Difference between pages "List of Windows MRU Locations" and "SIMIS"

From ForensicsWiki
Line 1: Line 1:
==Common==
+
== SIMIS 2G ==  
'''Regedit - Last accessed key'''
+
:Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
+
'''Regedit - Favorites'''
+
:Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
+
'''MSPaint - Recent Files'''
+
:Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
+
'''Wordpad - Recent Files '''
+
:Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
+
'''Common Dialog - Open'''
+
:Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
+
'''Common Dialog - Save As '''
+
:Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
+
'''WMP8 XP - Recent Files'''
+
:Software\Microsoft\MediaPlayer\Player\RecentFileList
+
'''WMP 8 XP - Recent URLs '''
+
:Software\Microsoft\MediaPlayer\Player\RecentURLList
+
'''OE6 Stationery list 1 - New Mail'''
+
:Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List (ID=example)
+
'''OE 6 Stationery list 2 - New Mail'''
+
:Identities\{C19958F2-22F3-4C6A-9AE0-12049CE0706F}\Software\Microsoft\Outlook Express\5.0\Recent Stationery Wide List (ID=example)
+
  
==Windows 2000/XP==
+
'''Feature Overview'''
'''XP Search Files'''
+
* Forensically safe - no facility for the modification of system or user data held on the SIM
:Software\Microsoft\Search Assistant\ACMru\5603
+
* Correctly handles PIN and PUK entry under controlled conditions.
'''Internet Search Assistant '''
+
* Builds a database with unique file references for each SIM Card.
:Software\Microsoft\Search Assistant\ACMru\5001
+
* Searchable database with appropriate index categories.
'''Printers, Computers and People'''
+
* Facility to read data from the SIMIS Mobile card interrogation unit.
:Software\Microsoft\Search Assistant\ACMru\5647
+
* Presents data in a printable format for reports.
'''XP Start Menu - Recent'''
+
* Provides commented RAW data in a standard format for use in third party applications.
:Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
+
'''Remote Desktop - Connect'''
+
:Software\Microsoft\Terminal Server Client\Default [MRUnumber]
+
'''Run dialog box'''
+
:Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
+
  
==Windows ME, 98, and 95==
 
'''Doc Find Spec MRU'''
 
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
 
'''Find Computer'''
 
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU
 
'''Printer Ports'''
 
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PrnPortsMRU
 
'''Run'''
 
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 
'''Window Size/Position'''
 
:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
 
  
==Microsoft Office 2000==
+
Typically a SIMIS package consists of:
'''Winword - Open'''
+
* PC based software application
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
+
* PC/SC Smart Card Reader (USB or Serial)
'''Winword - Save As'''
+
* Mini-Sim Adapter
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
+
* USB License Key
'''Winword - Recent Files'''
+
:Software\Microsoft\Office\9.0\Word\Data
+
'''Excel - Open'''
+
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Open\File Name MRU
+
'''Excel - Save As'''
+
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Excel\Settings\Save As\File Name MRU
+
'''Excel  - Recent Files'''
+
:Software\Microsoft\Office\9.0\Excel\Recent Files
+
'''Frontpage - Open'''
+
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft FrontPage\Settings\Open File\File Name MRU
+
'''Frontpage - Save As'''
+
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft FrontPage\Settings\Save As\File Name MRU
+
'''Frontpage - Recent lists'''
+
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
+
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
+
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Web List
+
:Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recently Created Servers
+
:Software\Microsoft\FrontPage\Editor\Recently Used URLs
+
'''PowerPoint - Open'''
+
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Open\File Name MRU
+
'''PowerPoint - Save As'''
+
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
+
'''PowerPoint - Recent Files'''
+
:Software\Microsoft\Office\9.0\PowerPoint\Recent File List
+
'''Access - Open'''
+
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Access\Settings\Open\File Name MRU
+
'''Access - Filename MRU'''
+
:Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Access\Settings\File New Database\File Name MRU
+
:Software\Microsoft\Office\9.0\Access\Settings
+
  
==Internet Explorer==
+
There is also the option to use a PC Card (PCMCIA) Reader for laptops and notebooks.
'''Recently Entered Addresses'''
+
:USERNAME\software\microsoft\internet explorer\typedurls
+
'''Last Directory Saved To'''
+
:USERNAME\software\microsoft\internet explorer
+
  
==Adobe==
 
'''Media Browser'''
 
:HKEY_CURRENT_USER\Software\Adobe\MediaBrowser\MRU
 
'''Acrobat 5.0 Full'''
 
:HKEY_CURRENT_USER\Software\ADOBE\Adobe Acrobat\5.0\AVGeneral\cRecentFiles
 
'''Acrobat Reader 5.0'''
 
:HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
 
'''Acrobat 8.0 Standard'''
 
:HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\AVGeneral\cRecentFiles [[User:Pmow|Pmow]] 16:14, 23 July 2008 (UTC)
 
  
==Windows Explorer==
+
'''The Search Engine'''
'''List of Recent Programs Opened'''
+
:HKEY_USERS\USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
+
'''Save Locations by Filetype'''
+
:HKEY_USERS\USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
+
'''Most Recent Application's Use of DirectX'''
+
:software\microsoft\direct3d\mostrecentapplication
+
'''List of Recent Files Opened, by Filetype'''
+
:USERNAME\software\microsoft\windows\currentversion\explorer\recentdocs
+
  
==Kazaa==
+
The SIMIS database search engine, allows comprehensive searches to be made across all SIM cards data that have been interrogated. Searches can be carried out across the entire database, or can be narrowed down to things like a specific case reference, or a specific mobile number.
'''Recent Search List'''
+
:USERNAME\software\kazaa\search
+
  
==Registry Editor==
+
A typical search would allow you to enter a mobile phone number and identify if that number was held in the ADN of any card previously interrogated - potentially opening up new lines of inquiry in investigations, or linking suspected criminals and networks together.
'''Last Key Accessed'''
+
:USERNAME\software\microsoft\windows\currentversion\applets\regedit
+
==Sources==
+
  
[http://www.daniweb.com/tutorials/tutorial66079.html Registry MRU Locations]
+
== SIMIS 3G ==
 +
SIMIS 3G provides the examiner with broadly similar features and facilities to SIMIS 2, however the 3G 'SIM' holds a vast amount of user and network information. SIMIS 3G is a most comprehensive tool for the recovery and clear precise presentation of the data.
  
[http://support.microsoft.com/kb/142298 How to Clear the Windows Explorer MRU Lists]
+
SIMIS 3G presents the recovered data in its original language (Unicode fully supported), in an easily browsable format, complete with comprehensive print facilities and selectable scan depth. SIMIS 3G allows the examiner to view recovered data (including phone book contacts and numbers, SMS text messages, deleted text messages, time and date information and more )
 +
 
 +
SIMIS3G provides access to all areas of the USIM, however SIMIS3G was designed to be intuitive and easy to use, requiring no detailed knowledge of the USIM operating system. SIMIS3G will generate human readable clear consice reports for each USIM interrogation, with optional additional user entered information such as, operator name, case ID, exhibit number, Handset type etc.
 +
 
 +
Recovered data is secured against tampering using both MD5 and SHA-1 hashing techniques. Recovered data, reports and hashing codes are stored locally in unique folders to ensure integrity of data and ease of access.
 +
 
 +
Dual SIMIS 2 and SIMIS3G licensing with Auto Detect of card format allows the user to harvest data in a clean simple environment with robust powerful tools, configured for everyday use.
 +
 
 +
SIMIS 3G has been evaluated tested and used by leading mobile intelligence examiners and forensic experts. Meeting or exceeding their every needs.
 +
 
 +
 
 +
'''SIMIS 3G is comprised of:'''
 +
* USB card readers (PCSC Industry standard)
 +
* PC software on CDROM
 +
* mini sim adapter and USIM storage card
 +
* license
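Review bot: In the added SIMIS 3G text, "consice" should be "concise", and "Meeting or exceeding their every needs." is a fragment that should be joined to the preceding sentence as "..., meeting or exceeding their every need." The line "Recovered data is secured against tampering using both MD5 and SHA-1 hashing techniques" would be more precise as tamper-evident, since the hashes stored alongside the data only let a later examiner detect modification. Separately, the added "Sources" heading is left with no SIMIS source under it, so either cite one or drop the heading.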

Revision as of 16:08, 23 September 2008

SIMIS 2G

Feature Overview

  • Forensically safe - no facility for the modification of system or user data held on the SIM
  • Correctly handles PIN and PUK entry under controlled conditions.
  • Builds a database with unique file references for each SIM Card.
  • Searchable database with appropriate index categories.
  • Facility to read data from the SIMIS Mobile card interrogation unit.
  • Presents data in a printable format for reports.
  • Provides commented RAW data in a standard format for use in third party applications.


Typically a SIMIS package consists of:

  • PC based software application
  • PC/SC Smart Card Reader (USB or Serial)
  • Mini-Sim Adapter
  • USB License Key

There is also the option to use a PC Card (PCMCIA) Reader for laptops and notebooks.


The Search Engine

The SIMIS database search engine allows comprehensive searches across the data of all SIM cards that have been interrogated. Searches can be carried out across the entire database, or narrowed down to, for example, a specific case reference or a specific mobile number.

A typical search would allow you to enter a mobile phone number and identify whether that number was held in the ADN (Abbreviated Dialling Numbers, the SIM phone book) of any card previously interrogated - potentially opening up new lines of inquiry in investigations, or linking suspected criminals and networks together.
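An added example, not part of the original page or of SIMIS itself: how a cross-card ADN lookup like the one described above can work on raw EF_ADN records, using the record layout from GSM 11.11 / 3GPP TS 51.011. The card references, names and numbers are constructed sample data, and the function names are hypothetical.

```python
# EF_ADN record layout (GSM 11.11 / 3GPP TS 51.011): X bytes alpha identifier
# (name, 0xFF padded), then 14 fixed bytes: length of BCD contents, TON/NPI,
# 10 bytes of swapped-nibble BCD digits (0xF padded), CCP id, extension id.
BCD = "0123456789*#???"  # nibbles 0xC-0xE are control codes, shown as '?'

def decode_adn(record: bytes):
    """Return (name, number) for one ADN record, or None for an unused record."""
    if len(record) < 14:
        raise ValueError("an ADN record is at least 14 bytes long")
    alpha, tail = record[:-14], record[-14:]
    bcd_len = tail[0]                    # counts the TON/NPI byte + digit bytes
    if not 2 <= bcd_len <= 11:           # 0xFF marks an unused record
        return None
    digits = "".join(
        BCD[nib]
        for byte in tail[2:1 + bcd_len]
        for nib in (byte & 0x0F, byte >> 4)  # low nibble holds the first digit
        if nib != 0x0F                       # 0xF is padding
    )
    prefix = "+" if (tail[1] >> 4) & 0x07 == 1 else ""  # TON 1 = international
    # Assumption: the name uses only the ASCII-compatible part of the GSM alphabet.
    name = alpha.rstrip(b"\xff").decode("ascii", errors="replace")
    return name, prefix + digits

def digits_only(number: str) -> str:
    """Drop '+', spaces and punctuation so formatting does not affect matching."""
    return "".join(ch for ch in number if ch.isdigit())

def find_number(cards: dict, wanted: str) -> list:
    """Return (card_ref, name, number) for every ADN entry equal to `wanted`."""
    target = digits_only(wanted)
    hits = []
    for card_ref, records in cards.items():
        for record in records:
            entry = decode_adn(record)
            if entry and digits_only(entry[1]) == target:
                hits.append((card_ref, *entry))
    return hits

def _sample(alpha_hex: str, tail_hex: str) -> bytes:
    """Build a constructed 24-byte record: 10-byte name field + 14-byte tail."""
    return (bytes.fromhex(alpha_hex).ljust(10, b"\xff")
            + bytes.fromhex(tail_hex).ljust(14, b"\xff"))

# Constructed sample data keyed by hypothetical case/exhibit references.
CARDS = {
    "CASE-001/SIM-A": [_sample("414C494345", "0791447700091032"), b"\xff" * 24],
    "CASE-002/SIM-B": [_sample("424F42", "07817007900054F6"),
                       _sample("414C", "0791447700091032")],
}
```

Matching here is exact on the stored digits, so a number saved in national format on one card and international format on another will not link until both are normalised to the same form.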

SIMIS 3G

SIMIS 3G provides the examiner with broadly similar features and facilities to SIMIS 2; however, the 3G 'SIM' holds a vast amount of user and network information. SIMIS 3G is a most comprehensive tool for the recovery and clear, precise presentation of the data.

SIMIS 3G presents the recovered data in its original language (Unicode fully supported), in an easily browsable format, complete with comprehensive print facilities and selectable scan depth. SIMIS 3G allows the examiner to view recovered data (including phone book contacts and numbers, SMS text messages, deleted text messages, time and date information and more).

SIMIS3G provides access to all areas of the USIM; however, SIMIS3G was designed to be intuitive and easy to use, requiring no detailed knowledge of the USIM operating system. SIMIS3G will generate clear, concise, human-readable reports for each USIM interrogation, with optional additional user-entered information such as operator name, case ID, exhibit number, handset type etc.

Recovered data is secured against tampering using both MD5 and SHA-1 hashing techniques. Recovered data, reports and hashing codes are stored locally in unique folders to ensure integrity of data and ease of access.

Dual SIMIS 2 and SIMIS3G licensing with Auto Detect of card format allows the user to harvest data in a clean, simple environment with robust, powerful tools, configured for everyday use.

SIMIS 3G has been evaluated, tested and used by leading mobile intelligence examiners and forensic experts, meeting or exceeding their every need.


SIMIS 3G is comprised of:

  • USB card readers (PC/SC industry standard)
  • PC software on CD-ROM
  • Mini-SIM adapter and USIM storage card
  • License