Registry research
Is anyone out there doing research into the Windows Registry, from a forensic perspective?
I know that there are viewers available to allow you to see what's in the raw Registry files, and that these viewers are available for a variety of platforms. That's not what I'm looking for.
I'm also aware of the lists of Registry keys that are available, particularly the one from AccessData that seems to be pretty popular. While it is a good starting point, there really isn't enough information about the keys/values in the list, and what causes them to be created, modified, or deleted, to be useful beyond a certain point.
What I'm asking here is this...is anyone doing research into the conditions that cause various keys/values to be added to, modified, or deleted from the Registry (this also applies to the LastWrite time associated with Registry keys)? This is extremely important in the area of Windows forensic analysis, as it adds context to what the investigator sees.
Some things are obvious (though they could be better documented), such as the TypedURLs key: values are added when the user types a URL into the Address bar of IE. Other things aren't so obvious, such as what causes the LastWrite time of the unique ID key for a USB removable storage device to be updated.
Is there anyone out there doing this kind of research? At the least, I'd like to consolidate a list of links. Ideally, I'd like to see the efforts themselves consolidated and optimized.
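One way to do the kind of research asked about above is to snapshot the LastWrite times of the keys of interest, perform a single controlled action (type a URL into IE, plug in a USB device), and snapshot again. The following PowerShell is an added example, not code from the original post or from any of the tools it mentions. It assumes the standard locations of the TypedURLs key and of the USBSTOR device-instance keys, and uses RegQueryInfoKeyW via P/Invoke because the .NET RegistryKey class does not expose the LastWrite time.

```powershell
# Added example (not from the original post): snapshot Registry LastWrite times
# before and after an action, then list the keys whose LastWrite changed.
# Assumptions: TypedURLs lives under HKCU\Software\Microsoft\Internet Explorer,
# and USB storage instance IDs live under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
$sig = @'
[DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, System.Text.StringBuilder lpClass, ref uint lpcchClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@
$Reg = Add-Type -MemberDefinition $sig -Name 'RegInfo' -Namespace 'Win32' -PassThru

function Get-RegKeyLastWrite {
    # Returns the key's LastWrite time (UTC) plus subkey/value counts.
    # Querying a key does not itself update its LastWrite time.
    param([Microsoft.Win32.RegistryKey]$Key)
    $classLen = [uint32]0
    $subKeys = $values = $n1 = $n2 = $n3 = $n4 = $n5 = [uint32]0
    $ft = [int64]0
    $rc = $Reg::RegQueryInfoKey($Key.Handle.DangerousGetHandle(), $null, [ref]$classLen, [IntPtr]::Zero,
        [ref]$subKeys, [ref]$n1, [ref]$n2, [ref]$values, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed for $($Key.Name): error $rc" }
    [pscustomobject]@{
        Key       = $Key.Name
        LastWrite = [DateTime]::FromFileTimeUtc($ft)
        SubKeys   = $subKeys
        Values    = $values
    }
}

function Get-RegSnapshot {
    # Collects LastWrite info for TypedURLs and every USBSTOR unique-ID key.
    $out = @()
    $typed = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Internet Explorer\TypedURLs')
    if ($typed) { $out += Get-RegKeyLastWrite $typed; $typed.Close() }

    $usbstor = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Enum\USBSTOR')
    if ($usbstor) {
        foreach ($dev in $usbstor.GetSubKeyNames()) {          # Disk&Ven_...&Prod_...&Rev_... keys
            $devKey = $usbstor.OpenSubKey($dev)
            foreach ($id in $devKey.GetSubKeyNames()) {       # unique instance ID (serial number) keys
                $idKey = $devKey.OpenSubKey($id)
                $out += Get-RegKeyLastWrite $idKey
                $idKey.Close()
            }
            $devKey.Close()
        }
        $usbstor.Close()
    }
    $out
}

$before = @(Get-RegSnapshot)
Read-Host 'Perform exactly one action under test (type a URL in IE, plug in the USB device), then press Enter'
$after = @(Get-RegSnapshot)

# Keys present only on the "after" side of the comparison had their LastWrite time changed
# (or were newly created) by the action.
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Key, LastWrite -PassThru |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Format-Table Key, LastWrite, SubKeys, Values -AutoSize
```

Run it from an elevated PowerShell prompt on a test system where nothing else is happening, and repeat each action several times: a key whose LastWrite changes on every run of the same action gives a reliable correlation, while one that changes only sometimes points at another cause (a driver reload, a service, a scheduled task) that still needs to be isolated.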