Chapter 9

Registry Evidence

In the previous chapter, we discussed the registry structure and some research techniques. While pursuing the latter, we showed you that there is considerable potential evidentiary data in the registry. Sometimes you already have the tools that the intruder used and can run them in a test environment to determine their traces, or footprint, on a victim system. In other cases, you won't have that luxury, and you'll have to begin by looking for those signs in the areas of the registry where they are commonly hidden, or by using other shortcuts and techniques to locate them.
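The first approach above, running a tool you already have and recording its footprint, is easiest to carry out as a before-and-after registry snapshot. The following PowerShell is an added example and is not code from the book; it snapshots the values under a set of registry roots, runs the suspect tool, snapshots again, and reports every value that was added, removed or changed. The root keys, the tool path and the assumption that this runs in a quiet, isolated test VM are all placeholders chosen for the example.

```powershell
# Added example (not from the book): snapshot -> run suspect tool -> snapshot -> diff.
# Assumptions: run inside an isolated test VM; $roots and the tool path are placeholders.

function Get-RegistrySnapshot {
    param([string[]]$Roots)
    $rows = @()
    foreach ($root in $Roots) {
        # Include the root key itself plus every subkey beneath it.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # GetValueNames() returns "" for the (Default) value; record it like any other.
            foreach ($name in $key.GetValueNames()) {
                $rows += [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $name
                    Value = ($key.GetValue($name) -join ',')   # flatten REG_MULTI_SZ / REG_BINARY
                }
            }
        }
    }
    return $rows
}

# Placeholder roots: narrow these to the hives or subtrees you are researching.
$roots = 'HKCU:\SOFTWARE', 'HKLM:\SOFTWARE'

$before = Get-RegistrySnapshot -Roots $roots
Start-Process -FilePath 'C:\lab\suspect_tool.exe' -Wait    # placeholder path to the tool under test
$after  = Get-RegistrySnapshot -Roots $roots

# '=>' rows exist only in the after-snapshot (new or changed value),
# '<=' rows exist only in the before-snapshot (deleted or old value).
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Key, Name, Value |
    Sort-Object Key, Name |
    Format-Table SideIndicator, Key, Name, Value -AutoSize
```

Windows itself writes to the registry continuously, so even on an idle VM the diff will contain noise from the OS; take one snapshot pair with no tool run first to learn the baseline churn, then attribute only the remaining differences to the tool. The provider does not expose key last-write timestamps through Get-Item, so this diff shows what changed but not when; pair it with hive parsing if timestamps matter.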

Every examination is somewhat different, but within a group of attackers, you can find similarities since they often use shared methodologies and tools. Despite these similarities, there will ...
