1. MRU Lists (Most Recently Used lists)
Source: the NTUSER.DAT hive of the user under investigation (when loading it into Registry Explorer, in my case c:\users\user\ntuser.dat).
Look for the Last Visited MRU key as well as RecentDocs (highlighted in the screenshot).
Each MRU list maintains the order of the most recent additions to a registry key. This order can provide valuable insights into user activity.
MRU lists help investigators understand the sequence in which data was added to a specific key.
The last write time of the key is the time the entry at the top of the MRU list (the most recent one) was added.
For example, the last write time of the RecentDocs .docx subkey most likely corresponds to the time the most recent Microsoft Office .docx file was opened. The remaining values in the MRU list give the order of earlier activity, sorted from most recent to oldest.
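Added example (not from the original write-up or from Registry Explorer) showing how the ordering described above is recorded: Windows stores the order in a REG_BINARY value named MRUListEx (little-endian DWORD indices, most recent first, terminated by 0xFFFFFFFF), and each numbered value under RecentDocs starts with the UTF-16LE file name. The value bytes, file names and last write time below are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Constructed sample of what Registry Explorer would show under
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docx
# (hypothetical file names; real values carry a shell item after the name,
# which recentdocs_name() trims at the first UTF-16 null).
SAMPLE_VALUES = {
    "0": "report.docx".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00",
    "1": "notes.docx".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00",
    "2": "budget.docx".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00",
    # MRUListEx: indices 2, 0, 1 in most-recent-first order, then the terminator
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}
SAMPLE_LAST_WRITE = datetime(2024, 3, 5, 14, 22, 7, tzinfo=timezone.utc)  # constructed

def parse_mrulistex(data: bytes) -> list[int]:
    """Return value indices in MRU order (most recent first), stopping at 0xFFFFFFFF."""
    order = []
    for off in range(0, len(data) - 3, 4):
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recentdocs_name(data: bytes) -> str:
    """Decode the null-terminated UTF-16LE file name that opens a RecentDocs value."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")

def mru_timeline(values: dict[str, bytes], key_last_write: datetime) -> list[tuple[str, str]]:
    """Order the key's entries most-recent-first; only the top entry maps to the key's last write time."""
    rows = []
    for pos, idx in enumerate(parse_mrulistex(values["MRUListEx"])):
        name = recentdocs_name(values[str(idx)])
        when = key_last_write.isoformat() if pos == 0 else "earlier (exact time not stored in this key)"
        rows.append((name, when))
    return rows

if __name__ == "__main__":
    for name, when in mru_timeline(SAMPLE_VALUES, SAMPLE_LAST_WRITE):
        print(f"{name:<14} {when}")
```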
2. Run Registry:
Online (live system) - via regedit:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Offline - via Registry Explorer:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
3. Deleted registry key values:
Leftovers from privacy cleaners can easily be viewed using Registry Explorer. Notice the deleted keys and that each of their subkeys is still visible. In every case, the original data could be recovered.
4. Collecting user information:
SAM hive: profiling users/groups
(i) Username
(ii) RID
(iii) User login information
- Last login
- Last failed login
- Login count
- Password policy
- Account creation time
(iv) Group information
- Administrators
- Users
- Remote Desktop Users
When examining the SAM hive in Registry Explorer, we can easily locate the Relative Identifier (RID) associated with a user account (in my case, the User ID column is the RID), as well as other pertinent details. For example, we can identify the RID of the Guest account as 501, which helps us track that account's activity on the system. Additionally, Registry Explorer provides insight into important timestamps, including the last login time and the time of the last password change.
Akash Patel