>> Having learned how Windows file systems work, we now start to look into one of the most important Windows artifacts, the registry, for forensic analysis.
The Windows registry is a system-defined hierarchical database; starting with Windows 95, all versions of Microsoft Windows include a registry.
Windows operating systems, applications, and their services rely on the registry to store and retrieve configuration data.
The registry contains information about hardware, user information and preferences, applications, and network configurations.
What can you possibly find from registry files?
The registry stores important information that will help your investigations.
For instance, usernames and passwords for programs, emails, and internet sites.
Internet sites visited in the past, along with access and download date and time, a record of internet queries, recently accessed files, a list of programs stored on a system, what type of USBs have been connected to the suspect machine.
The list goes on and on.
The registry organizes information in a hierarchical tree structure.
For example, HKEY_CURRENT_USER defines the preferences of the current user, ranging from environment variables and settings, printers, and network connections to application preferences.
HKEY_LOCAL_MACHINE defines the physical state of the computer, including the bus type, system memory, and installed hardware and software.
All information is stored in three parts: its name, type, and value.
Windows stores the registry in separate binary files called hives.
Forensic investigators usually dump out registry hives for analysis.
In Windows 95 and 98, the registry is comprised of Windows system.dat and user.dat.
From Windows NT and later, the registry is comprised of several hive files, system, SAM, security, and software, that are located in the Windows\System32\config directory.
These hive files store information for HKEY_LOCAL_MACHINE.
There's one NTUSER.DAT registry file for each user account.
These are located in C:\Documents and Settings\<user>, or under C:\Users.
NTUSER.DAT contains registry information for HKEY_CURRENT_USER.
Let's look at each registry hive file to find out what information you can get from these files.
SAM contains user account information and the logon passwords for all users and groups on a system.
SAM stores user information under their security identification, also known as SID.
A SID is an alphanumeric character string assigned to each user.
Windows uses SIDs to uniquely identify users and their group membership, and to grant or deny access and privileges to resources.
The last four characters in the SID, also known as the relative ID, or RID, identify specific users in the SAM file.
Therefore, forensic investigators use SAM to resolve usernames from number strings. For example, it mapped RID 1002 to Yin Pan's account.
SAM also stores the last logon time for a user.
In SAM, under the directory of the RID, under F. You can match a username stored under the RID's V value to his or her last logon time stored under the RID's F value.
Registry Viewer from FTK interprets this information automatically for you.
I will have a demo in another video.
With this information, you can find out who was logged on when an incident happened.
What information can you get from the system hive file?
The system registry hive stores the computer name, device drivers along with their drive letter mappings, system configuration and setup, and other information.
Forensic investigators use system to first determine which control set is active by expanding the registry tree to view the Select key.
Once the control set is selected, they can follow the path and get the system's name, time zone information, and the mounted devices' drive letters, under ComputerName, TimeZoneInformation, and MountedDevices.
In a forensic examination, the first step for the examiner is to identify the time zone from the suspect system and set the correct time zone for the investigation.
Using the wrong time zone will produce inaccurate timelines for every event on a suspect machine.
System also includes information such as the USB type, and when the USB was inserted into the system.
This interesting data is stored under the control set, Enum, and USBSTOR.
Besides USB type information, Windows 8 and later versions also added USB last insertion and removal timestamps, under the registry device properties.
To verify this piece of information, you can examine the Windows event log.
Since Windows 7, the Windows event log records the connection and disconnection events associated with the device.
In particular, event ID 2003 is associated with USB connected, and event ID 2100 or 2102 with USB disconnected.
With different operating systems, this event number may vary.
But this will give you an idea of what to look for.
The software registry file contains all programs along with their settings stored on the current system.
Forensic investigators use the software file to find information such as registered owner, registered organization, product ID, product name, and install date.
NTUSER.DAT is a registry file that stores user-specific information.
If users visited and accessed a restricted website or application, their confidential user credentials would be saved under protected storage information.
Other information includes, but is not limited to, recently run programs, recently opened or saved files, recently accessed networks, web browser usage and passwords, and user preference settings.
In this lecture, I only showed some examples of how registry information can help a case investigation.
To learn more registry uses for forensic analysis, I suggest you read the Registry Quick Find Chart from AccessData included in the unit resources.
Registry files are very important for investigation.
How do we access and view the registry files?
In previous units, we saw that both FTK Imager and Volatility can extract registry hives from a running machine or from system memory.
Registry Viewer from AccessData allows you to easily view registry keys and values.
Later, there's a video showing how to use Registry Viewer to analyze registry files.
EnCase parses the registry files from their directories and presents them in a familiar tree-structured view.
Registry Explorer is a free GUI-based tool to view the contents of offline registry hives.
It also provides a search function using strings or regular expressions.
RegRipper, a free tool by Harlan Carvey, is a registry analyzer working on extracted registry hives.
It uses plug-ins to retrieve, parse, and translate registry values into readable information.
The commercial tool Registry Recon collects registry data from devices or forensic images, such as an EnCase image, E01, or a dd raw image.
It provides access to registry data, both active and that which has been effectively deleted, either by system activities or malicious users.
The timelines created by Registry Recon include registry data that was active, backed up, or carved out from unallocated space.
Next, let's see how to use AccessData Registry Viewer to analyze registry files.
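The lecture above describes two SAM lookups: mapping a RID (the last sub-authority of the SID) to a username, and reading the last logon time from bytes 9 to 16 of the user key's F value. The following is an added example in Python, not code from the lecture or from any tool it names, that performs those steps on constructed data. The function names, the sample accounts, their timestamps and the F-value buffer are my own; the FILETIME layout used (offset 8 last logon, offset 24 last password change, 100-nanosecond ticks since 1601) is standard Windows behaviour. The incident-window filter at the end generalizes the lecture's "which account was logged on during the incident" question to a whole account list.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)


def filetime_to_datetime(raw: bytes):
    """Decode 8 little-endian FILETIME bytes into an aware UTC datetime.

    An all-zero value means "never" (the lecture's Guest account that has
    never logged on), so None is returned for it. Any other length is
    rejected, mirroring the Hex Interpreter when the selection is one byte
    short: no interpretation at all.
    """
    if len(raw) != 8:
        raise ValueError(f"FILETIME needs exactly 8 bytes, got {len(raw)}")
    ticks = struct.unpack("<Q", raw)[0]
    if ticks == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    ticks = ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks)


def rid_from_sid(sid: str) -> int:
    """The relative ID is the last sub-authority of the account's SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def parse_sam_f(f_value: bytes) -> dict:
    """Read the timestamps out of a SAM user key's F value.

    Offsets: bytes 8..15 last logon (the 9th to 16th byte the lecture
    points at), bytes 24..31 last password change.
    """
    if len(f_value) < 32:
        raise ValueError("F value too short to hold the timestamp fields")
    return {
        "last_logon": filetime_to_datetime(f_value[8:16]),
        "password_last_set": filetime_to_datetime(f_value[24:32]),
    }


def accounts_active_during(accounts: list, start: datetime, end: datetime) -> list:
    """(username, rid) pairs whose last logon falls inside the incident window.

    `accounts` is a list of (username, rid, f_value) tuples: the pairing of
    the V value (name) with the F value (times) that the lecture describes.
    """
    hits = []
    for name, rid, f_value in accounts:
        last_logon = parse_sam_f(f_value)["last_logon"]
        if last_logon is not None and start <= last_logon <= end:
            hits.append((name, rid))
    return hits


def _sample_f(last_logon: datetime, password_set: datetime) -> bytes:
    """Constructed F value: only the two timestamp fields are populated."""
    buf = bytearray(80)          # constructed buffer; only offsets 8..15 and 24..31 matter here
    buf[8:16] = datetime_to_filetime(last_logon)
    buf[24:32] = datetime_to_filetime(password_set)
    return bytes(buf)


# Constructed sample accounts (names and times invented for this example).
SAMPLE_ACCOUNTS = [
    ("Administrator", 500, _sample_f(datetime(2019, 1, 2, 8, 0, 0, tzinfo=UTC),
                                     datetime(2018, 12, 1, 9, 0, 0, tzinfo=UTC))),
    ("Guest", 501, bytes(80)),                        # never logged on: all-zero F
    ("Mark", 1001, _sample_f(datetime(2019, 3, 4, 4, 40, 56, tzinfo=UTC),
                             datetime(2019, 2, 10, 12, 0, 0, tzinfo=UTC))),
]
INCIDENT_WINDOW = (datetime(2019, 3, 4, tzinfo=UTC), datetime(2019, 3, 5, tzinfo=UTC))


def sample_incident_hits() -> list:
    """Accounts from the sample SAM that logged on during the sample incident."""
    return accounts_active_during(SAMPLE_ACCOUNTS, *INCIDENT_WINDOW)


if __name__ == "__main__":
    print("RID of S-1-5-21-1000-2000-3000-1002:", rid_from_sid("S-1-5-21-1000-2000-3000-1002"))
    for name, rid, f in SAMPLE_ACCOUNTS:
        print(name, rid, parse_sam_f(f))
    print("Logged on during the incident window:", sample_incident_hits())
```

The strict 8-byte check is the point the lecture makes about the Hex Interpreter: a selection that is one byte off decodes to garbage or nothing, so the parser refuses it rather than returning a plausible-looking wrong time. All decoded times are UTC; converting them to the suspect's time zone is a separate step that belongs with the SYSTEM hive's TimeZoneInformation.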
>> The Windows registry contains information about hardware, including plug and play devices, user information and preferences, applications, and the network configuration.
Examining the Windows registry is one of the most important steps for Windows forensic analysis.
In this video, we will use AccessData Registry Viewer to look into three registry hives: SAM, System, and NTUSER.DAT.
We will learn how to get important evidence from registry files.
I encourage you to try it by yourself.
We talked about five registry hive files.
So, currently, I'm using Registry Viewer.
Now, even though this is AccessData's product, they provide a demo version, a demo mode.
So, you currently see I do not have a download for the license.
So, I say I will use the demo version.
So, no dongle found.
Dongle means it's the license key.
And then I'm using the demo version of Registry Viewer.
By the way, this is one of my favorite tools to analyze registry hives.
It is so easy to use.
So, I have some hive files here; I just need to dump them into it, that's all.
Just let me move here.
So, first let's look into the SAM file.
Now, the SAM hive file contains user account information and the logon password for all users and groups on the system.
What kind of information can we glean from the SAM file?
Certainly, user account information, so I show you here that it's in Domains.
The reason I like this product is because it automatically interprets a lot of hex data in human-readable format.
So, if I look into Account, and Users, there is a list of users here.
So, if I click each one, so the first one.
You look at this pane here; this is the interpretation, okay.
This is the interpretation interpreted from the other keys and values.
So, here are the key, the type, and the value.
So, here the key name is F, the type is binary, and here is the hex value.
If you go back to look at the slides, I talk about how we interpret those values.
Now, the first one, it interprets here, so this SID number is 500, okay, and the user name is Administrator.
But that's the mapping information we can find from here.
Because if you look into Windows, usually systems only give you numbers, and the strings are for humans, right?
Or for users.
So, here you can tie that SID number. SID, this is actually RID, relative ID; the SID number is a long number, and the last four digits are the relative ID.
Map the ID to a real user name.
If you look at another one, so this 501 is Guest; those are all built-in accounts.
And here is the first real user; it's not built-in.
And the SID number is 1001, the user name is Mark.
All right.
So, this is the first information we want to get out.
And if you look at my lecture slides, I also tell you where the name is located.
The name is located in the key, in the V. So, if you scroll down to the bottom, you should see, let me make it larger.
You should see Mark here, okay, that's the name here.
And then if you want to, there's another piece of information, which is the last logon.
Last logon information.
So, it tells you Mark last logged on at this time.
At this time, okay.
The last password change time is also stored here.
But especially the last logon time is so important.
Because I have so many accounts, and which account should I focus on?
I look at the incident time and I look at the people who logged on during that incident period of time.
Like, for example, Guest is built-in and never logged on, so I can ignore that account.
And I can look at this account, when was the last logon.
So, the last logon information is so important.
Okay. Where does Registry Viewer get this information?
And I talked about it in the slides as well, during the lecture.
I said this information is in F. If you look at it, start from the ninth byte, at the ninth position, until sixteen.
So, this is byte 9, 10, 11, until 16.
And those are the time actually, the timestamps.
So, if you right-click, say Show Hex Interpreter.
It will show you here are the times.
This is where this software got it from; 4:40:56.
So, this is interpreting this hex code.
By the way, you have to read really precisely to tell what the bytes are.
Because if I say I have made a mistake, one byte short, if you want, say I want to interpret, you wouldn't see anything, because it's not meaningful for the Hex Interpreter to interpret that.
So, that's why you have to know exactly how many bytes and where the position is to interpret that.
All right, so from here we know the mapping between the user and the ID, the SID number, and then the user name.
And also, very importantly, the last logon time.
So, Registry Viewer very, very nicely interprets the key and the value information in this pane.
That's why I really, really like this tool.
So, this is the SAM, and even though it includes other information, I leave the other stuff up to you to explore.
And then let's move on to the next file.
Let's look into SAM, we have looked at the SAM file, let's look at the System file.
So, we just dump it into that and it says, are you sure you want to close the original file, SAM?
And I say yes.
Okay, now so we see the System file now.
What does the System registry hive contain?
So, the System registry hive stores the computer name, device drivers, system configuration and setup information, including the time zone information and others.
So, let's look into a couple of features from this system hive file.
Now, if you look at this list, the first thing you need, so in this case I only have a ControlSet001, but in most cases you will see ControlSet001, ControlSet002; there are multiple different control sets.
I don't know which one the system is using right now, because if the system you're using is ControlSet001, we should look into ControlSet001.
So, for this one you can first try to look into Select.
And it tells you first the Current; in this case certainly only one.
It says Current is 001; sometimes by default 002 is the last. That also tells you the last known good one, which version is that?
Okay. So, we find out, okay, currently this image uses ControlSet001.
So, now if I analyze the system hive, I need to analyze ControlSet001.
Okay. So, if you look into that, what kind of information can we find?
So, we get into many other things; I only show you a couple of important things as examples.
So, going down you can see the computer's name.
So, here again the ComputerName is the string type.
And this is the ComputerName.
And then what other information can we find?
Again, there is a lot, but I just pick some interesting information to look into.
All right, time zone information, this is very, very important.
I emphasized in the lecture that when we analyze a case, the first thing we need is to set up our forensics machine to read the same time zone as the suspect image.
The image we created, right?
Because we have to have a consistent timeline.
Otherwise, those times are obscured and then the evidence is not interpreted, right.
So, in this, in here, we look into the time zone; this is Eastern Standard Time.
So, in that sense, now the first thing when we create a case, actually when you later practice those GUI-based forensics analysis tools, the first step, which you cannot even skip, is to select the time zone.
So, here is the information.
How do you get it?
Say, how do I know for this image what time zone that image was set to, right?
So, you can find it from here, okay.
Now, the other information, for example, let's see, MountedDevices, that's also very important. Those are the devices that you mounted.
So, that means you can identify information and see even which drive it was mounted on, which letter, A or D. So, you know when the image was taken, actually those are the previously mounted network mounts or other mounted devices.
So, that's also a very important piece.
And then, another thing I want to talk about is USB plug-ins.
So, let's say in this case image we cannot find crucial evidence to support it.
So, you're wondering, maybe some information is missing, okay, maybe I did not even find that information.
And USB, okay, USB is portable, and then the suspect can plug it into the machine, do something only on the USB and then remove the USB, that's it; it does not leave evidence on the system, all right.
So, now nicely enough, the registry recorded the information of what type of USB was plugged in and at what time.
So, this information resides in, if you go into Enum and then USBSTOR.
USBSTOR. So, in this case, I have two USBs here that were plugged into that.
So, it currently says to me that you don't have the USB plugged into it.
So, if I look at the first one, okay, so it tells you what type of USB; so this is the friendly name, it recognizes the type of USB.
And if we look at the second one, so this is SanDisk Cruzer Blade USB Device. So, it tells you what type of USB device was plugged in.
Now, the timeline, interestingly, you can find out in the Properties.
Now, I did not talk about it in detail; I just said you can find, since Windows 8, you can find out plug-in information, the last insertion and the last removal.
But I did not talk about the details in the lecture, because I have to show the demo.
So, if you look into the properties and you look for property number 0066 and 0067, you can look through the other stuff; it's not there, not there, right?
So, it's always in the 66 and 67.
If we look at 66, certainly the AccessData Registry Viewer already interprets that for you.
This says there's a hex value.
This hex value, it is a time; it is a time you can highlight and interpret.
Okay, it's a time.
So, this time is the last time this USB was plugged into the machine.
Last time, and then 0067 is the last time this USB was unplugged from the machine.
Now, those two pieces of information, if that information lines up with the incident time you are investigating, you can request, all right, you certainly should request this USB, because there's an insertion time and then a deletion time.
And you can even identify, because you can even identify the unique ID of this USB, and I will not go through this detail, but at least 66 and 67, that's the last time this was inserted.
This is the last time this USB was removed.
And I think some locations, 64, 65, basically talk about the first time this USB was plugged in on that, but it looks like the first time and the last time are the same, so this USB was only plugged in once.
All right, so this information is crucial information to analyze for each one, if this image is from Windows 8 and later.
Okay, in earlier versions of Windows, they do have the plug-in information, but do not record a time; like in this first USB you can also find there's a 66 and a 67, okay.
So, this one is plugged in, when this is removed.
So, okay, that's very important information.
So, then I will stop here and then let's look at the next one.
So, basically I just want to show you some key components and then you can play by yourself for fun.
So, here I recorded Mark's NTUSER.DAT. Now, what is NTUSER.DAT?
If you believe Mark is the one who logged in, based on the SAM information, now you want to look into Mark's NTUSER.DAT.
Because this NTUSER.DAT is specifically for Mark.
That stores Mark's specific information.
Such as what file he has recently run or saved, and which URL he has typed, and all sorts of that information. It resides, very richly, stored in this registry file.
Now, another feature I want to show you is find.
The find feature.
There are lots of features to go explore by yourself.
But there's a find feature.
Because unless you know what the key name is, and then which path to go, right?
Because in the previous case it's not deeply embedded, that's why I'm going through the root and I'm going down.
But for example, I want to find out the key value TypedURLs.
And I think the NTUSER.DAT is such a busy, busy hive file and contains so much information, I don't want to go through each tree to find it.
Again, the reference file I give you from AccessData, they do give you the tree path.
So, if you like you can follow the tree, but here I just want to show you another feature, it's a find feature, it's very useful. So you want to search this, actually this is a key, but here I say I want to search this key value and the data, all I want to search, all those things, but actually this is a key, even though you just leave that on, no problem.
If you spelled it right, okay, you have to spell it right, and it will be able to find it.
So, let's look at how deep into the tree, right?
So you can see this TypedURLs.
What is that?
And this is the URL you visited, not you, the image, the person, in this case is Mark.
Mark visited URL1, that's the most recent one; URL2 is the next one.
The previous one before URL1.
So, those are URLs.
And sometimes if the URLs require a password to get into, you also have this information stored in the registry, but certainly you have to decrypt the password.
Okay. Now what are the times this URL was visited?
Nicely, Registry Viewer already interpreted that for you.
So, this is the last, this is for the URL and when is the time. So, if you look into URL1 that's the time URL1 was accessed, and this is URL2.
So, here are the TypedURLs and here are the TypedURLsTime.
There is a lot more information.
Another one is RecentDocs.
See, I want to show you, but it crashed in this demo version.
So, I'm just not able to.
I do have a licensed version; I want to try over there whenever I get the chance.
But for this demo version it crashed.
What I want to show you is the RecentDocs, recently what files you accessed.
Okay, and it's categorized into numbers.
Each number is a folder, and that folder separates the different extensions.
Like .doc is in one place, .txt is in one place, and then it lists all the .docs in one folder with the most recently run in front.
So, it's interesting, see, but again, I'm not able to show you in this Registry Viewer.
How do you practice by yourself when you learn registry files?
You can export those registry files from FTK Imager.
Okay, any image, if you have Windows running, then you just view the image and then export those registry hives; you can find them in the drive and then export.
Once you export, definitely you can use this AccessData Registry Viewer.
Unfortunately, today it's not supported on the AccessData website anymore.
So, I don't have a very secure location for you to download from.
But if you search Registry Viewer Demo Version, a free version, you still can download it.
And I will show you the MD5 and SHA-1, so make sure once you download it that the MD5 or SHA-1 matches, and you still can use that.
So, in here I did only use the demo version.
Oh, I see, I see why it crashed.
And now I got it.
Because the demo version only supports a fewer number, like 5000 files or less.
And then, when I click into the RecentDocs, it has too many, yeah, more than 5, it must be the image has passed that limit, that's why it crashed, yeah.
But you can also try other tools.
For example, one is called Registry Explorer by Eric Zimmerman.
Now, those are free tools, so I'm very hesitant to tell you to use them or not; it's at your own risk.
Once again, I really don't know about those free tools, whether they have something installed, or what they have for you or not, so I cannot guarantee those things, but there are free tools there.
If you look at the Helix CD under incident response, actually they also have a Registry Viewer that allows you to view the current registry keys and values.
So, there are a couple of free ones to use, but once again AccessData's Registry Viewer is my favorite, because it not only looks into the key values; for lots of other tools, it just lets you look at the key and the values, and interpret.
You have to interpret.
Okay? By the way, if you do not have AccessData Registry Viewer, how do you interpret hex data to ASCII? There's one free program called DCODE, d-c-o-d-e, DCODE.
That one, once you input hex, it will interpret if this is a timestamp, or that information; it will interpret that for you.
So, that's also for free.
All right.
So, I think I will stop here, and I just only touched a little bit, but hopefully this examination, demonstration will lead you to explore more in registry files.
And I cannot emphasize more the importance of the registry, because sometimes 70 or 80% of evidence is gleaned from registry files.
That's no surprise, because Windows puts everything into the registry.
All right, so that's it and hopefully you'll enjoy it.
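The demo above reads three things from the System hive: Select\Current to pick the live control set, TimeZoneInformation to put timestamps in the suspect machine's zone, and the USBSTOR device properties 0066 and 0067 for last insertion and last removal. Below is an added example in Python, not code from the lecture or from Registry Viewer, that decodes those values from constructed sample data and then asks the demo's question: does the device's plugged-in interval overlap the incident window? The function names, the sample values and the incident window are my own; the conversion uses ActiveTimeBias, the TimeZoneInformation field that records minutes from local time to UTC (assumed here to be 300, Eastern Standard Time without daylight saving). A pre-Windows 8 device, which lists the device but carries no 0066/0067 times, is included to show the failure mode the speaker mentions.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)   # FILETIME epoch, 100 ns ticks


def filetime_to_datetime(raw: bytes):
    """8 little-endian FILETIME bytes -> aware UTC datetime (None if zero)."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME needs exactly 8 bytes, got {len(raw)}")
    ticks = struct.unpack("<Q", raw)[0]
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse helper, used only to build the constructed sample values."""
    return struct.pack("<Q", ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10)


def current_control_set(select_current: int) -> str:
    """Select\\Current is a DWORD; 1 means the live configuration is ControlSet001."""
    if not 1 <= select_current <= 999:
        raise ValueError(f"implausible Select\\Current value: {select_current}")
    return f"ControlSet{select_current:03d}"


def to_suspect_local(dt_utc: datetime, active_time_bias_minutes: int) -> datetime:
    """Shift a UTC timestamp into the suspect machine's zone.

    TimeZoneInformation\\ActiveTimeBias holds the minutes to ADD to local
    time to reach UTC (300 for Eastern Standard Time), so local = UTC - bias.
    """
    return dt_utc.astimezone(timezone(timedelta(minutes=-active_time_bias_minutes)))


# Device-property ids the demo reads under a USBSTOR device instance.
LAST_ARRIVAL, LAST_REMOVAL = "0066", "0067"


def usb_activity(friendly_name: str, props: dict) -> dict:
    """Decode last insertion / last removal from a device property bag.

    `props` maps property id -> raw FILETIME bytes; missing ids are normal
    on pre-Windows 8 hives, which keep the device but not the times.
    """
    arrival = props.get(LAST_ARRIVAL)
    removal = props.get(LAST_REMOVAL)
    return {
        "device": friendly_name,
        "last_arrival": filetime_to_datetime(arrival) if arrival else None,
        "last_removal": filetime_to_datetime(removal) if removal else None,
    }


def intersects_incident(activity: dict, start: datetime, end: datetime) -> bool:
    """True if the device's last plugged-in interval overlaps [start, end].

    No arrival time: nothing to place on the timeline, so False.
    No removal time (or removal before arrival): treat as still attached.
    """
    arrival, removal = activity["last_arrival"], activity["last_removal"]
    if arrival is None:
        return False
    if removal is None or removal < arrival:
        removal = end
    return arrival <= end and removal >= start


# Constructed sample data (every value below is invented for this example).
SELECT_CURRENT = 1
ACTIVE_TIME_BIAS = 300          # assumption: Eastern Standard Time, no DST
SANDISK_PROPS = {
    LAST_ARRIVAL: datetime_to_filetime(datetime(2019, 3, 4, 9, 12, 0, tzinfo=UTC)),
    LAST_REMOVAL: datetime_to_filetime(datetime(2019, 3, 4, 9, 47, 0, tzinfo=UTC)),
}
OLD_HIVE_PROPS = {}             # pre-Windows 8: device listed, no 0066/0067
INCIDENT = (datetime(2019, 3, 4, 9, 0, tzinfo=UTC), datetime(2019, 3, 4, 10, 0, tzinfo=UTC))


def sample_report() -> dict:
    """Run the three checks over the constructed data; returned so it can be tested."""
    sandisk = usb_activity("SanDisk Cruzer Blade USB Device", SANDISK_PROPS)
    old = usb_activity("Generic USB Device", OLD_HIVE_PROPS)
    return {
        "control_set": current_control_set(SELECT_CURRENT),
        "sandisk_arrival_local": to_suspect_local(sandisk["last_arrival"], ACTIVE_TIME_BIAS).isoformat(),
        "sandisk_in_window": intersects_incident(sandisk, *INCIDENT),
        "old_device_in_window": intersects_incident(old, *INCIDENT),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Keeping the decoded values in UTC and converting only for display follows the lecture's point about time zones: every artifact on the timeline is compared in one zone, and the suspect's own ActiveTimeBias is applied once, at the end, rather than being guessed per artifact. The pre-Windows 8 case returns False rather than raising, because an absent timestamp is an expected condition on older hives, not a parsing error.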
And then, another thing I want to talk about is USB plug-ins.
So, let's say we found this image, and we cannot find crucial supporting evidence.
So, you wonder, maybe some information is missing; okay, maybe I did not even find that information.
And USB, okay, USB is portable, and then the suspect can plug it into the machine, do something only on the USB and then remove the USB, that's it; it does not leave evidence on the system, all right.
So, now, nicely enough, the registry recorded the information of what type of USB was plugged in and at what time.
So, this information resides, if you go into Enum and then USBSTOR.
USBSTOR. So, in this case, I have two USBs here that were plugged into that.
So, currently it says to me that you don't have the USB plugged into it.
So, if I look at the first one, okay, so it tells you what type of USB; so this is that type of friendly name, it recognizes the type of USB.
And if we look at the second one, this is a SanDisk Cruzer Blade USB Device. So, it tells you what type of USB device was plugged in.
Now, the timeline, interestingly, you can find out in the properties.
Now, I did not talk about it in detail; I just said you can find, since Windows 8, you can find out plug-in information, the last insertion and the last removal.
But I did not talk about the details in the lecture, because I have to show the demo.
So, if you look into the properties and you look for property number 066 and 67, you can look through the other stuff: it's not there, not there, right?
So, it's always in the 66 and 67.
If we look at 66, certainly the Access Data Registry Viewer already interprets that for you.
This talks about there being a hex value.
This hex value, it is a time; it is a time you can highlight and interpret.
Okay, it's a time.
So, this time is the last time this USB was plugged into the machine.
Last time, and then 0067 is the last time this USB was unplugged from the machine.
Now, those two pieces of information, if that information lines up with the incident time you are investigating, you can request, all right, you certainly should request this USB, because there's the insertion time and then the deletion time.
And you can even identify, because you can even identify the unique ID of this USB, and I will not go through this detail, but at least 66 and 67: that's the last time this was inserted.
This is the last time this USB was removed.
And I think some location, 64, 65, basically talks about this being the first time this USB was plugged in; but it looks like the first time and the last time are the same, so this USB was only plugged in once.
All right, so this information is crucial information to analyze for each one, if this image is from Windows 8 and later.
Okay, in early versions of Windows, they do have the plug-in information, but do not record a time; like in this first USB you can also find there's a 66 and a 67, okay.
So, this one is plugged in, when this is removed.
So, okay, that's very important information.
So, then I will stop here and then let's look at the next one.
So, basically I just want to show you some key components, and then you can play by yourself for fun.
So, here I recorded Mark's NTUSER.DAT. Now, what is NTUSER.DAT?
If you believe Mark is the one who logged into that, based on that information, now you want to look into Mark's NTUSER.DAT.
Because this NTUSER.DAT is specifically for Mark.
That stores Mark's specific information.
Such as what file he has recently run or saved, and which URL he has typed, and all sorts of that information; it resides very richly, stored in this registry file.
Now, another feature I want to show you is find.
The find feature.
There are lots of features to go explore by yourself.
But there's a find feature.
Because unless you know what the key name is, and then which path to go, right?
Because in the previous case it's not deeply embedded, that's why I'm going through the route and I'm going down.
But for example, I want to find out the key value, the TypedURLs.
And I think the NTUSER.DAT is such a busy, busy hive file and contains so much information; I don't want to go through each tree to find it.
Again, the reference file I gave you from Access Data, they do give you the tree path.
So, if you like you can follow the tree, but here I just want to show you another feature, the find feature; it's very useful, so you want to search this. Actually this is a key, but here I say I want to search this key, value and data, all: I want to search all those things, but actually this is a key, even though you just leave that on, no problem.
If you spelled it right, okay, you have to spell it right, it will be able to find it.
So, let's look at how deep into the tree, right?
So you can see this TypedURL.
What is that?
And this is the URL you visited, not you, the image, the person, in this case is Mark.
Mark visited URL1, that's the most recent one; URL2 is the next one, the one previous to URL1.
So, those are URLs.
And sometimes, if the URLs require a password to get into, you also have this information stored in the registry, but certainly you have to decrypt the password.
Okay. Now, what are the times this URL was visited?
Nicely, Registry Viewer already interpreted that for you.
So, this is the last, this is for the URL and when is the time; so, if you look into URL1, that's the time URL1 was accessed, and this is URL2.
So, here are the TypedURLs and here are the TypedURLs times.
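The interpretation step the lecture leaves to Registry Viewer or DCODE, for both the USBSTOR property values (0064/0066/0067) and the TypedURLsTime values, is the same decoding of an 8-byte Windows FILETIME. The block below is an added example written for this page; it is not the lecturer's code or any tool's code. It assumes the property-index meanings as the lecture states them (0064 first install, 0066 last arrival, 0067 last removal), and all hive values it works on are constructed sample bytes, not artifacts from the lecture's image. It also adds the check the lecture describes in words: whether a device's last arrival and removal fall inside the incident window under investigation.

```python
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# In the registry it is stored as an 8-byte little-endian REG_BINARY value,
# which a viewer shows as 16 hex digits.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Well-known reference value: 1970-01-01 00:00:00 UTC expressed as FILETIME ticks
# (11644473600 seconds * 10,000,000 ticks per second).
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000

# USBSTOR device property indices as described in the lecture (Windows 8 and later):
# 0064 first install, 0065 install, 0066 last arrival, 0067 last removal.
USB_PROPERTY_LABELS = {
    "0064": "first_install",
    "0065": "install",
    "0066": "last_arrival",
    "0067": "last_removal",
}


def utc(year, month, day, hour=0, minute=0, second=0):
    """Small helper so sample data and checks can build UTC datetimes tersely."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    ticks = int.from_bytes(raw, "little")
    # datetime only resolves microseconds, so the last (100 ns) digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def hex_to_datetime(hex_text):
    """Decode the spaced hex string a registry viewer displays for a binary value."""
    return filetime_to_datetime(bytes.fromhex(hex_text.replace(" ", "")))


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; used here only to construct sample values."""
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return ticks.to_bytes(8, "little")


def summarize_usb_device(friendly_name, properties):
    """Turn a device's Properties values (index -> raw FILETIME bytes) into a timeline."""
    summary = {"device": friendly_name}
    for index, label in USB_PROPERTY_LABELS.items():
        raw = properties.get(index)
        summary[label] = filetime_to_datetime(raw) if raw else None
    # Equal first-install and last-arrival times mean only one recorded connection,
    # which is how the lecture reads matching 0064 and 0066 values.
    summary["connected_once"] = (
        summary["first_install"] is not None
        and summary["first_install"] == summary["last_arrival"]
    )
    return summary


def overlaps_incident(summary, window_start, window_end):
    """True when the last arrival..removal interval intersects the incident window."""
    arrival, removal = summary["last_arrival"], summary["last_removal"]
    if arrival is None:
        return False
    # No removal recorded (device still attached at imaging time): open interval.
    end = removal if removal is not None else window_end
    return arrival <= window_end and end >= window_start


def typed_urls_timeline(typed_urls, typed_urls_time):
    """Pair TypedURLs\\urlN with TypedURLsTime\\urlN; url1 is the most recent entry."""
    ordered = sorted(typed_urls, key=lambda name: int(name[3:]))
    return [
        (name, typed_urls[name],
         filetime_to_datetime(typed_urls_time[name]) if name in typed_urls_time else None)
        for name in ordered
    ]


# Constructed sample data standing in for values read from a hive; these are not
# artifacts from the lecture's image.
SAMPLE_USB_PROPERTIES = {
    "0064": datetime_to_filetime(utc(2018, 3, 5, 14, 2, 7)),
    "0065": datetime_to_filetime(utc(2018, 3, 5, 14, 2, 7)),
    "0066": datetime_to_filetime(utc(2018, 3, 5, 14, 2, 7)),
    "0067": datetime_to_filetime(utc(2018, 3, 5, 14, 41, 0)),
}
SAMPLE_TYPED_URLS = {"url1": "http://www.example.com/", "url2": "http://example.net/login"}
SAMPLE_TYPED_URLS_TIME = {
    "url1": datetime_to_filetime(utc(2018, 3, 5, 14, 20, 0)),
    "url2": datetime_to_filetime(utc(2018, 3, 4, 9, 15, 30)),
}

if __name__ == "__main__":
    usb = summarize_usb_device("SanDisk Cruzer Blade USB Device", SAMPLE_USB_PROPERTIES)
    print(usb)
    print("in incident window:", overlaps_incident(usb, utc(2018, 3, 5, 14, 30), utc(2018, 3, 5, 15)))
    for name, url, when in typed_urls_timeline(SAMPLE_TYPED_URLS, SAMPLE_TYPED_URLS_TIME):
        print(name, url, when)
```

When working from a real hive, the raw bytes passed to these functions would come from the REG_BINARY values under the device's Properties subkeys and under TypedURLsTime; the decoded times are UTC, so convert to the machine's time zone before comparing with wall-clock incident reports.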
There is lots more information.
Another one is recent docs.
See, I want to show you, but it crashed in this demo version.
So, I'm just not able to.
I do have a licensed version; I want to try it over there whenever I get a chance.
But, for this demo version, it crashed.
What I want to show you is the recent docs: recently, what files you accessed.
Okay, and it's categorized into numbers.
Each number is a folder, and that folder is separated into different extensions.
Like .doc is in one place, .txt is in one place, and then it lists all the .docs in one folder with the most recently run in front.
So, it's interesting, see, but again, I'm not able to show you in this Registry Viewer. How do you practice by yourself when you want to learn registry files?
You can export those registry files from FTK Imager.
Okay, any image: if you have Windows running, then you just view the image and then export those registry hives; you can find that in the drive and then export.
Once you export, definitely you can use this Access Data Registry Viewer.
Unfortunately, today it is not supported on the Access Data website anymore.
So, I don't have a very secure location for you to download it from.
But if you search for Registry Viewer Demo Version, a free version, you still can download it.
And I will show you the MD5 and SHA-1, so make sure once you download it that the MD5 or SHA-1 matches, and you still can use that.
So, in here I did only use the demo version.
Oh, I see, I see why it crashed.
And now I got it.
Because the demo version only supports a smaller number, like 5000 files or less.
And then, when I click into the recent docs, it has too many, yeah, more than 5; it must be, the image has passed that limit, that's why it crashed, yeah.
But, you can also try other tools.
For example, one is called Registry Explorer by Eric Zimmerman.
Now, those are free tools, so I'm very hesitant to tell you to use them or not; it's at your own risk.
Once again, I really don't know about those free tools, whether they have something installed, or what they have for you or not, so I cannot guarantee those things, but there are free tools there.
Reposted from: https://www.cnblogs.com/sec875/articles/10015695.html