x06 wired, 0x17 VPN, 0x47 wireless), Managed (1 if domain-joined through it), and DateCreated / DateLastConnected as 16-byte SYSTEMTIME values in the machine's local time, i.e. first and last connection. NetworkList\Signatures\Unmanaged\{hash} links a ProfileGuid to DefaultGatewayMac, the MAC address of the router that provided the connection, and FirstNetwork, which can tie the machine to a physical location.
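The timestamps and the gateway MAC in these keys are REG_BINARY values that need decoding. The following is an added example, not part of the cheatsheet and not code from Registry Explorer; it works on a dict of value-name to data for one Profiles\{GUID} key and its matching Signatures\Unmanaged key, as an offline hive parser or winreg would hand them back. The sample profile is constructed.

```python
"""Interpret a NetworkList profile from raw registry values (added example)."""
import struct
from datetime import datetime

# NameType values seen under NetworkList\Profiles: 0x06 wired, 0x17 VPN, 0x47 wireless.
NAME_TYPES = {0x06: "wired (Ethernet)", 0x17: "VPN", 0x47: "wireless (Wi-Fi)"}


def decode_systemtime(blob: bytes) -> datetime:
    """DateCreated / DateLastConnected are 16-byte SYSTEMTIME structures: eight
    little-endian WORDs (year, month, day-of-week, day, hour, minute, second,
    milliseconds). They are stored in the machine's local time, so no time zone
    is attached; correct with SYSTEM\\...\\Control\\TimeZoneInformation."""
    if len(blob) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(blob)}")
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", blob)
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def format_mac(blob: bytes) -> str:
    """DefaultGatewayMac is a 6-byte REG_BINARY."""
    if len(blob) != 6:
        raise ValueError(f"MAC must be 6 bytes, got {len(blob)}")
    return ":".join(f"{b:02x}" for b in blob)


def summarize_network(profile: dict, signature: dict) -> dict:
    """Combine a Profiles\\{GUID} key (name, type, timestamps) with its
    Signatures\\Unmanaged key (gateway MAC) into one record."""
    name_type = profile.get("NameType", 0)
    return {
        "ssid": profile["ProfileName"],
        "type": NAME_TYPES.get(name_type, f"unknown (0x{name_type:02x})"),
        "first_connected": decode_systemtime(profile["DateCreated"]),
        "last_connected": decode_systemtime(profile["DateLastConnected"]),
        "gateway_mac": format_mac(signature["DefaultGatewayMac"]),
        "domain_managed": bool(profile.get("Managed", 0)),
    }


# Constructed sample values (not taken from a real system).
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShop-Guest",
    "Description": "CoffeeShop-Guest",
    "NameType": 0x47,
    "Managed": 0,
    # 2023-03-14 (a Tuesday, day-of-week 2) 09:26:53.123 local time
    "DateCreated": struct.pack("<8H", 2023, 3, 2, 14, 9, 26, 53, 123),
    # 2023-05-27 (a Saturday, day-of-week 6) 18:02:07 local time
    "DateLastConnected": struct.pack("<8H", 2023, 5, 6, 27, 18, 2, 7, 0),
}
SAMPLE_SIGNATURE = {
    "FirstNetwork": "CoffeeShop-Guest",
    "DefaultGatewayMac": bytes.fromhex("001122aabbcc"),
}

if __name__ == "__main__":
    for key, value in summarize_network(SAMPLE_PROFILE, SAMPLE_SIGNATURE).items():
        print(f"{key:16} {value}")
```

The day-of-week WORD is ignored on purpose: it is derived from the date and is the first thing to disagree when a timestamp has been tampered with, so compare it against the decoded date rather than trusting it.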

Network shares exported by the system

SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

tool: Registry Explorer

note: each value is named after the share and holds a REG_MULTI_SZ with Path=, Remark=, Type=, Permissions= and similar entries. The default administrative shares (C$, ADMIN$, IPC$) are recreated by the Server service at start-up and are not listed here, so what appears is what someone deliberately shared. This helps uncover lateral movement: which directories the compromised machine exposed over SMB. Shares this host connected to are recorded on the user side instead (NTUSER.DAT\Network for mapped drives and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2).

TCP/IP configuration and interfaces information

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

tool: Registry Explorer

note: Parameters holds Hostname, Domain and DhcpDomain; Interfaces\{GUID} holds per adapter EnableDHCP, DhcpIPAddress, DhcpSubnetMask, DhcpDefaultGateway, DhcpServer, DhcpNameServer and LeaseObtainedTime / LeaseTerminatesTime as Unix epoch DWORDs (IPAddress, SubnetMask and DefaultGateway when statically configured). The lease times place the machine on a given network at a given time, and the adapter GUID matches the one used in NetworkList and in interface-level event logs.

Shellbags
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU

NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags

USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

tool: ShellBags Explorer

note: shellbags are Explorer's per-folder view settings and therefore record folders the user browsed, including folders on removable drives, network shares and inside archives. The entries survive deletion of the folder, so they can show directories that no longer exist. On Windows 7 and later most of the data is in UsrClass.dat; the key's last-write times date the browsing.

Shimcache

SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

tool: AppCompatCacheParser

note: the AppCompatCache value records the full path of executables the application compatibility engine examined, together with the file's last-modified ($STANDARD_INFORMATION) timestamp, not the time of execution. On Windows XP through 8.1 an insert flag showed whether the file actually ran; Windows 10 and later no longer record it, so an entry shows the file existed and was looked at (browsing to a folder in Explorer is enough), not that it ran. Entries are ordered most recently inserted or updated first, and the value is only written to the hive at shutdown or reboot, so a live system holds newer entries in memory than the hive on disk. In an offline hive read it under ControlSet00N, not CurrentControlSet.
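To show what the value actually holds, here is an added parser for the Windows 10/11 entry layout; it is not part of the cheatsheet and not the code of AppCompatCacheParser. It takes the raw REG_BINARY data of the AppCompatCache value; the cache bytes below are constructed by build_sample_cache() so the example runs offline, and on a real case you would feed it the value bytes from the hive instead.

```python
"""Parse a Windows 10/11-format AppCompatCache (Shimcache) value (added example)."""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_MAGIC = b"10ts"  # marks each Windows 10+ entry
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_appcompatcache(blob: bytes) -> list:
    """Return entries in cache order (most recently inserted or updated first).

    The value starts with a 0x30 or 0x34 byte header, then entries laid out as:
    b"10ts", 4 unknown bytes, DWORD length of the rest of the entry, WORD path
    length, UTF-16LE path, FILETIME last-modified time of the file, DWORD data
    length, data. Windows 10+ entries carry no execution flag.
    """
    pos = blob.find(ENTRY_MAGIC, 0, 64)  # first entry follows the header
    if pos < 0:
        raise ValueError("no Windows 10 style entries found")
    entries = []
    while pos + 12 <= len(blob) and blob[pos:pos + 4] == ENTRY_MAGIC:
        (entry_len,) = struct.unpack_from("<I", blob, pos + 8)
        body_start = pos + 12
        body_end = body_start + entry_len
        (path_len,) = struct.unpack_from("<H", blob, body_start)
        cursor = body_start + 2
        path = blob[cursor:cursor + path_len].decode("utf-16-le")
        cursor += path_len
        (filetime,) = struct.unpack_from("<Q", blob, cursor)
        cursor += 8
        (data_len,) = struct.unpack_from("<I", blob, cursor)
        cursor += 4
        if cursor + data_len != body_end:
            raise ValueError(f"entry at offset {pos} is inconsistent")
        entries.append({
            "position": len(entries),
            "path": path,
            # last-modified time of the file on disk, NOT the time it was run
            "last_modified": filetime_to_datetime(filetime),
            "data_size": data_len,
        })
        pos = body_end
    return entries


def _entry(path: str, mtime: datetime, data: bytes = b"") -> bytes:
    """Serialize one entry in the layout above (used only to build sample data)."""
    encoded = path.encode("utf-16-le")
    body = (struct.pack("<H", len(encoded)) + encoded
            + struct.pack("<Q", datetime_to_filetime(mtime))
            + struct.pack("<I", len(data)) + data)
    return ENTRY_MAGIC + b"\x00" * 4 + struct.pack("<I", len(body)) + body


def build_sample_cache() -> bytes:
    """Constructed cache with a 52-byte (0x34) header and two entries; not real data."""
    header = struct.pack("<I", 0x34) + b"\x00" * (0x34 - 4)
    return header + b"".join([
        _entry(r"C:\Users\alice\Downloads\invoice.exe",
               datetime(2023, 5, 27, 17, 58, 3, tzinfo=timezone.utc), b"\x01\x00\x00\x00"),
        _entry(r"C:\Windows\System32\cmd.exe",
               datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)),
    ])


if __name__ == "__main__":
    for entry in parse_appcompatcache(build_sample_cache()):
        print(f'{entry["position"]:4} {entry["last_modified"].isoformat()} {entry["path"]}')
```

The position is worth keeping: since the cache is most-recent-first, an executable from a user's Downloads folder sitting at position 0 was the last thing the shim engine touched before the hive was written, which is a lead even though the timestamp beside it is only the file's modification time.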

Amcache
C:\Windows\AppCompat\Programs\Amcache.hve

AMCACHE\{GUID}\Root\InventoryApplicationFile

tool: AmcacheParser

note: helps hunt persistent or undetected malware: every inventoried file gets a FileId value holding the SHA-1 hash of (the first 31 MB of) the file, prefixed with "0000", so hashes can be checked against threat intelligence even after the binary has been deleted. The key also records the full path, size, publisher, product name and the link (compile) time of the binary.

note: Amcache was long treated as stronger evidence of execution than Shimcache, but it is populated by scheduled inventory tasks as well as by program launches, so treat an entry as evidence the file was present on disk and corroborate execution from Prefetch, event logs or SRUM.

Recent Files
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\{.extension}

tool: Registry Explorer

note: RecentDocs has one numbered value per document (UTF-16LE file name followed by the shell item of its .lnk), with the MRUListEx value giving the order from most recently opened, a subkey per extension and a Folder subkey; the last-write time of each key dates the most recent open. The Recent folder holds the .lnk files themselves. All of this is evidence of access (the document was opened through the shell), not evidence of execution.

Dialogue Boxes MRU


NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

tool: Registry Explorer

note: these record files and folders picked in the common Open/Save dialog of any application. LastVisitedPidlMRU values start with the UTF-16LE name of the executable that showed the dialog, followed by the PIDL of the folder last used in it; OpenSavePidlMRU has a subkey per extension (plus *) whose values are PIDLs of the files opened or saved, each with its own MRUListEx. Like RecentDocs this is evidence of access, and it survives for files on removable or network locations that are no longer reachable.
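Both RecentDocs and the ComDlg32 keys use the same MRUListEx ordering and the same UTF-16LE name prefix, so one decoder covers both sections above. This is an added example, not part of the cheatsheet and not Registry Explorer's code; it works on a dict of value-name to raw data for one MRU key as an offline hive parser returns it. The sample values are constructed, and the bytes after each name stand in for the shell item / PIDL that a real value carries, which is not decoded here.

```python
"""Order RecentDocs and ComDlg32 MRU values by recency (added example)."""
from __future__ import annotations

import struct

MRULISTEX_END = 0xFFFFFFFF


def parse_mrulistex(blob: bytes) -> list[int]:
    """MRUListEx is a run of little-endian DWORDs, most recent first, ending in
    0xFFFFFFFF. Each DWORD is the name of a sibling value ("0", "1", ...)."""
    order = []
    for (index,) in struct.iter_unpack("<I", blob[: len(blob) - len(blob) % 4]):
        if index == MRULISTEX_END:
            break
        order.append(index)
    return order


def leading_utf16(blob: bytes) -> str:
    """Return the NUL-terminated UTF-16LE string that starts the value.
    RecentDocs values begin with the file name, LastVisitedPidlMRU values with
    the executable name; a shell item list (PIDL) follows in both cases."""
    end = 0
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[:end].decode("utf-16-le", errors="replace")


def mru_names_in_order(values: dict[str, bytes]) -> list[str]:
    """Names from the numbered values, most recently used first. Indexes the
    MRUListEx references but that have no value (deleted) are skipped."""
    names = []
    for index in parse_mrulistex(values.get("MRUListEx", b"")):
        data = values.get(str(index))
        if data is not None:
            names.append(leading_utf16(data))
    return names


def _mru_value(name: str, trailer: bytes = b"\x14\x00") -> bytes:
    """Constructed value: UTF-16LE name, NUL terminator, then stand-in PIDL bytes."""
    return name.encode("utf-16-le") + b"\x00\x00" + trailer


# Constructed sample keys (not from a real system).
SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRULISTEX_END),
    "0": _mru_value("budget.xlsx"),
    "1": _mru_value("notes.txt"),
    "2": _mru_value("passwords.docx"),
}
SAMPLE_LASTVISITED = {
    "MRUListEx": struct.pack("<4I", 1, 0, 5, MRULISTEX_END),  # index 5 has no value
    "0": _mru_value("WINWORD.EXE"),
    "1": _mru_value("notepad.exe"),
}

if __name__ == "__main__":
    print("RecentDocs, most recent first:", mru_names_in_order(SAMPLE_RECENTDOCS))
    print("LastVisitedPidlMRU, most recent first:", mru_names_in_order(SAMPLE_LASTVISITED))
```

A dangling index in MRUListEx, as in the second sample, is itself a finding: the list is rewritten on every use, so an index with no matching value usually means the value was removed by hand or by a cleaning tool after the last dialog use.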