Ed Skoudis, Contributor
When analyzing a compromised Windows system, investigators and system
administrators can glean enormously useful information about
attackers' actions by looking through the Windows registry, a
hierarchical database storing tens of thousands of settings on a
modern Windows box. Whether an outside attacker compromised the box,
an inside employee engaged in nefarious activities, or malware
inexplicably infected the machine, the Windows registry contains
wonderful gems of information for investigators. In this tip, we'll
look at what information investigators can gather about user activity
via the registry.
Interacting with the registry
While there are several ways for investigators to interact with the
registry, two of the most useful are the built-in regedit GUI-based
tool and the reg command-line tool. Regedit has been included in
Windows for over a decade, while the reg command is only included in
more modern Windows machines, such XP Pro, 2003 Server, Vista and
2008 Server.
Read this tip:
http://go.techtarget.com/r
Listen to this tip on your PC or favorite MP3 player:
http://go.techtarget.com/r
Subscribe to Threat Monitor and our other security podcasts:
http://feeds.feedburner.com
No comments:
Post a Comment