Investigating User Activity

The user’s NTUSER.DAT file is loaded with data indicative of the user’s preferences and activity. Just as the SOFTWARE hive file lists software installed on the computer, the Software key of the NTUSER.DAT file contains keys for software installed on the computer. And just as the keys in the local machine SOFTWARE hive retain entries for software long since deleted, the user’s Software key likewise retains entries for software that was once installed. In addition, the user’s Software key contains data specific to the user. This data can take the form of searches, usernames, passwords, commands, programs run, or strings entered, and the list goes on. We’ll cover some of the more common and significant data that is specific ...
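An added example, not from the book, of how an examiner would pull this user-specific data from an offline NTUSER.DAT with PowerShell: the hive path and the mount name are placeholders, the evidence volume is assumed to be mounted read-only, and the RunMRU key (commands typed into the Run dialog) is one well-known location under the user’s Software key.

```powershell
# Added example (not from the book): enumerate a user's offline NTUSER.DAT.
# Assumptions: the image is mounted read-only at E:\, the hive path and the
# mount point name 'ForensicUser' are placeholders; run from an elevated prompt.
param(
    [string]$HivePath  = 'E:\Users\jdoe\NTUSER.DAT',   # placeholder path
    [string]$MountName = 'ForensicUser'                 # placeholder mount name
)

$mount = "HKU\$MountName"
# reg.exe load attaches the offline hive under HKEY_USERS for read access.
& reg.exe load $mount $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not load $HivePath (file locked, or prompt not elevated?)"
}

try {
    $software = "Registry::HKEY_USERS\$MountName\Software"

    # 1. Vendor and product keys under the user's Software key. Entries for
    #    software that has since been uninstalled are usually still present.
    Get-ChildItem -Path $software -Depth 1 -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Key'; e = { $_.Name -replace "^HKEY_USERS\\$MountName\\", '' } } |
        Sort-Object Key |
        Format-Table -AutoSize

    # 2. Commands typed into the Run dialog. Each value name is a single letter;
    #    MRUList orders those letters from most to least recently used, and each
    #    command string carries a trailing "\1" that is stripped here.
    $runMru = Join-Path $software 'Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (Test-Path $runMru) {
        $item = Get-ItemProperty -Path $runMru
        foreach ($letter in $item.MRUList.ToCharArray()) {
            $name = [string]$letter
            [pscustomobject]@{
                Order   = $name
                Command = ($item.$name -replace '\\1$', '')
            }
        }
    }
}
finally {
    # Always detach the hive so the handle on the evidence file is released.
    [gc]::Collect()
    & reg.exe unload $mount | Out-Null
}
```

Run the script against a copy of the hive rather than the original evidence, and record the hash of that copy before and after to show the hive was not modified.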

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.