🧠 Registry Analysis Guide – What to Look for at the Analysis Phase

✅ Tools Used:\ Registry Explorer | ShellBags Explorer | RegRipper

🎯 First: Goal of the Analysis Phase

After acquiring the Registry Hives files, we analyze them to gather accurate forensic information that helps in:

🔍 What to Look For	🧩 Why?	📁 Path	🛠️ Tool	🧪 Analytical Notes
🖥️ Computer Name	Identify the machine involved	`ControlSet001\Control\ComputerName\ComputerName`	RegRipper: `compname`	Useful in large networks to correlate with network logs
⏰ Time Zone	Interpret timestamps correctly	`ControlSet001\Control\TimeZoneInformation`	`timezone`	May reveal date manipulation in anti-forensic attempts
🌐 Network Interfaces	Identify networks connected to the device	`Services\Tcpip\Parameters\Interfaces`	Manual or RegRipper Plugin	Compare internal IPs with DHCP logs or network records
🔌 Mounted Devices	Track connected external storage	`MountedDevices`	`mountdev`	Might reveal USB drives used for exfiltration or live OS like Kali
📱 USBSTOR Artifacts	Track USB devices history	`Enum\USBSTOR`	Manual	Shows device type (e.g., "SanDisk", "iPhone"); helpful in approximating connection time

🔍 What to Look For	🧩 Why?	📁 Path	🛠️ Tool	🧪 Analytical Notes
💻 Installed Programs	Discover what tools/software were installed	`Microsoft\Windows\CurrentVersion\Uninstall`	`uninstall`	Look for apps like: `TeamViewer`, `AnyDesk`, `Wireshark`, `Tor`, or hacking tools
🌐 Typed URLs (IE)	Analyze user activity on Internet Explorer	`Microsoft\Internet Explorer\TypedURLs`	`typedurls`	May include login pages, bank portals, or targeting pages
🧭 Last Used Keys	Track what the user viewed in Regedit	`Applets\Regedit\LastKey`	Manual / `recentdocs`	Might indicate attempts to modify or monitor sensitive keys

Each user has a different NTUSER.DAT file\ It contains details about user behavior and interactions with the system

🔍 What to Look For	🧩 Why?	📁 Path	🛠️ Tool	🧪 Analytical Notes
📂 File MRUs (Recent Files)	Analyze recently opened documents	`Office\<ver>\Word/Excel\File MRU`	`officeMRU`	May contain sensitive documents or drafted malicious content
▶️ Run MRU	Programs run manually by the user	`Explorer\RunMRU`	`runmru`	Commands like `cmd`, `powershell`, `nc.exe` may indicate suspicious activity
🔍 WordWheelQuery	Keywords searched in the system	`Explorer\WordWheelQuery`	`wordwheel`	Look for terms like “VPN”, “delete logs”, or suspicious filenames
🧳 ShellBags	Track folders browsed by the user	`Shell\BagMRU` and `ShellNoRoam`	`ShellBags Explorer`	ShellBags preserve folder history even after deletion – useful in proving hidden evidence
🔐 UserAssist	Programs launched via GUI	`Explorer\UserAssist`	`userassist`	Logs most app executions even if they don't show in recent files

🔍 What to Look For	🧩 Why?	📁 Path	🛠️ Tool	🧪 Analytical Notes
👥 User Accounts	List all local accounts	`SAM\Domains\Account\Users\Names`	`samparse`	Look for suspicious or new accounts like `adm1n`, `test123`

🔍 Hive	🧠 Key Points to Verify
`SYSTEM`	ComputerName, TimeZone, Interfaces, Mounted Devices, USBSTOR
`SOFTWARE`	Installed Software, IE TypedURLs, Last Registry Keys
`NTUSER.DAT`	File MRU, RunMRU, WordWheel, ShellBags, UserAssist
`SAM`	User accounts, creation time, privileges

MountedDevices → show connection order of devices
USBSTOR → reveals device names, can be correlated with CCTV logs or network evidence