regf
Every Registry file starts with a 4,096 byte header block. The first 512 bytes of that header tell us about the Registry file […]
Month: January 2015
Registry File Specification
After reviewing several other sources, notably from Morgan and Norris, I’ve decided that Joachim Metz’s Windows NT Registry File (REGF) format specification is the […]
Registry Overview
The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is go look […]
Registry Internal Structure
Searching for information about the innards of the Registry returns a whole lot of pages talking about the hives, keys, and values. […]
MRU
There are a plethora of keys in the Registry dedicated to telling you where you’ve been. Known as MRU (Most Recently Used) […]
Collection Scripts
For many years now I’ve tried to do all my live collection on systems via command line scripts. The goal when I wrote […]
Useful Windows Commands
These are useful command lines that are all based on built-in Windows programs. They were tested on Windows 7, but most should […]
Utilities by the Thousands
As I was putting together the list of command line tools to make Windows terminal more meaningful, I found myself wanting to […]
Command Line Happiness
There is no contesting that the command line in a Linux/Mac environment kicks Windows’s cmd.exe without even trying hard. There are entire blogs […]
Bulk Extract EXIF
I was asked not too long ago about how to extract metadata from inside a file. Easy, I said. I then proceeded […]
Plists
Plist files are found sprinkled throughout OS X and iOS and contain the various configuration settings and other information of use to the OS and applications.