Monday, July 11, 2011

Windows Shellbags and Timeline Analysis

I have learned about the Windows Registry and the Shellbags, via this good post written Chad Tilbury on the Sans Computer Forensics blog.

These registry keys store the preferences of each folder that has been opened at least one time with Windows Explorer (local,remote, portable devices, etc.). Thus, the simple existence of these entries and the given timestamps indicates that the intruder accessed the resources, being useful as another source of information to perform our timeline analysis.

The article explains that there are some differences between Windows XP and Windows 7 and the author recommends the tool called Sbag from TZworks.

No comments:

Post a Comment