I am not an expert. I have never claimed to be an expert at anything
(at least not seriously done so), least of all an expert in forensic
analysis. I am not an expert in Windows Registry analysis. I am
simply, by profession, a responder and analyst with some work
and research experience in this area. I have also performed a
number of analysis engagements, in which information found
as part of Registry analysis has played a rather significant role. In
one such engagement, Registry analysis allowed me to provide
a compelling argument to demonstrate that files known to contain
credit card data had been neither found nor accessed by an
intruder, thereby reducing the subsequent costs (with respect to
notification and fines) to the customer. I have assisted with providing
information to demonstrate that certain user accounts
had been used to access certain files. More importantly, I have
worked through the process of sharing what I have seen with others,
by writing this book and sharing what I’ve observed from a
practitioner’s perspective. I am not an expert.
When I sat down to write this book, I did so because even in
the year 2010, I am amazed at the number of analysts with whom
I speak that have no apparent idea of the forensic value of the
Windows Registry. Sometimes, when I talk to someone about
demonstrating that a user account was used to view files, I get a
blank stare. Or after talking about tracking USB devices across
systems and no one asks any questions, I get approached by a
dozen of the folks from the presentation, between the podium
and my exit. It seems that, in many instances, the “abandon
hope, all ye who enter here” warning that Microsoft displays on
its knowledge base articles regarding the Registry really do a good
job . . . of keeping the good guys out, as well as from “digging”
or investigating. Sadly, there’s nothing in that admonition that
states, “oh, yeah . . . the bad guys are all up in yer Registry!” As
a result, many analysts are consistently behind the power curve,
learning from the bad guys the new uses for the Registry (persistence,
data and executable storage, and so on), often months
after they have been established and used.
