Windows Forensic Analysis

Windows Memory Analysis (Windows Forensic Analysis) Part 4

Process Creation Mechanism

Now that you know a little bit about the various structures involved with processes, it would be helpful to know something about how the operating system uses those structures, particularly when it comes to creating an actual process. A number of steps are followed when a process is created. These steps can […]

Windows Memory Analysis (Windows Forensic Analysis) Part 5

Memoryze

Mandiant’s Memoryze tool provides the analyst with the ability to parse and analyze memory dumps from several versions of Windows. To install Memoryze, download the MSI file from the Mandiant Web site (mentioned previously in this topic) and install it. I chose to install it in the D:\Mandiant directory. Then, to install Audit Viewer, […]

Windows Memory Analysis (Windows Forensic Analysis) Part 6

Extracting the Process Image

As you saw earlier in this topic, when a process is launched the executable file is read into memory. One of the pieces of information that you can get from the process details (via lspd.pl) is the offset within a Windows 2000 memory dump file to the Image Base Address. As […]

Registry Analysis (Windows Forensic Analysis) Part 1

Introduction

To most administrators and forensic analysts, the Registry probably looks like the entrance to a dark, forbidding cave on the landscape of the Windows operating system. Others might see the Registry as a dark door at the end of a long hallway, with the words "Abandon hope, all ye who enter here" scrawled on […]

Registry Analysis (Windows Forensic Analysis) Part 2

Monitoring Changes to the Registry

There is really no single, consolidated resource of Registry keys that will be useful in any particular situation. A spreadsheet containing many of the keys that I and others find useful during various types of investigations is included in the ch4 directory on the accompanying media. However, this is not […]

Registry Analysis (Windows Forensic Analysis) Part 3

RipXP

The family of RegRipper tools also includes another useful tool that is a variation of rip.pl, called ripxp.pl. I chose the name because this is a CLI tool based on rip.pl that is specific to Windows XP. Windows XP maintains System Restore Points which contain portions of Registry hive files. To run ripxp.pl, you […]

Registry Analysis (Windows Forensic Analysis) Part 4

Wireless SSIDs

On live systems (most often laptops), Windows will maintain a list of service set identifiers (SSIDs) to which it has connected. If the wireless connections are managed by the Wireless Zero Configuration Service (WZCSVC), this list is maintained in the following Registry key: The GUID in this case is the globally unique identifier […]

Registry Analysis (Windows Forensic Analysis) Part 5

Enumerating Autostart Registry Locations

One of the best tools currently available for retrieving information from a great number of autostart locations on a live system is Autoruns, from Microsoft (Version 9.39 is available at the time of this writing from http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx). This is an updated tool that comes in both GUI and CLI versions. Figure […]

Registry Analysis (Windows Forensic Analysis) Part 6

USB Device Issues

USB removable storage devices have long been known (particularly by security professionals) to pose a threat to security, especially within the corporate infrastructure. Since the days of the floppy disk (even back as far as when these things really were floppy!), the amount of storage capacity has increased as the size of […]

Registry Analysis (Windows Forensic Analysis) Part 7

Finding Users

Information about users is maintained in the Registry, in the SAM hive file. Under normal circumstances, this hive is not accessible, even to administrators, not without taking special steps to manually edit the access permissions on the hive. There’s a good reason for this: Although much of the Registry can be "messed with," […]