Wednesday, 7 March 2012
Windows Registry Forensics
The book I read to research this post was Windows Registry Forensics by Harlan Carvey, which is an excellent book which I bought from Kindle.

Computer forensics is based on the principle that anything you do on a computer leaves a trace, and any interaction between your computer and another computer leaves a trace on both machines. It's just a matter of knowing what to look for. There's an example in the book of someone who used Window Washer to purge his files: when the computer was examined there was no NTUSER file, so the examiner could see that had happened. Even when a program like Window Washer means the purged data itself can't be found, the examiner can still see when the program was used, and that is potential evidence in itself.

The author has written an open source program called RegRipper, which can be downloaded from www.regripper.net. It's written in Perl, so you have to install Perl to use it, but it lets you examine the Windows registry.

A favourite place to examine is the registry data kept by Windows Explorer. You can identify what software has been on that computer from the file types that are present. You can tell if a different drive was used with that computer because the letter for that drive will be recorded somewhere, and any hardware used with that computer will leave its serial number behind, from which it can be identified.

A favourite trick of some hackers is to say their computer was hacked by a virus and they didn't knowingly hack another computer. This can be proven one way or the other by checking whether they used a program to remotely view the other computer, which will leave evidence.
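To show what "the drive letter will be on there somewhere" and "hardware leaves its serial number behind" look like in practice, here is an added example (my own code, not RegRipper's and not from the book) that pulls three of the artefacts mentioned above out of a registry export: USB storage devices and their serial numbers from the SYSTEM hive's Enum\USBSTOR keys, the drive letters they were mounted under from SYSTEM\MountedDevices, and the file extensions a user has opened from the NTUSER RecentDocs key. It then joins the serial to the letter. The input is a `.reg` text export; the SAMPLE_REG embedded below is constructed for this example, and the vendor, serial and disk signature values in it are made up.

```python
"""Extract USB serials, mounted drive letters and recently used file types from
a Windows .reg export.  Added example; the sample export below is constructed."""
import re

def _utf16_hex(s):
    """Encode a string as MountedDevices stores USB volume paths: UTF-16LE hex bytes."""
    return ",".join(f"{b:02x}" for b in s.encode("utf-16-le"))

# Constructed sample export (all values made up for illustration).
_USB_ID = "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
_SERIAL = "4C530001230123456789&0"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\USBSTOR\\" + _USB_ID + "\\" + _SERIAL + "]",
    '"FriendlyName"="SanDisk Cruzer USB Device"',
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices]",
    '"\\\\DosDevices\\\\C:"=hex:a1,b2,c3,d4,\\',          # fixed disk: MBR signature + offset
    "  00,7e,00,00,00,00,00,00",                           # (.reg continuation line)
    '"\\\\DosDevices\\\\E:"=hex:' + _utf16_hex(
        "_??_USBSTOR#" + _USB_ID + "#" + _SERIAL + "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"),
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.docx]",
    '"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff',
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.pcap]",
    '"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff',
])

_VALUE_RE = re.compile(r'^(?:"((?:\\.|[^"])*)"|(@))=(.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _decode(value):
    """Turn a .reg value literal into str, int or bytes."""
    if value.startswith('"') and value.endswith('"'):
        return _unescape(value[1:-1])
    if value.startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^hex(?:\(\w+\))?:(.*)$", value)
    if m:
        return bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())
    return value

def parse_reg(text):
    """Parse a .reg export into {key path: {value name: decoded value}}."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith("\\") and "=" in line:   # hex value continued on the next line
            buf = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            name = _unescape(m.group(1)) if m.group(1) is not None else "@"
            keys[current][name] = _decode(m.group(3))
    return keys

_USBSTOR_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$", re.I)
_RECENT_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\(\.[^\\]+)$", re.I)

def usb_devices(keys):
    """(device id, serial, FriendlyName) for every USB mass-storage instance key."""
    out = []
    for path, values in keys.items():
        m = _USBSTOR_RE.match(path)
        if m:
            out.append((m.group(1), m.group(2), values.get("FriendlyName", "")))
    return out

def drive_letters(keys):
    """Map each \\DosDevices\\X: entry to what it pointed at.  USB volumes hold a
    UTF-16LE device path containing the USBSTOR serial; fixed disks hold a
    12-byte MBR disk signature plus partition offset."""
    out = {}
    for name, data in keys.get("HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices", {}).items():
        if not name.startswith("\\DosDevices\\") or not isinstance(data, bytes):
            continue
        letter = name.rsplit("\\", 1)[1]
        if len(data) == 12:
            out[letter] = ("mbr", f"signature {int.from_bytes(data[:4], 'little'):08x}")
        else:
            out[letter] = ("device", data.decode("utf-16-le", errors="ignore"))
    return out

def recent_file_types(keys):
    """Extensions with a RecentDocs subkey: file types the user actually opened."""
    found = [m.group(1).lower() for m in map(_RECENT_RE.match, keys) if m]
    return sorted(found)

def correlate_usb_letters(keys):
    """Join USBSTOR instances to MountedDevices by serial: which letter each stick had."""
    letters = drive_letters(keys)
    result = []
    for dev_id, serial, friendly in usb_devices(keys):
        letter = next((l for l, (kind, detail) in letters.items()
                       if kind == "device" and f"#{serial}#" in detail), None)
        result.append({"device": dev_id, "serial": serial, "name": friendly, "letter": letter})
    return result

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("recent file types:", recent_file_types(parsed))
    for row in correlate_usb_letters(parsed):
        print(row)
```

The join in `correlate_usb_letters` is the point: the USBSTOR key proves a particular stick was plugged in, but only MountedDevices tells you it was the E: drive, and a path like E:\something in a RecentDocs or MRU entry is what ties a file the user opened back to that physical device. On a live case you would run this over an export of the SYSTEM and NTUSER hives rather than the constructed sample.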