Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Windows Forensics Analyst Field Guide

You're reading from   Windows Forensics Analyst Field Guide Engage in proactive cyber defense using digital forensics techniques

Arrow left icon
Product type Paperback
Published in Oct 2023
Publisher Packt
ISBN-13 9781803248479
Length 318 pages
Edition 1st Edition
Concepts
Arrow right icon
Author (1):
Arrow left icon
Muhiballah Mohammed Muhiballah Mohammed
Author Profile Icon Muhiballah Mohammed
Muhiballah Mohammed
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Part 1:Windows OS Forensics and Lab Preparation
2. Chapter 1: Introducing the Windows OS and Filesystems and Getting Prepared for the Labs FREE CHAPTER 3. Chapter 2: Evidence Acquisition 4. Chapter 3: Memory Forensics for the Windows OS 5. Chapter 4: The Windows Registry 6. Chapter 5: User Profiling Using the Windows Registry 7. Part 2:Windows OS Additional Artifacts
8. Chapter 6: Application Execution Artifacts 9. Chapter 7: Forensic Analysis of USB Artifacts 10. Chapter 8: Forensic Analysis of Browser Artifacts 11. Chapter 9: Exploring Additional Artifacts 12. Index 13. Other Books You May Enjoy

Looking at the NTUSER.DAT, Amcache, and SYSTEM hives

When investigating a Windows system for potential cyber-attacks, one of the most important pieces of information that a forensic examiner can gather is evidence of execution. As mentioned earlier, evidence of execution refers to artifacts left behind by programs that have been run on a system and can provide valuable insights into the activities that occurred on the system. Understanding how to analyze and interpret these artifacts is essential to conducting effective Windows forensics investigations.

Evidence of execution can take many different forms, including file metadata, registry entries, and log files.

The NTUSER.DAT file is another important artifact to consider when analyzing evidence of execution. The NTUSER.DAT file is a registry hive that contains configuration settings for the user account currently logged on to a Windows system. It contains information about the programs that have been run on the system, including...

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image