Performing Registry Research

In Chapter 6, “Analyzing the Computer,” we used Procmon.exe as a tool to examine the writes made to the registry by the installation of malware or bad code in order to see its impact on the host system. This same tool, Procmon.exe, can be used in a similar manner to see where and how various system settings are stored in the registry.

Although there are an infinite number of possible examples to use, the basic methodology is the same regardless of the example. In essence, we will run ProcMon, start to capture data, make a system setting change, stop the data capture, and examine the writes made to the registry. Naturally, we’ll carry out this process in a known, controlled environment.
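The "examine the writes" step is easier when the capture is exported to CSV (File > Save in ProcMon) and reduced to successful registry modifications only. The following is an added example, not code from the book: it assumes ProcMon's default CSV column set and uses constructed sample rows rather than a real capture.

```python
import csv
import io
from collections import defaultdict

# Operations ProcMon reports for registry modifications (as opposed to opens/queries).
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}

# Constructed sample of a ProcMon CSV export; these rows are illustrative, not from a real system.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","explorer.exe","4120","RegQueryValue","HKCU\Control Panel\Desktop\Wallpaper","SUCCESS","Type: REG_SZ, Length: 58, Data: C:\Users\user\Pictures\old.jpg"
"10:01:05.2234567 AM","SystemSettings.exe","5544","RegSetValue","HKCU\Control Panel\Desktop\Wallpaper","SUCCESS","Type: REG_SZ, Length: 58, Data: C:\Users\user\Pictures\new.jpg"
"10:01:05.3234567 AM","SystemSettings.exe","5544","RegSetValue","HKCU\Control Panel\Desktop\WallpaperStyle","SUCCESS","Type: REG_SZ, Length: 4, Data: 10"
"10:01:05.4234567 AM","SystemSettings.exe","5544","RegSetValue","HKLM\SOFTWARE\Example","ACCESS DENIED",""
"10:01:06.5234567 AM","svchost.exe","1212","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers","SUCCESS","Desired Access: Write"
'''


def registry_writes(csv_text, process=None):
    """Return successful registry writes from a ProcMon CSV export, optionally limited to
    one process name. Each hit is (process name, operation, path, detail)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Drop reads/queries and failed attempts; only completed writes changed the hive.
        if row["Operation"] not in REG_WRITE_OPS or row["Result"] != "SUCCESS":
            continue
        if process and row["Process Name"].lower() != process.lower():
            continue
        hits.append((row["Process Name"], row["Operation"], row["Path"], row["Detail"]))
    return hits


def writes_by_process(csv_text):
    """Count successful registry writes per process, to show which process persisted the setting."""
    counts = defaultdict(int)
    for proc, *_ in registry_writes(csv_text):
        counts[proc] += 1
    return dict(counts)


if __name__ == "__main__":
    for proc, op, path, detail in registry_writes(SAMPLE_CSV):
        print(f"{proc:20} {op:14} {path}\n{'':35} {detail}")
    print(writes_by_process(SAMPLE_CSV))
```

In a real capture, narrow the time window to the moment the setting was changed before filtering, since background processes write to the registry continuously.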

Using this methodology, you ...
