ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Windows 7" and "Cyber Threat Intelligence"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(NTUSER Registry)
 
 
Line 1: Line 1:
 +
{{expand}}
  
 +
Note that the term cyber is arguable misused [http://en.wikipedia.org/wiki/Internet-related_prefixes] and in this context "Cyber Threat Intelligence" should be considered "Digital Threat Intelligence", "Internet Threat Intelligence" or equivalent.
  
== File Structure ==  
+
== Standards ==
File systems are covered separately.
+
* IODEF
 +
* OpenIOC
 +
* Stix/Cybox
  
== SSD ==
+
=== IODEF ===
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
+
  
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:  
+
=== OpenIOC ===
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
+
Cons:
 +
* Very Mandiant product centric standard
  
+
=== Stix/Cybox ===
  
 +
== External Links ==
 +
* [http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx Driving a Collectively Stronger Security Community with Microsoft Interflow], by Jerry Bryant, June 23, 2014
  
== Jump Lists ==
+
=== IODEF ===
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
+
* [http://tools.ietf.org/html/rfc5070 RFC 5070 - The Incident Object Description Exchange Format]
  
== Registry ==  
+
=== OpenIOC ===
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
+
* [http://www.openioc.org/ The OpenIOC framework]
  
=== Known Registry keys of forensic interest ===
+
=== Stix/Cybox ===
 +
* [http://cybox.mitre.org/ Cyber Observable eXpression]
 +
* [https://stix.mitre.org/ Structured Threat Information eXpression]
  
====SAM Registry====
+
== Tools ==
*SAM\SAM\Domains\Account\Users
+
* [[Mantis]]
*SAM\Domains\Builtin\Aliases
+
 
+
 
+
====Security Registry====
+
 
+
*Security\Policy\PolAcDmSPolicy\PolPrDmS
+
*Security\Policy\PolAdtEv
+
*Security\Policy\Secrets
+
 
+
====NTUSER Registry====
+
*NTUSER\Control Panel\Desktop
+
*NTUSER\Control Panel\don\
+
*NTUSER\Environment
+
*NTUSER\Network
+
*NTUSER\Printers\Settings\Wizard\ConnectMRU
+
*NTUSER\Software\Adobe\Acrobat Reader\Software\Adobe\Acrobat Reader\
+
*NTUSER\Software\Ahead
+
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
+
*NTUSER\Software\Ares
+
*NTUSER\Software\bindshell.net\Odysseus
+
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
+
*NTUSER\Software\Cain\Settings
+
*NTUSER\Software\DECAFme
+
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
+
*NTUSER\Software\Google\NavClient\1.1\History
+
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
+
*NTUSER\Software\JavaSoft\Prefs\haven
+
*NTUSER\Software\Microsoft
+
*NTUSER\Software\Microsoft\Command Processor
+
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
+
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
+
*NTUSER\Software\Microsoft\Internet Explorer\Main
+
*NTUSER\Software\Microsoft\Internet Explorer\MainSoftware\Microsoft\Windows\CurrentVersion\Explorer\AutoCompleteSoftware\Microsoft\Internet Account Manager\Accounts
+
*NTUSER\Software\Microsoft\Internet Explorer\Settings
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
+
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
+
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
+
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
+
*NTUSER\Software\Microsoft\Multimedia\OtherSoftware\Microsoft\CTF\LangBarAddIn
+
*NTUSER\Software\Microsoft\Office\14.0Software\Microsoft\Office\14.0
+
*NTUSER\Software\Microsoft\Office\Software\Microsoft\Office\
+
*NTUSER\Software\Microsoft\OfficeSoftware\Microsoft\Office\
+
*NTUSER\Software\Microsoft\PIMSRV
+
*NTUSER\Software\Microsoft\Search Assistant\ACMru
+
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
+
*NTUSER\Software\Microsoft\Terminal Server Client\DefaultSoftware\Microsoft\Terminal Server Client\Servers
+
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
+
*NTUSER\Software\Microsoft\User Location Service\Client
+
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
+
*NTUSER\Software\Microsoft\Windows Live Mail
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
+
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Internet Explorer\Main\WindowsSearch
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
+
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
+
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
+
*NTUSER\Software\Nico Mak Computing\WinZip
+
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
+
*NTUSER\Software\ORL\VNCviewer\MRUSoftware\RealVNC\VNCViewer4\MRU
+
*NTUSER\Software\Piriform\CCleaner
+
*NTUSER\Software\Privoxy
+
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
+
*NTUSER\Software\RealVNC\VNCViewer4\MRU
+
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
+
*NTUSER\Software\Skype
+
*NTUSER\Software\SmartLine Vision\aports
+
*NTUSER\Software\SysInternals
+
*NTUSER\Software\Sysinternals\RootkitRevealer
+
*NTUSER\Software\VMware
+
*NTUSER\Software\WinRAR\ArcHistory
+

Revision as of 07:18, 25 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Note that the term cyber is arguable misused [1] and in this context "Cyber Threat Intelligence" should be considered "Digital Threat Intelligence", "Internet Threat Intelligence" or equivalent.

Standards

  • IODEF
  • OpenIOC
  • Stix/Cybox

IODEF

OpenIOC

Cons:

  • Very Mandiant product centric standard

Stix/Cybox

External Links

IODEF

OpenIOC

Stix/Cybox

Tools