Comments on Windows Incident Response: How good is your Reg-foo?
(Blogger comment feed, last updated 2024-03-19; comment times are UTC-05:00)

Anonymous, 2005-03-29 13:22

Just a quick one for now, possibly well known, maybe not.

Data found in "Count" keys - MRU items that are ROT13 "ciphered" - will be missed by standard string searching. Now why is that? >:)

More info here: http://www.wilderssecurity.com/archive/index.php/t-11056.html

And in your local registry hives. :)

Anonymous, 2005-03-29 14:38

At a minimum, I'd like to see:

* Every MRU list available. This includes lists belonging to well-known programs and any key involving the phrases "MRU" or "Most Recently Used". This should also pick up how many MRU entries are recorded. (For example, if ten are supposed to be recorded but there are only four entries, I want to know that.)

* The identity of every USB device ever connected to the system, along with when. Preferably with the manufacturer and model number highlighted.

* A list of well-known programs that have ever been installed and whether or not they are still currently installed. Check for registry keys of MS Word, John the Ripper, AIM, et al., and see if they match known patterns of "currently installed" or "installed but then removed".

* The customer name and company name used to register any software, such as MS Word or Adobe Acrobat.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2005-03-30 05:45

Thanks, Cory and Jesse...

Cory...yes, those keys are fairly well known, but not documented by MS.

Jesse..."sometimes the world is not enough" (Pierce Brosnan as James Bond). ;-)