{"id":337,"date":"2012-10-04T10:58:24","date_gmt":"2012-10-04T10:58:24","guid":{"rendered":"http:\/\/digitalfire.ucd.ie\/?p=337"},"modified":"2012-10-31T15:07:38","modified_gmt":"2012-10-31T15:07:38","slug":"some-pitfalls-of-interpreting-forensic-artifacts-in-windows-registry","status":"publish","type":"post","link":"https:\/\/dfire.ucd.ie\/?p=337","title":{"rendered":"Some Pitfalls of Interpreting Forensic Artifacts in Windows Registry"},"content":{"rendered":"<p><a href=\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-419\" title=\"JackyFoxBlog\" src=\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog-300x300.jpg\" alt=\"\" width=\"300\" height=\"300\" srcset=\"https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog-300x300.jpg 300w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog-150x150.jpg 150w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog-96x96.jpg 96w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog-24x24.jpg 24w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog-36x36.jpg 36w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog-48x48.jpg 48w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog-64x64.jpg 64w, https:\/\/dfire.ucd.ie\/wp-content\/uploads\/2012\/10\/JackyFoxBlog.jpg 1000w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes to forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices. 
Modern forensic literature and tools do not reflect these changes &#8211; hence this post.<\/p>\n<p><a href=\"http:\/\/digitalfire.ucd.ie\/wp-content\/uploads\/2012\/10\/WindowsRegistryForensics.zip\">WindowsRegistryForensics.zip<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes to forensic interpretation of Windows [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"class_list":["post-337","post","type-post","status-publish","format-standard","hentry","category-windows-forensics"],"_links":{"self":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/337"}],"collection":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=337"}],"version-history":[{"count":15,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/337\/revisions"}],"predecessor-version":[{"id":1462,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=\/wp\/v2\/posts\/337\/revisions\/1462"}],"wp:attachment":[{"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=337"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=337"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dfire.ucd.ie\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=337"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}