It is always better to be forthcoming and proactive with breach notifications. Having customers hear about a breach from the company in a controlled message is always better than them hearing about it in a sensationalized news article. This is something I have told countless customers. Unfortunately, when I have said it in the past, […]


What’s in a name? That which we call a profile By any other name would still let us log in.   I recently ran across a case where I needed to prove which user was using which profile folder. Every once in a while, the profile folder name won’t actually be the same as the […]

On Espionage

I recently read an article that included the following quote: “During Chinese President Xi Jinping’s recent state visit, the two countries agreed to a “common understanding” that neither side would engage in or support commercial espionage. The agreement did not address legitimate intelligence espionage.” There is a fundamental misunderstanding of foreign cultures that seems to […]


Named Key cells are the data structures within the Registry that hold the Keys and provide the parent/child data necessary to build the tree. Different documentation calls these Named Keys, Node Keys, or NT Keys. It is unclear which is correct, so I’m going to go with Noodle Keys.   offset length type what is […]


The contents of Registry files are saved in Hive Bins. The previously mentioned header to the Registry file is a 4k block with info about the file as a whole. After that comes a series of blocks that each start with magic signature of “hbin”. These blocks are the containers that all the keys, values, and everything […]


Every Registry file starts with a 4,096 byte header block. The first 512 bytes of that header tell us about the Registry file as a whole. Contained within this header are the following: Offset Length Type What is it? x000 4 string Signature: “regf” x004 4 uint32 Sequence Number 1 x008 4 uint32 Sequence Number 2 […]

Registry File Specification

After reviewing several other sources, notably from Morgan and Norris, I’ve decided that Joachim Metz’s Windows NT Registry File (REGF) format specification is the clear winner when it comes to laying this information out in a clean, clear, easy to read format. Metz doesn’t have all of the answers, but unlike the other documents, this one is […]

Registry Overview

The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is go look in \Windows\System32\config and \Users\<profile>\NTUSER.DAT. The long answer is… well… longer.   First thing to understand is that the Registry is complicated beast. Once processed, loaded into memory, and THEN presented to the user, […]

Registry Internal Structure

Searching for information about the innards of the Registry returns a whole lot of pages talking about the hives, keys, and values. But, I want to go deeper. What makes the Registry actually tick.   After a bit of google-fu, I was only able to come up with a handful of pages that actually talk […]


There are a plethora of keys in the Registry dedicated to telling you where you’ve been. Known as MRU (Most Recently Used) keys, they provide that little bit of history you get in the File menu of certain apps or in the drop-down box where you are specifying a name to open/save a file. Very […]

Collection Scripts

For many years now I’ve tried to do all my live collection on systems via command line scripts. The goal when I wrote the script (and still) is for this to be a fully-automated, single click execution. The reason being is that it allows me to hand the imaging task off to people that are technical […]

Useful Windows Commands

These are useful command lines that are all based on built-in Windows programs. They were tested on Windows 7, but most should be present on WinXP as well. Unlike the previous two blog posts, these are all about what is already present on the system. So, these are things you can do during live collection […]

Utilities by the Thousands

As I was putting together the list of command line tools to make Windows terminal more meaningful, I found myself wanting to list some GUI utilities because I love them so. In order to keep that post focused on the command line, I decided to move the GUI part of the list here. So, below […]

Command Line Happiness

There is no contesting that the command line in a Linux/Mac environment kicks Windows’s cmd.exe without even trying hard. There are entire blogs dedicated to how wonderful it is. But, most of the commercial forensics tools are Windows only, relegating many of us to that environment. My ideal setup is a Mac running Windows inside Fusion, […]


Plist files are found sprinkled throughout OS X and iOS and contain the various configuration settings and other information of use to the OS and applications.

People still use Word macros!?!

I got an interesting email today.     The headers: Received: from ( by ( with Microsoft SMTP Server id 14.2.347.0; Wed, 22 Oct 2014 09:02:52 -0400 Received: by with SMTP id cm18so2352642qab.6 for <[email protected]>; Wed, 22 Oct 2014 06:02:51 -0700 (PDT) X-Gm-Message-State: ALoCoQmf9GbcGqvsr0EmNIh1kGul9vAE9+L+H3zfk+CntPSkas8OLcrLeM9ISXmYIS16W57cL4L/f3pUKDnO10Mmi5n9T9cnDERwdGJaTC2EeaIDxh6tMsRjT3Dn47O9O/05tSlXz5UayMWhvD9Scvhx7fCjrrFSy0WYOv7nsHpSYcCzPY/mADE= X-Received: by with SMTP id c50mr52767444qgc.77.1413982971840; Wed, […]


I’m not sure how I missed it when it came out in 2009, but Peter Norris has put together an absolutely fantastic write up on the internal structures of the Registry. Deep internal knowledge like this is vital when you are finding parts of old registry files in unallocated space, the page file, or memory. […]

RAW Images

Many digital cameras will compress their images into JPEG files, making them much easier to deal with for the average consumer. But, occasionally, you run across those that take their image capturing seriously who will set their cameras to save the files in “RAW Mode”. What that means depends on the model of camera. IrfanView […]

NTFS Fix-Ups

I was asked what this Fix-up thing was that I mentioned in my last post. Fix-ups are used by NTFS to keep track of sectors that are part of specific data structures within the file system. This is done for a variety of reasons: detecting corruption from a failed disk sector, from a failed write, […]

$I30 INDX Parsing

I needed to walk a directory index for another script I was working on. I figured, as long as I was there trying to prototype that, I would just dump out the entire Index. I already have a couple of scripts that do this. One of the major things I noticed when I started working […]

MFT Parsing

So, I was having lunch with my good friend Mike. Great guy. If you get a chance, take Mike to lunch. Anyway, we were discussing how EnCase doesn’t really give the user easy access to the MFT and there is some information in there that doesn’t get parsed by EnCase that could be useful to […]


This is an EnCase EnScript I wrote a few years back.  The original design goal was to implement Sysinternals Autoruns.exe inside EnCase so it could be run against dead drives during forensics cases.  Sysinternals has since reworked Autoruns.exe so it can work against a dead drive, thus limiting the usefulness of this script.  It still […]