{"id":55827,"date":"2022-08-31T09:01:29","date_gmt":"2022-08-31T01:01:29","guid":{"rendered":"https:\/\/version-2.com\/?p=55827"},"modified":"2022-09-29T17:41:12","modified_gmt":"2022-09-29T09:41:12","slug":"windows-registry-forensics-pt-2","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2022\/08\/windows-registry-forensics-pt-2\/","title":{"rendered":"Windows Registry Forensics – Pt. 2"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

\"\"<\/p>\n\n

Intro<\/h3>

I talked for a bit about the Windows Registry and what are its main purposes, as well as what we can do with it; before delving further into that, I wanted to briefly mention a tool you might use for your forensic Analysis \u2013 Autopsy.<\/p>

I will also just touch upon another tool you might use as well \u2013 FTK Imager.<\/p>

Finally, I will also provide some useful links at the end of the article.<\/p>

 <\/h3>

Data Acquisition<\/h3>

So, you have a disk to analyze, and want to access it so you can dig around for useful artifacts to uncover what has transpired on the said system. Remember that your disk needs cloning\/imaging \u2013 this is best practice, and you should always try to copy the data you want to do some forensics on. This is also known as data acquisition.<\/em><\/p>

By now, you know that you can look at the Windows Registry with the registry editor (regedit.exe), however the best way to do this is to acquire a copy of that data and analyze the copy.<\/p>

Tooling<\/h3>

You can go to %WINDIR%\\System32\\Config <\/strong>and try to copy those files that are in fact our registry hives:<\/p>

I selected the files here and tried to copy them to my Desktop:<\/p>

After checking the box and clicking on continue, Windows won\u2019t let me copy the files to the desktop:<\/p>

This happens because the files are restricted.<\/p>

Luckily, there are tools that can help us with acquisition of the registry hive files. One such tool is Autopsy<\/a>, which lets you acquire data from both live system and disk images.<\/p>

Once installed and ran, you need to create a new case:<\/p>

You then have some optional info to fill, to help you stay organized etc. (I won\u2019t be doing that here \u2013 see the image below)<\/p>

Further, you need to add a data source:<\/p>

I am choosing Disk Image or VM file here which I previously downloaded from the Cfreds (Computer Forensics Reference DataSet portal) found here<\/a>:<\/p>

Note that if you download the dataset I linked, you should download all the files from .7z.001 to .7z.003 and place them in the same folder; afterward, just extract the .001 and 7z will know to merge the three files together, giving you the disk image I am using in the article here.<\/em><\/p>

For the configure ingest step, you can do a lot of stuff here, but I am choosing just two options \u2013 Recent Activity <\/em>and File Type Identification<\/em>. If you were to choose all for let\u2019s say a disk that\u2019s slightly larger, you\u2019d have to wait for a bit, before Autopsy did all its stuff.<\/p>

Now, I just must wait for Autopsy to do its thing and see what I\u2019ve got!<\/p>

One more quick note: This can take some time and eat up your RAM \u2013 Autopsy 64bit recommends you have 16GB RAM. Also, when ran on Windows it will create a max heap size of 4GB, leaving the remaining memory to the OS, and Solr text indexing service. You can change this value by changing the value of Maximum JVM memory, found under Tools -> Options -> Application as shown in the image below:<\/em><\/p>

Going back to our dataset, the situation is now looking something like this:<\/p>

As you can see in the screenshot above, Autopsy has found a bunch of very interesting things! From Installed software to OS info, Web History, Bookmarks\u2026 so many artifacts! <\/p>

But, since the topic here is the Registry, let\u2019s investigate that specifically.<\/p>

Before going further, I\u2019d like to add that this image comes with 12 questions for you to try and answer. This is perfect for the scope of this article and the reason why I included it.<\/p>

I will answer a couple of questions and leave you to try and solve the others yourself. With some Google-fu, you could probably find the answers online, but for the sake of learning do try to go for the questions yourself first. (There\u2019s even a Youtube video, that I won\u2019t <\/em>link here, but if you get stuck search for it, or write in the comment section of this article and I will share it with you)<\/p>

