Case Studies

User Hives

Abstract

This chapter discusses a great deal of the data that can be extracted from Registry hives found within a user profile in order to illustrate indicators of patterns of activity. This information can be used by analysts to demonstrate when the user was logged into the system, as well as locate indicators of malware infections, intrusions, and a number of other activities.

Keywords

MuiCache; NTUSER.DAT; RecentDocs; Registry; User; UserAssist; USRCLASS.DAT; WordWheelQuery

Information in this chapter

• NTUSER.DAT

• USRCLASS.DAT

Introduction

When first I sat down to write this book, it occurred to me that this chapter…one about tracking user activity…might be the most useful and interesting ...

Get Windows Registry Forensics, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Windows Registry Forensics, 2nd Edition by Harlan Carvey

Case Studies

User Hives

Abstract

Keywords

Introduction

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly