Registry of Interests Flashcards

1
Q

What is HKLM\System\CurrentControlSet?

A

It is an alias to HKLM\System\ControlSet001 and ControlSet002.
The ControlSet is dynamically generated during the boot process.

The CurrentControlSet cannot be found in the registry when loading the hive files.

2
Q

How can you verify which ControlSet was last used, without the CurrentControlSet alias key?

A

HKLM\System\Select

3
Q

Where can the Time Zone Information be found in the registry?

A

HKLM\System\CurrentControlSet\Control\TimeZoneInformation

4
Q

Where in the registry is more system information available?

A

HKLM\Software\Microsoft\Windows NT\CurrentVersion

5
Q

Where can the Last Shutdown time be found in the registry?

A

HKLM\System\CurrentControlSet\Control\Windows\
ShutdownTime contains the timestamp as a 64-bit hex value.
This can be decoded with the tool DCode v4.0.

6
Q

Where can traces of installed programs be found?

A
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
  • HKLU\Software\
7
Q

Where can the pagefile settings be found in the registry?

A

HKLM\System\CurrentControlSet\Control\Session Manager\MemoryManagement

8
Q

Where can you find which devices are mounted on the system?

A

HKLM\System\MountedDevices

2 types of data:
- short = used for IDE/SCSI drives
- long = used for USB removable drives

9
Q

What is USBSTOR and where is it located?

A

When a USB storage device is plugged into a computer, Windows assigns it a unique identifier called a device instance ID. This ID is stored in the USBSTOR registry key along with other information about the device.

HKLM\System\CurrentControlSet\Enum\USBSTOR

10
Q

Where can the First insert date be found in the USBSTOR?

A

The USBSTOR stores the dates in different keys called:

  • 0064 = First insertion date
  • 0065 = Insertion date
  • 0066 = Last insertion date
  • 0067 = Last removal date
11
Q

Where else can information about USB timestamps be found in the registry?

A

HKLM\System\CurrentControlSet\Enum\USB

USBSTOR: manufacturer, product, iSerial number

USB: iSerial number, vendor ID, product ID

12
Q

Where can the Assigned IP addresses be found on the system?

A

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

13
Q

Where can the Assigned IP addresses be found on the system?

A

HKLM\System\Microsoft\WindowsNT\CurrentVersion\Networklist\Profiles

14
Q

Where can User traces be found in the registry?

A
15
Q

What are User Shell Folders, and where are they located?

A

User Shell Folders holds the default user folders, such as Documents, Downloads, etc.

The location of these User Shell Folders can be changed to another disk or an encrypted disk.

Highest = HKCU User Shell Folders
= HKCU Shell Folder (default)
= HKLM User Shell Folders
Lowest = HKLM Shell Folder (default)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\

16
Q

Where can the MRU list for the UserAssist be found?

A

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

17
Q

Where can the MRU list for the RecentDocs be found?

A

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

18
Q

Where can the MRU list for the MS Office recently opened files be found?

A

HKCU\Software\Microsoft\Office\14.0\Word\File

19
Q

Where can the MRU list for the TypedURLs be found?

A

HKCU\Software\Microsoft\Microsoft\Internet Explorer\TypedURLs

20
Q

Where can the MRU list for the TypedURLsTime be found?

A

HKCU\Software\Microsoft\InternetExplorer\TypedURLsTime

21
Q

Where can the MRU list for the OpenSaveMRU be found?

A

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

22
Q

Where can the MRU list for the CIDSizeMRU be found?

A

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU

23
Q

Where can the MRU list for the LastVisitedPidMRU be found?

A

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

24
Q

Where can the MRU list for the Search Assistants MRU be found?

A

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

25
Q

Where can the MRU list for the Encrypted Storage be found?

A

HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2