Category Archives: Windows Registry Forensics

Force Enabling ReadyBoost Windows 7/8

Posted on May 31, 2015 by HatsOffSecurity

Whilst writing a presentation on USB Forensics, I was hit with a problem with ReadyBoost being disabled on my Virtual Machine. The message would read This device cannot be used for ReadyBoost. ReadyBoost is not enabled on this computer because … Continue reading

Posted in ReadyBoost, USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , | 20 Comments

Mounted Devices Key

Posted on December 4, 2014 by HatsOffSecurity

Here is a screen capture of a Mounted Devices key. As you can see it can appear quite daunting. In a previous blog post I covered how a USB Mass Storage devices would simply convert ASCII to Hex and use … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , , , | 2 Comments

USB Forensics Update

Posted on November 25, 2014 by HatsOffSecurity

Update #1 This is a late update to USB Forensics Part 4 – Volume Serial Number An important side note: As I have done more investigations I realised that this key will not be populated if the machine is deemed … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics, Windows Registry Forensics | Tagged , , | 1 Comment

USB Forensics Final Part! (aka Pt. 7) Device first/last plugged in

Posted on June 18, 2014 by HatsOffSecurity

The USB forensics thread can continue until the end of time, or at least the end of my free space on here, with this in mind I am only showing you the basics of USB forensics. I may cover more … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , | 1 Comment

USB Forensics Pt. 6 Which user account used the USB device

Posted on June 17, 2014 by HatsOffSecurity

Having all this information is all well and good, but right now all we can say for sure is that a USB device was used on this machine. Just because someone logged on to that machine doesn’t make them the … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , | Leave a comment

USB Forensics Pt.5 Determine the Drive Letter

Posted on June 15, 2014 by HatsOffSecurity

Finding the last Drive letter used by the USB device is actually quite simple…. or at least it should be! Go to the following Key: SYSTEM\MountedDevices Each drive letter is listed, however in my example on the VM the E: … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , | 1 Comment

USB Forensics Pt. 4 Volume Serial Number

Posted on June 8, 2014 by HatsOffSecurity

On to Part 4 of our ongoing discoveries about USB forensics. A quick recap So far we have managed to get details of two devices which have been connected to our image. We have looked at how to get: Unique … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , | 1 Comment

USB Forensics Pt. 2 Vendor ID (VID) & Product ID (PID)

Posted on June 7, 2014 by HatsOffSecurity

In Part 1 we discussed how to find the Unique Serial Number ID for the USB devices historically connected to the device you are investigating. The next step is a simple one, finding the VID & PID (I say simple, … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , , | Leave a comment

USB Forensics Pt. 1 Serial Number

Posted on June 5, 2014 by HatsOffSecurity

Forensicating USB devices can be a arduous task, as such I am going to break it down into byte (get it) size chunks. In order to get the Serial number from a USB device we must start our investigation on … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , | 1 Comment

RegBack Folder Update Times

Posted on May 29, 2014 by HatsOffSecurity

Following on from timestamps and how I said they shouldn’t be trusted, I am now going to talk about…. timestamps! The RegBack folder holds a backup copy of the Registry Hives and is located %system32%\config\regback. It is believed that these … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , , | Leave a comment