fokidiscovery.blogg.se

Recentapps registry forensics

Back to Windows registry forensics. In course 3 we are covering the NTUSER.DAT registry file.

A quick review of what we've covered so far in course 3: we've covered the RecentDocs subkey, and we took a look at the most recently used (MRU) lists, how we read those and how they are interpreted. We took a look at the TypedURLs subkey for Internet Explorer: URLs typed in, or completed by autocomplete or the drop-down box. We also took a look at UserAssist: program execution by a specific user. And in this section we're going to be covering recent applications: RecentApps, which is a subkey in the NTUSER.DAT hive.

In this section, we're going to take a look at the RecentApps subkey. This also tracks recently used applications, similar to UserAssist, but this key goes a little deeper, as we're going to see shortly. We will see GUIDs instead of ROT13, and each of these subkey GUIDs will correspond to an application. This is going to show us applications and the files that were executed through that specific application. The items we will be using in this section are Registry Explorer, DCode and the Ivan NTUSER.DAT file.

So let's take a look. Let's bring up Registry Explorer and, if you haven't already done so, please go ahead to File, Load Hive, navigate out to where you saved the NTUSER.DAT hive file that we exported from our virtual machine images, click Open and load the hive.
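The subkey layout described above, as an added example that is not from the course: a Python parser for a constructed `.reg`-style export of the RecentApps key that groups values under each application GUID and decodes the FILETIME timestamps you would otherwise paste into DCode. The key path and the value names (`AppId`, `LastAccessedTime`, `LaunchCount`, `RecentItems`, `DisplayName`, `Path`) are not given in the text above; they are assumptions based on how this key is commonly documented, so confirm them against the hive in Registry Explorer.

```python
import re
from datetime import datetime, timedelta, timezone

ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps"
# Constructed sample (.reg export style): GUIDs, paths, times made up; value names assumed.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11111111-1111-1111-1111-111111111111}]
"AppId"="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\notepad.exe"
"LastAccessedTime"=hex(b):00,e8,3b,d9,9b,82,d3,01
"LaunchCount"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11111111-1111-1111-1111-111111111111}\RecentItems\{22222222-2222-2222-2222-222222222222}]
"DisplayName"="notes.txt"
"Path"="C:\\Users\\demo\\Documents\\notes.txt"
"LastAccessedTime"=hex(b):00,80,77,77,93,82,d3,01
'''

def filetime_to_utc(raw):
    """Decode 8 little-endian bytes of 100 ns ticks since 1601-01-01 UTC."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def decode_value(text):
    if text.startswith("hex(b):"):   # REG_QWORD, treated here as a FILETIME
        return filetime_to_utc(bytes.fromhex(text[7:].replace(",", "")))
    if text.startswith("dword:"):    # REG_DWORD, written as 8 hex digits
        return int(text[6:], 16)
    return text.strip('"').replace("\\\\", "\\")   # REG_SZ, .reg escaping undone

def parse_recentapps(reg_text):
    """Return {app GUID: {value name: value, 'items': [recent-item dicts]}}."""
    apps, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = None                      # values belong to the newest key header
            rel = line[1:-1]
            if not rel.startswith(ROOT + "\\"):
                continue                        # ignore keys outside RecentApps
            parts = rel[len(ROOT) + 1:].split("\\")
            app = apps.setdefault(parts[0], {"items": []})
            if len(parts) == 1:                 # the application's own GUID subkey
                current = app
            elif len(parts) == 3 and parts[1] == "RecentItems":
                current = {}                    # one file opened through this application
                app["items"].append(current)
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1)] = decode_value(m.group(2))
    return apps
```

Each application's `items` list carries its own timestamps, which is what lets a file access be tied to the program that opened it rather than only to the user.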