Practice Questions<\/h3>

The questions are:<\/p>

  1. What operating system was used on the computer?<\/li>
  2. When was the install date?<\/li>
  3. Who is the registered owner?<\/li>
  4. What is the computer name?<\/li>
  5. Who was the last user to logon into PC?<\/li>
  6. What is the account name of the user who mostly uses the computer?<\/li>
  7. When was the last recorded computer shutdown date\/time?<\/li>
  8. What is the timezone settings?<\/li>
  9. Explain the information of network interface(s) with an IP address assigned by DHCP.<\/li>
  10. List all accounts in OS except the system accounts: Administrator, Guest, systemprofile, LocalService<\/li>
  11. What applications were installed by the suspect after installing OS?<\/li>
  12. List external storage devices attached to PC.<\/li><\/ol>

    Q1: What operating system was used on the computer?<\/p>

    A: For this, we can look under the Operating System Information \u2013 which is the output for the ingest module:<\/p>

    On the righthand side we can see two source files for the Software hive, by clicking on one of those, we can see in the window below all that Autopsy knows about this image.<\/p>

    From the underlined part above, we can conclude that this is a backup of the Registry \u2013 because of the RegBack in the path.<\/p>

    When we look at the second Software Hive, we can see what OS is used on this computer:<\/p>

    We now know the answer to first question is \u2013 Windows 7 Ultimate SP 1<\/strong>.<\/p>

      <\/p>

    Q2: When was the install date?<\/p>

    A: I will just drop a hint here! The answer is already visible\u2026 no need to even install Autopsy and load the image from this article.<\/p>

    Q3: Who is the registered owner?<\/p>

    A: See above.<\/p>

    Q4: What is the computer name?<\/p>

    A: Same as Q3.<\/p>

    Q5: Who was the last user to logon to the PC?<\/p>

    A:<\/p>

    Q6: What is the account name of the user who mostly uses the computer?<\/p>

    A:<\/p>

    Q7: When was the last recorded computer shutdown date\/time?<\/p>

    A: We can look at the System Hive again, and click on the Application tab (remember to use the one that doesn\u2019t <\/em>have RegBack in its name)<\/p>

    Under application, we drill down to ControlSet001, expand the Control node, and go all the way down to the Windows node (notice the size of the scroll bar)<\/p>

    Highlighting the Windows node, we can see the ShutdownTime key, which we now just need to convert to something human readable<\/p>

    We go to our trusty Cyberchef<\/a> and create our recipe to decode this value.<\/p>

    Step 1<\/strong> \u2013 We change the Little Endian in our Cyberchef recipe \u2013 we used Swap Endianness<\/em> recipe<\/p>

    Note that I copied the value from Autopsy, but removed the whitespaces<\/em><\/p>

    We\u2019re also converting from 8 byte words, so I changed the default 4 byte word length to 8 bytes.<\/p>

    Step 2<\/strong> \u2013 We search for Remove Whitespace <\/em>module and add it to our recipe<\/p>

    Step 3<\/strong> \u2013 We add Windows Filetime to UNIX Timestamp<\/em> to our recipe<\/p>

    The output above is what we\u2019re after, we just need to convert the UNIX timestamp. Also, the default is Decimal, which I changed to Hex (Big Endian)<\/em><\/p>

    Step 4<\/strong> \u2013 For our final step, we add one last ingredient to the recipe \u2013 From UNIX Timestamp<\/em><\/p>

    And that\u2019s it! The answer to our question is \u2013 last recorded shutdown time was on Wednesday, 25th of March, 15:31:05 UTC, 2015<\/strong><\/p>

    *Note that in the Windows Filetime to Unix Timestamp Hex (big endian) is selected. Change it to Little endian, and pay close attention to the output.<\/em><\/p>

    Questions 8 to 12 (and other unanswered questions) are left for you to try and solve. Feel free to share your experiences, results, or anything really, in the comment section!<\/p>

    FTK Imager<\/h3>

    Before concluding, I wanted to mention another tool you might end up using in your analysis \u2013 FTK Imager<\/a>.<\/p>

    This one can also extract files from a disk image (or a live system) through the mounting of the disk\/drive in the program.<\/p>

    Below is one screenshot of my mounted C: drive.<\/p>

    You can also extract the Registry Hives with FTK Imager by clicking on the little yellow safe icon (image above) \u2013 called Obtain Protected Files<\/em>.<\/p>

