This Information Security blog is about my views and experiences in the information security, computer forensics and incident response industry as a student, professional and educator.
Thursday, June 5, 2008
WINDOWS REGISTRY FORENSICS GUIDE: INVESTIGATING HACKER ACTIVITIES
Ed Skoudis, Contributor
When analyzing a compromised Windows system, investigators and system administrators can glean enormously useful information about attackers' actions by looking through the Windows registry, a hierarchical database storing tens of thousands of settings on a modern Windows box. Whether an outside attacker compromised the box, an inside employee engaged in nefarious activities, or malware inexplicably infected the machine, the Windows registry contains wonderful gems of information for investigators. In this tip, we'll look at what information investigators can gather about user activity via the registry.
Interacting with the registry
While there are several ways for investigators to interact with the registry, two of the most useful are the built-in regedit GUI-based tool and the reg command-line tool. Regedit has been included in Windows for over a decade, while the reg command is only included in more modern Windows machines, such as XP Pro, 2003 Server, Vista and 2008 Server.
Read this tip: http://go.techtarget.com/r/3788298/5749008
Listen to this tip on your PC or favorite MP3 player: http://go.techtarget.com/r/3788299/5749008
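As an added example (not part of the tip, and not Ed Skoudis's code), the following PowerShell script drives the reg command-line tool the way an investigator would when collecting user-activity evidence: it queries a set of well-known registry locations, exports the relevant hives for later re-parsing, and hashes everything it wrote. The output directory and the choice of keys are my assumptions; the keys themselves are standard Windows locations rather than anything listed in the tip.

```powershell
# Constructed example: collect user-activity registry artifacts with reg.exe.
# Run from an elevated PowerShell on the system under investigation
# (or, preferably, against a forensic copy rather than the live box).
$Evidence = Join-Path $env:USERPROFILE 'RegistryEvidence'   # assumed output directory
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# Well-known keys that record user activity (assumed list, not from the tip).
$Keys = @(
  'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',      # Start > Run history
  'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths',  # Explorer address-bar paths
  'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs',  # recently opened documents
  'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist',  # GUI launches (names are ROT13-encoded)
  'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',                  # per-user autostart entries
  'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'                   # machine-wide autostart entries
)

foreach ($Key in $Keys) {
  # One text file per key; backslashes in the key path become underscores.
  $Out = Join-Path $Evidence (($Key -replace '\\', '_') + '.txt')
  # /s recurses into subkeys. stderr is merged so a missing key is recorded
  # in the evidence file instead of silently producing an empty file.
  & reg.exe query $Key /s 2>&1 | Out-File -FilePath $Out -Encoding utf8
}

# Export whole hives as .reg files so values can be re-parsed offline later.
& reg.exe export 'HKCU' (Join-Path $Evidence 'HKCU.reg') /y | Out-Null
& reg.exe export 'HKLM\SOFTWARE' (Join-Path $Evidence 'HKLM_SOFTWARE.reg') /y | Out-Null

# Hash every collected file so its integrity can be demonstrated later.
Get-ChildItem -Path $Evidence -File |
  Get-FileHash -Algorithm SHA256 |
  Select-Object Hash, Path |
  Export-Csv -Path (Join-Path $Evidence 'manifest.csv') -NoTypeInformation
```

Querying a key on a live system does not modify it, but the hive exports and hashes are what let you show later that the values you report are the ones that were actually present.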