Category Archives: Windows Registry Forensics

Windows XP Restore Points

Posted on January 20, 2015 by HatsOffSecurity

I know XP is going the way of the Dodo, which is why I wanted to write this post. As blogs and posts update and keep up with the latest versions of Windows I find it harder and harder to … Continue reading

Posted in Introduction, Windows Forensics, Windows Registry Forensics, Windows XP | Tagged , , , , , , | Leave a comment

USB Forensics Update

Posted on November 25, 2014 by HatsOffSecurity

Update #1 This is a late update to USB Forensics Part 4 – Volume Serial Number An important side note: As I have done more investigations I realised that this key will not be populated if the machine is deemed … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics, Windows Registry Forensics | Tagged , , | 1 Comment

Research: Decoding LanmanServer\Shares

Posted on November 9, 2014 by HatsOffSecurity

For my first fully independent research topic I chose to look at the registry key created when an object is shared. This all started with a job we were investigating recently where the indicators we were given did not turn … Continue reading

Posted in Cyber, Research, Shared Folders, Windows Forensics, Windows Registry Forensics | Tagged , , , , , , , , | 7 Comments

USB Forensics Pt. 3 Discover the Volume Name

Posted on June 7, 2014 by HatsOffSecurity

Part 3 of our investigation is to discover what the Volume Name of the USB device was. This can be helpful when looking into Link (.lnk) files (which I will cover in a later blog post). It can also occasionally … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , | 2 Comments