What’s in a name? That which we call a profile / By any other name would still let us log in.

I recently ran across a case where I needed to prove which user was using which profile folder. Every once in a while, the profile folder name won’t actually be the same as the […]

Registry Overview

The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is: go look in \Windows\System32\config and \Users\<profile>\NTUSER.DAT. The long answer is… well… longer.

The first thing to understand is that the Registry is a complicated beast. Once processed, loaded into memory, and THEN presented to the user, […]


There are a plethora of keys in the Registry dedicated to telling you where you’ve been. Known as MRU (Most Recently Used) keys, they provide that little bit of history you get in the File menu of certain apps or in the drop-down box where you are specifying a name to open/save a file. Very […]


Plist files are found sprinkled throughout OS X and iOS and contain the various configuration settings and other information of use to the OS and applications.


This is an EnCase EnScript I wrote a few years back. The original design goal was to implement Sysinternals Autoruns.exe inside EnCase so it could be run against dead drives during forensics cases. Sysinternals has since reworked Autoruns.exe so it can work against a dead drive, thus limiting the usefulness of this script. It still […]