In the first article in this series we looked at free tools for data mirroring. In this installment we look at tools available for registry forensics: extracting information from a largely untapped source of data, and understanding the context in which registry data is created or modified.
Tool: MuiCache View
Whenever a new application is installed, the Windows operating system automatically extracts the application name from the version resource of the exe file and stores it for later use in a Registry key known as the “MuiCache.”
MuiCache View lets you easily view and edit the list of all MuiCache items on your system. You can edit the name of an application, or you can delete unwanted MuiCache items.
Tool: Process Monitor
Process Monitor is an advanced monitoring tool for Windows that shows the real-time file system, Registry, and process activity.
Tool: Regshot
Regshot is a Registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one, taken after making system changes or installing a new software product.
Results of a comparison between two shots are shown in the following manner:
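As an added example (not code from the article, Regshot or MuiCache View), the snapshot-and-compare idea behind Regshot can be reproduced in a few lines of PowerShell, and using the MuiCache key described above as the target shows how newly run programs leave entries there. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 7 or later, where the per-user MuiCache key sits under the path in the script.

```powershell
# Added example, not code from the article, Regshot or MuiCache View: a minimal
# Regshot-style snapshot-and-compare of one registry subtree in PowerShell.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 7 or later.

function Get-RegistrySnapshot {
    # Returns a hashtable of "full key path\value name" => value data (as text)
    param([Parameter(Mandatory)][string]$Path)
    $snapshot = @{}
    # Get-ChildItem -Recurse yields subkeys only, so include the root key itself
    $keys = @(Get-Item -Path $Path -ErrorAction Stop) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Keep REG_EXPAND_SZ unexpanded so both snapshots compare stored data
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $snapshot["$($key.Name)\$name"] = [string]$data   # byte[] becomes "1 2 3"
        }
    }
    return $snapshot
}

function Compare-RegistrySnapshot {
    # Reports values that were Added, Deleted or Modified between two snapshots
    param([Parameter(Mandatory)][hashtable]$Before,
          [Parameter(Mandatory)][hashtable]$After)
    $allNames = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($name in $allNames) {
        if (-not $Before.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Added';    Value = $name; Old = $null;          New = $After[$name] }
        } elseif (-not $After.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Deleted';  Value = $name; Old = $Before[$name]; New = $null }
        } elseif ($Before[$name] -cne $After[$name]) {
            [pscustomobject]@{ Change = 'Modified'; Value = $name; Old = $Before[$name]; New = $After[$name] }
        }
    }
}

# Sample target: the MuiCache key the article describes. Each entry is named
# "<full path to exe>.FriendlyAppName" and holds the display name taken from
# the executable's version resource, so programs run in between show up as "Added".
$muiCache = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'

$before = Get-RegistrySnapshot -Path $muiCache
Read-Host 'Install or run the application under examination, then press Enter'
$after = Get-RegistrySnapshot -Path $muiCache
Compare-RegistrySnapshot -Before $before -After $after | Format-Table -AutoSize -Wrap
```

Point `$muiCache` at any other subtree (for example a Run key) to diff that part of the registry the same way.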
Tool: USBDeview
USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: device name, description, device type, serial number (for mass storage devices), the date and time that device was added, vendor ID, product ID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, to disconnect USB devices that are currently connected to your computer, and to disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you log in to that computer as administrator.
In the next article in this series we will look at free tools for disk forensics – stay tuned!
About the Author: Mohit Rawat writes for Infosec Institute. He is an engineering graduate and works as a Security Analyst, specializing in social engineering, penetration testing, application vulnerability assessments, digital forensics investigations and IT security architecture. He works for both public and private sector clients, performs penetration testing and digital forensics investigations, and delivers security training to IT professionals.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock