Digital Forensics
HKLM\SAM
%SYSTEMROOT%\SYSTEM32
HKLM\
%SYSTEMROOT%\System32\config\
Software.dat
Installed programs with usernames and passwords
HKEY_CLASSES_ROOT
Keeps track of file-name extension associations and class registrations to connect items with the appropriate application.
Lossless Compression
a data compression algorithm that allows the original data to be perfectly reconstructed from the compressed data.
Lossy Compression
data compression techniques in which some amount of data is lost. This technique attempts to eliminate redundant information.
CSP first responders
Specially trained system and network administrators
HKEY_CURRENT_USER - HKCU
Stores user-specific data related...
HKEY_LOCAL_MACHINE
Contains default settings that can apply to all users on the local computer
bit-stream copy
A bit-by-bit duplicate of data on the original storage medium.
Raw Format
A data acquisition format that creates simple sequential flat files of a suspect drive or data set.
Common type 1 hypervisor
Citrix XenServer
Type 1 hypervisor
A virtual machine interface that loads on physical hardware and contains its own OS.
DomainKeys Identified Mail (DKIM)
A way to verify the names of domains a message is flowing through and was developed as a way to cut down on spam
System.dat
Additional computer settings
Pagefile.sys
Can contain message fragments from instant messaging applications
Sparse acquisition
Captures only specific files of interest to the case, but it also collects fragments of unallocated (deleted) data.
computer generated records
Data generated by a computer, such as system log files or proxy server logs.
computer-stored records
Digital files generated by a person, such as electronic spreadsheets.
Forensics Tools can...
Directly mount VMs as external drives
MAC
Metadata in a prefetch file contains an application's _____________ times in UTC format and a counter of how many times the application has run since the prefetch file was created.
Common type 1 hypervisor
Microsoft Hyper-V
NTUser.dat
Most recently used files, desktop configuration
HKU\SID
NTUSER.DAT %USERPROFILE%\NTUSER.DAT
SAM.dat
User account management and security settings
Common type 1 hypervisor
VMware vSphere
HKLM\HARDWARE
Volatile hive created at boot that contains hardware information provided by the BIOS
