Difference between pages "Upcoming events" and "Windows Registry"

From ForensicsWiki
(Difference between pages)
(Calls For Papers)
 
m (See Also)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
==Bibliography==
Events should be posted in the correct section, and in date order. An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training). When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>
+
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
 +
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination, by Paul Davies]
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]]. It is not an all inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008  [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
 +
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
 +
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
  
This listing is divided into four sections (described as follows):<br>
+
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
+
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations. This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Provider, URL) (''note: this has been moved to its own page.'')<br></li></ol>
+
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv.
+
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="30%|Title
+
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
|-
+
|ShmooCon 2009
+
|Dec 01, 2008
+
|Jan 01, 2009
+
|http://www.shmoocon.org/cfp.html
+
|-
+
|Security Opus
+
|Dec 01, 2008
+
|Jan 31, 2009
+
|http://www.securityopus.com/SORpapers.php
+
|-
+
|AusCERT Conference 2009
+
|Dec 05, 2008
+
|Jan 30, 2009
+
|http://conference.auscert.org.au/conf2009/cfp2009.html
+
|-
+
|Blackhat Briefings - Washington DC
+
|Jan 01, 2009
+
|Jan 16, 1009
+
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-cfp.html
+
|-
+
|Hacker Halted USA 2009
+
|Jan 15, 2009
+
|Feb 15, 2009
+
|http://www.eccouncil.org/hhusa/papers/page6.html
+
|-
+
|3rd Edition of Small Scale Digital Device Forensics Journal
+
|Jan 31, 2009
+
|
+
|http://www.ssddfj.org/Call.asp
+
|-
+
|4rd International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE-2009)
+
|Feb 01, 2009
+
|
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|Blackhat Briefings - Europe
+
|Feb 01, 2009
+
|Feb 15, 2009
+
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-cfp.html.
+
|-
+
|Usenix Security 2009
+
|Feb 04, 2009
+
|Apr 13, 2009
+
|http://www.usenix.org/events/sec09/cfp
+
|-
+
|2009 ADFSL Conference on Digital Forensics, Security and Law
+
|Feb 20, 2009
+
|
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|KDDD 2009
+
|Feb 02, 2009
+
|Apr 10, 2009
+
|http://www.sigkdd.org/kdd2009/
+
|-
+
|DFRWS 2009
+
|Mar 16, 2009
+
|Apr 28, 2009
+
|http://www.dfrws.org/2009/cfp.shtml
+
|-
+
|ACM CCS 2009
+
|Apr 2009
+
|
+
|http://www.sigsac.org/ccs
+
|-
+
|New Security Paradigms Conference 2009
+
|Apr 2009
+
|
+
|http://www.nspw.org/current/
+
|-
+
|IEEE Symposium on Security and Privacy 2010
+
|Nov 2009
+
|
+
|
+
|-
+
|}
+
  
== Conferences ==
+
==File Locations==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
===Windows XP===
|- style="background:#bfbfbf; font-weight: bold"
+
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
! width="40%"|Title
+
* HKEY_USERS/DEFAULT: \Windows\system32\config\default
! width="20%"|Date/Location
+
* HKEY_LOCAL_MACHIN/SAM: \Windows\system32\config\SAM
! width="40%"|Website
+
* HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
|-
+
* HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
|6th Australian Digital Forensics Conference
+
* HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system
|Dec 01-03<br>Mount Lawley, WA, Australia
+
 
|http://scissec.scis.ecu.edu.au/conferences2008/index.php?cf=2
+
===Windows 98/ME===
|-
+
* \Windows\user.dat
|Pacific Information Security Forum
+
* \Windows\system.dat
|Dec 02-03, San Francisco, CA
+
* \Windows\profiles\user profile\user.dat
|http://www.ianetsec.com/forums/event_summary.html?label=45
+
 
|-
+
==Tools==
|IEEE International Workshop on Information and Data Assurance
+
===Open Source===
|Dec 07<br>Austin, TX
+
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
|http://ipccc.org/ipccc2008/main.php?page=6#workshop3
+
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.
|-
+
* [http://www.regripper.net/ RegRipper] — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
|Digital Forensics Forum Arabia 2008
+
===Commercial===
|Dec 15-17<br>Manama, Bahrain
+
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
|http://dff-worldwide.com/index.php?page=dff-arabia-2008-conference&hl=en_US
+
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
|-
+
* [http://lastbit.com/arv/ Alien Registry Viewer]
|e-Forensics 2009
+
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
|Jan 19-21<br>Adelaide, Australia
+
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
|http://www.e-forensics.eu/
+
* [http://paullee.ru/regundel Registry Undelete (russian)]
|-
+
* [http://mitec.cz/wrr.html Windows Registry Recovery]
|2009 DoD Cyber Crime Conference
+
* [http://registrytool.com/ Registry Tool]
|Jan 24-30<br>St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 25-28<br>Orlando, FL
+
|http://www.ifip119.org/Conferences/
+
|-
+
|ShmooCon 2009
+
|Feb 06-08<br>Washington, DC
+
|http://www.shmoocon.org/
+
|-
+
|American Academy of Forensic Sciences Annual Meeting
+
|Feb 16-21<br>Denver, CO
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|Blackhat DC
+
|Feb 16-19<br>Washington, DC
+
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-main.html
+
|-
+
|24th Annual ACM Symposium on Applied Computing - Computer Forensics Track
+
|Mar 08-12<br>Honolulu, HI
+
|http://www.acm.org/conferences/sac/sac2009
+
|-
+
|ARES 2009 Conference
+
|Mar 16-19<br>Fukuoka, Japan
+
|http://www.ares-conference.eu/conf/
+
|-
+
|Security Opus
+
|Mar 17-18<br>San Francisco, CA
+
|http://www.securityopus.com
+
|-
+
|e-Crime Congress 2009
+
|Mar 24-25, London, United Kingdom
+
|http://www.e-crimecongress.org/ecrime2009/
+
|-
+
|Blackhat Europe
+
|Apr 14-17<br>Amsterdam, The Netherlands
+
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html
+
|-
+
|AusCERT2009
+
|May 17-22<br>Gold Coast, Australia
+
|http://conference.auscert.org.au/conf2009/
+
|-
+
|Computer Security Institute: Security Exchange
+
|May 17-22<br>Las Vegas, NV
+
|http://www.csisx.com/
+
|-
+
|ADFSL 2009 Conference on Digital Forensics, Security and Law
+
|May 20-22<br>Burlington, VT
+
|http://www.digitalforensics-conference.org
+
|-
+
|Fourth International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|May 22<br>Oakland, CA
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|2009 Techno Security Conference
+
|May 31-Jun 03<br>Myrtle Beach, SC
+
|http://www.techsec.com/index.html
+
|-
+
|Mobile Forensics World 2009
+
|Jun 03-06<br>Chicago, IL
+
|http://www.mobileforensicsworld.com
+
|-
+
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
+
|Jun 14-18<br>Dresden, Germany
+
|http://www.ieee-icc.org/2009/
+
|-
+
|Blackhat USA 2009
+
|Jul 25-30<br>Las Vegas, NV
+
|https://www.blackhat.com/
+
|-
+
|DefCon 17
+
|Jul 31-Aug 02<br>Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|Usenix Security Sypmosium
+
|Aug 10-14<br>Montreal, Quebec, Canada
+
|http://www.usenix.org/events/sec09/
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 17-19<br>Montreal, Quebec, Canada
+
|http://www.dfrws.org
+
|-
+
|Triennial Meeting of the European Academy of Forensic Science
+
|Sep 08-11<br>Glasgow, Scotland, UK
+
|http://www.eafs2009.com/
+
|-
+
|}
+
  
== On-going / Continuous Training ==
 
{| border="0" cellpadding="2" cellspacing="2" align="top"
 
|- style="background:#bfbfbf; font-weight: bold"
 
! width="40%"|Title
 
! width="20%"|Date/Location
 
! width="40%"|Website
 
|-
 
| ----DISTANCE LEARNING----
 
|-
 
|Basic Computer Examiner Course - Computer Forensic Training Online
 
|Distance Learning Format
 
|http://www.cftco.com
 
|-
 
|Linux Data Forensics Training
 
|Distance Learning Format
 
|http://www.crazytrain.com/training.html
 
|-
 
|SANS On-Demand Training
 
|Distance Learning Format
 
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
 
|-
 
| ----RECURRING TRAINING----
 
|-
 
|MaresWare Suite Training
 
|First full week every month<br>Atlanta, GA
 
|http://www.maresware.com/maresware/training/maresware.htm
 
|-
 
|Evidence Recovery for Windows Vista&trade;
 
|First full week every month<br>Brunswick, GA
 
|http://www.internetcrimes.net
 
|-
 
|Evidence Recovery for Windows Server&reg; 2003 R2
 
|Second full week every month<br>Brunswick, GA
 
|http://www.internetcrimes.net
 
|-
 
|Evidence Recovery for the Windows XP&trade; operating system
 
|Third full week every month<br>Brunswick, GA
 
|http://www.internetcrimes.net
 
|-
 
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
 
|Third weekend of every month(Fri-Mon)<br>Dallas, TX
 
|http://www.md5group.com
 
|-
 
|}
 
 
==See Also==
 
==See Also==
* [[Scheduled Training Courses]]
+
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
==References==
+
* [http://www.answers.com/topic/win-registry Windows Registry Information]
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
[[Category:Bibliographies]]
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
 +
* [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
 +
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 +
* http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
 +
* [http://sourceforge.net/projects/regviewer/ RegViewer] - a program for viewing NT Registry files.
 +
* [http://projects.sentinelchicken.org/reglookup/ RegLookup]
 +
 
 +
 
 +
* http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
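
Review bot: The added Windows XP file-location lines misspell two names, "HKEY_LOCAL_MACHIN/SAM" (should be HKEY_LOCAL_MACHINE) and "\Documents and Setting\" (should be "\Documents and Settings\"); correct both so the hive-to-file mapping can be relied on as written. The added bibliography also links the same registry_examination.pdf URL twice under different titles and authors ("Paul Davies" and "Peter Davies"), so keep a single entry with the attribution checked against the paper. The added ntreg entry begins with a bare URL and ends in "ntreg]", so its opening "[" is missing and the external-link markup will not render.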

Revision as of 02:30, 27 December 2009

Bibliography

File Locations

Windows XP

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."

Commercial

See Also