Difference between pages "Windows 7" and "Cyber Threat Intelligence"

From ForensicsWiki

= Windows 7 =

== File Structure ==

File systems are covered separately.

== SSD ==

Per Microsoft [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD, automatic defragmentation and SuperFetch/prefetching are disabled. Expect the Prefetch directory (%SystemRoot%\Prefetch) to hold few or no .pf files on such systems; this is the installation default, not a sign of anti-forensic clean-up.

Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:

<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>

== Jump Lists ==

[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8). They are stored per user as .automaticDestinations-ms and .customDestinations-ms files under %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations and %APPDATA%\Microsoft\Windows\Recent\CustomDestinations.

== Registry ==

The [[Windows_Registry]] remains a central component of the Windows 7 operating system.

=== Known Registry keys of forensic interest ===

Paths below are given with the hive they live in as the first component (SAM, Security, or the per-user NTUSER.DAT).

====SAM Registry====
*SAM\SAM\Domains\Account\Users
*SAM\SAM\Domains\Builtin\Aliases

====Security Registry====
*Security\Policy\PolAcDmS
*Security\Policy\PolPrDmS
*Security\Policy\PolAdtEv
*Security\Policy\Secrets

====NTUSER Registry====
*NTUSER\Control Panel\Desktop
*NTUSER\Control Panel\don\
*NTUSER\Environment
*NTUSER\Network
*NTUSER\Printers\Settings\Wizard\ConnectMRU
*NTUSER\Software\Adobe\Acrobat Reader
*NTUSER\Software\Ahead
*NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
*NTUSER\Software\Ares
*NTUSER\Software\bindshell.net\Odysseus
*NTUSER\Software\Blizzard Entertainment\Warcraft III\String
*NTUSER\Software\Cain\Settings
*NTUSER\Software\DECAFme
*NTUSER\Software\Google\Google Toolbar\4.0\whitelist
*NTUSER\Software\Google\NavClient\1.1\History
*NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
*NTUSER\Software\JavaSoft\Prefs\haven
*NTUSER\Software\Microsoft
*NTUSER\Software\Microsoft\Command Processor
*NTUSER\Software\Microsoft\CTF\LangBarAddIn
*NTUSER\Software\Microsoft\Dependency Walker\Recent File List
*NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
*NTUSER\Software\Microsoft\Internet Account Manager\Accounts
*NTUSER\Software\Microsoft\Internet Explorer\Main
*NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
*NTUSER\Software\Microsoft\Internet Explorer\Settings
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
*NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
*NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
*NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
*NTUSER\Software\Microsoft\Multimedia\Other
*NTUSER\Software\Microsoft\Office
*NTUSER\Software\Microsoft\Office\14.0
*NTUSER\Software\Microsoft\PIMSRV
*NTUSER\Software\Microsoft\Search Assistant\ACMru
*NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
*NTUSER\Software\Microsoft\Terminal Server Client\Default
*NTUSER\Software\Microsoft\Terminal Server Client\Servers
*NTUSER\Software\Microsoft\User Location Service\Client
*NTUSER\Software\Microsoft\Windows Live Contacts\Database
*NTUSER\Software\Microsoft\Windows Live Mail
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
*NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
*NTUSER\Software\Microsoft\Windows\CurrentVersion
*NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
*NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
*NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
*NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
*NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
*NTUSER\Software\Nico Mak Computing\WinZip
*NTUSER\Software\ORL\VNCHooks\Application_Prefs
*NTUSER\Software\ORL\VNCviewer\MRU
*NTUSER\Software\Piriform\CCleaner
*NTUSER\Software\Privoxy
*NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
*NTUSER\Software\RealVNC\VNCViewer4\MRU
*NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
*NTUSER\Software\Skype
*NTUSER\Software\SmartLine Vision\aports
*NTUSER\Software\SysInternals
*NTUSER\Software\Sysinternals\RootkitRevealer
*NTUSER\Software\VMware
*NTUSER\Software\WinRAR\ArcHistory

= Cyber Threat Intelligence =

{{expand}}

Note that the term cyber is arguably misused [http://en.wikipedia.org/wiki/Internet-related_prefixes] and in this context "Cyber Threat Intelligence" should be considered "Digital Threat Intelligence", "Internet Threat Intelligence" or equivalent.

== Standards ==

* IODEF
* OpenIOC
* Stix/Cybox

=== IODEF ===

The Incident Object Description Exchange Format is an IETF XML schema (RFC 5070) for exchanging incident reports between CSIRTs.

=== OpenIOC ===

Mandiant's XML format for indicators of compromise: an indicator is a boolean (AND/OR) tree of IndicatorItems, each naming an artifact attribute (for example FileItem/Md5sum) and the value to compare it against.

Cons:

* Very Mandiant product-centric standard

=== Stix/Cybox ===

STIX is MITRE's structured language for threat information (indicators, TTPs, campaigns, threat actors); CybOX is the companion observables language it uses to describe artifacts such as files, addresses and registry keys.

== External Links ==

* [http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx Driving a Collectively Stronger Security Community with Microsoft Interflow], by Jerry Bryant, June 23, 2014

=== IODEF ===

* [http://tools.ietf.org/html/rfc5070 RFC 5070 - The Incident Object Description Exchange Format]

=== OpenIOC ===

* [http://www.openioc.org/ The OpenIOC framework]

=== Stix/Cybox ===

* [http://cybox.mitre.org/ Cyber Observable eXpression]
* [https://stix.mitre.org/ Structured Threat Information eXpression]

== Tools ==

* [[Mantis]]
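As an added example for the OpenIOC entry above (not code from the original page or from Mandiant), the following parses a constructed OpenIOC 1.0 document and evaluates its AND/OR indicator tree against a host observation. The indicator, its ids, hash, file name and size are all made up for illustration; only the element layout and the namespace follow the OpenIOC 1.0 schema.

```python
"""Evaluate an OpenIOC 1.0 indicator against host observations (added example)."""
import xml.etree.ElementTree as ET

# OpenIOC 1.0 namespace.
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample indicator, not a real IOC: hash, name and size are
# illustrative and the id attributes are placeholders rather than real GUIDs.
SAMPLE_IOC = """
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-ioc-1" last-modified="2014-06-25T02:18:00">
  <short_description>Example dropper</short_description>
  <description>Constructed example indicator.</description>
  <authored_by>example</authored_by>
  <authored_date>2014-06-25T02:18:00</authored_date>
  <links/>
  <definition>
    <Indicator operator="OR" id="example-ind-1">
      <IndicatorItem id="example-item-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="example-ind-2">
        <IndicatorItem id="example-item-2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem id="example-item-3" condition="is">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
          <Content type="int">73728</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _local(tag):
    """Strip the namespace prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def item_matches(item, observation):
    """Compare one IndicatorItem with the observed value for its search term."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    if ctx is None or content is None:
        raise ValueError("IndicatorItem without Context/Content")
    actual = observation.get(ctx.get("search"))
    if actual is None:  # artifact not collected: it cannot match
        return False
    expected = (content.text or "").strip().lower()
    actual = str(actual).lower()
    condition = item.get("condition", "is")
    if condition == "is":
        return actual == expected
    if condition == "contains":
        return expected in actual
    raise ValueError(f"unsupported condition {condition!r}")


def indicator_matches(indicator, observation):
    """Evaluate an Indicator: AND/OR over its IndicatorItems and nested Indicators."""
    results = []
    for child in indicator:
        name = _local(child.tag)
        if name == "IndicatorItem":
            results.append(item_matches(child, observation))
        elif name == "Indicator":
            results.append(indicator_matches(child, observation))
    operator = indicator.get("operator", "OR").upper()
    if operator == "AND":
        return bool(results) and all(results)
    if operator == "OR":
        return any(results)
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate_ioc(xml_text, observation):
    """True if the observation satisfies any top-level Indicator of the IOC."""
    root = ET.fromstring(xml_text.strip())
    definition = root.find("ioc:definition", NS)
    return any(indicator_matches(ind, observation)
               for ind in definition.findall("ioc:Indicator", NS))


def search_terms(xml_text):
    """List the artifact attributes the IOC needs, so collection can be scoped."""
    root = ET.fromstring(xml_text.strip())
    return sorted({ctx.get("search") for ctx in root.iter(f"{{{NS['ioc']}}}Context")})


# Constructed host observations keyed by OpenIOC search term.
HIT_BY_HASH = {"FileItem/Md5sum": "D41D8CD98F00B204E9800998ECF8427E",
               "FileItem/FileName": "notepad.exe", "FileItem/SizeInBytes": 193536}
HIT_BY_NAME_AND_SIZE = {"FileItem/Md5sum": "0" * 32,
                        "FileItem/FileName": "svch0st.exe", "FileItem/SizeInBytes": 73728}
CLEAN = {"FileItem/Md5sum": "0" * 32,
         "FileItem/FileName": "svchost.exe", "FileItem/SizeInBytes": 73728}

if __name__ == "__main__":
    print("collect:", search_terms(SAMPLE_IOC))
    for label, obs in [("hash", HIT_BY_HASH), ("name+size", HIT_BY_NAME_AND_SIZE), ("clean", CLEAN)]:
        print(label, evaluate_ioc(SAMPLE_IOC, obs))
```

The tree evaluation is what distinguishes OpenIOC from a flat hash list: the nested AND lets a name-plus-size pair fire without a hash, and an uncollected attribute is treated as a non-match rather than an error, so a partial collection yields false negatives but never false positives.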
''Cyber Threat Intelligence page: revision as of 02:18, 25 June 2014''
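The UserAssist key in the Windows 7 NTUSER Registry list above records program execution as ROT13-encoded value names with a 72-byte binary value: session id, run count, focus count, focus time in milliseconds, ten floats, an unknown DWORD, the last-run FILETIME at offset 60 and a trailing DWORD. The following added example (not code from the original page) decodes one such value. The subkey and known-folder GUIDs are the documented Windows 7 ones; the value name, counters and timestamp are constructed for the demonstration.

```python
"""Decode Windows 7 UserAssist values (added example, constructed sample data)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 UserAssist subkeys: executables and shortcuts (documented GUIDs).
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

# Known-folder GUIDs that decoded value names start with (documented values).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
}

# Windows 7 value layout, little-endian, 72 bytes: session id, run count,
# focus count, focus time (ms), ten floats, unknown, last-run FILETIME, unknown.
WIN7_FORMAT = "<IIII10fIQI"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# ROT13 of "UEME_CTLSESSION", the per-subkey bookkeeping value that is not a program.
CTLSESSION_ROT13 = "HRZR_PGYFRFFVBA"


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment):
    """Inverse of filetime_to_datetime using exact integer arithmetic."""
    delta = moment - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(value_name):
    """Undo the ROT13 and expand a leading known-folder GUID."""
    plain = codecs.decode(value_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if plain.upper().startswith(guid):
            return folder + plain[len(guid):]
    return plain


def parse_win7_value(value_name, data):
    """Describe one UserAssist entry; rejects values that are not the Win7 size."""
    if len(data) != struct.calcsize(WIN7_FORMAT):
        raise ValueError(f"expected 72-byte Windows 7 value, got {len(data)} bytes")
    fields = struct.unpack(WIN7_FORMAT, data)
    session_id, run_count, focus_count, focus_ms = fields[:4]
    last_run_ft = fields[15]  # fields[4:14] floats, [14] unknown, [15] FILETIME, [16] unknown
    return {
        "path": decode_name(value_name),
        "session_id": session_id,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def parse_subkey(values):
    """Parse {value_name: bytes} for one GUID subkey, most recently run first."""
    entries = [parse_win7_value(name, data) for name, data in values.items()
               if not name.startswith(CTLSESSION_ROT13)]
    return sorted(entries, key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte value for demonstration (not captured from a real hive)."""
    return struct.pack(WIN7_FORMAT, 0, run_count, focus_count, focus_ms, *([0.0] * 10),
                       0, datetime_to_filetime(last_run), 0)


# Constructed sample: ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe".
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2014, 6, 25, 2, 18, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_value(7, 3, 125000, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    for entry in parse_subkey({SAMPLE_NAME: SAMPLE_DATA}):
        print(entry["path"], entry["run_count"], entry["last_run"])
```

On Windows 7 the run count is stored as-is (the XP/Vista offset of 5 does not apply), and a value that is not 72 bytes long is either the UEME_CTLSESSION bookkeeping entry or an artifact from another Windows version, so the parser refuses it rather than guessing.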