    This option is only there when a live system is being investigated. Also, I\u2019d like to note that this option, even though it can extract all the hives to a path you chose, it isn\u2019t able to copy the Amcache.hve (See 1st part of the series) which keeps information about executed applications, which are usually interesting (even necessary) to investigate when conducting a forensic analysis \u2013 specifically because it contains evidence about programs last executed.<\/p>

    Conclusion<\/h3>

    I hope you liked my part 2 of the series! It was a blast for me, and I will continue with this topic in the future. <\/p>

    I purposefully chose to make a \u2018demo\u2019 by using a tool, but I will also write about some important artifacts\/keys that you might want to keep in mind when investigating those hives!<\/p>

    Stay tuned.<\/p>

     <\/h4>

    Links\/Resources<\/h4>

    https:\/\/www.autopsy.com\/<\/a><\/p>

    https:\/\/what-when-how.com\/windows-forensic-analysis\/registry-analysis-windows-forensic-analysis-part-1\/<\/a><\/p>

    https:\/\/content-calpoly-edu.s3.amazonaws.com\/cci\/1\/documents\/ccic_forensics_manual\/CCIC%20Chapter%204%20-%20Understanding%20the%20Registry.pdf<\/a><\/p>

    https:\/\/cfreds.nist.gov\/<\/a><\/p>

    Cover image by Alexandre Debi\u00e8ve<\/a><\/p>

    #autopsy #registry #ftk_imager #windows #hives<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

    \n\t\t\t\t
    \n\t\t\t\t\t\t\t
    \t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    About Version 2 Digital<\/h3>

    Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n

    \nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    <\/p>\n

    About VRX<\/b>
    VRX <\/b>is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

    Intro I talked for a bit about the Windows Registry and […]<\/p>\n","protected":false},"author":143524195,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[476,488,61],"tags":[477,489],"class_list":["post-55827","post","type-post","status-publish","format-standard","hentry","category-vrx","category-488","category-press-release","tag-vrx","tag-489"],"acf":[],"yoast_head":"\nWindows Registry Forensics - Pt. 2 - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2\" \/>\n<meta property=\"og:locale\" content=\"zh_HK\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Windows Registry Forensics - Pt. 2 - Version 2\" \/>\n<meta property=\"og:description\" content=\"Intro I talked for a bit about the Windows Registry and […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-31T01:01:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-29T09:41:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl77rgh2r7ydm0nkwduxgbc6j.jpg\" \/>\n<meta name=\"author\" content=\"version2hk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"version2hk\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u8a08\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/08\\\/windows-registry-forensics-pt-2\\\/\"},\"author\":{\"name\":\"version2hk\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\"},\"headline\":\"Windows Registry Forensics – Pt. 2\",\"datePublished\":\"2022-08-31T01:01:29+00:00\",\"dateModified\":\"2022-09-29T09:41:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/08\\\/windows-registry-forensics-pt-2\\\/\"},\"wordCount\":1566,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl77rgh2r7ydm0nkwduxgbc6j.jpg\",\"keywords\":[\"vRx\",\"2022\"],\"articleSection\":[\"vRx\",\"2022\",\"Press Release\"],\"inLanguage\":\"zh-HK\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/08\\\/windows-registry-forensics-pt-2\\\/\",\"url\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2\",\"name\":\"Windows Registry Forensics - Pt. 2 - Version 2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl77rgh2r7ydm0nkwduxgbc6j.jpg\",\"datePublished\":\"2022-08-31T01:01:29+00:00\",\"dateModified\":\"2022-09-29T09:41:12+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2#breadcrumb\"},\"inLanguage\":\"zh-HK\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2#primaryimage\",\"url\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl77rgh2r7ydm0nkwduxgbc6j.jpg\",\"contentUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl77rgh2r7ydm0nkwduxgbc6j.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-2#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Windows Registry Forensics – Pt. 2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-HK\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\",\"name\":\"version2hk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"caption\":\"version2hk\"},\"sameAs\":[\"http:\\\/\\\/version2xfortcom.wordpress.com\"],\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/author\\\/version2hk\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Windows Registry Forensics - Pt. 2 - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2","og_locale":"zh_HK","og_type":"article","og_title":"Windows Registry Forensics - Pt. 2 - Version 2","og_description":"Intro I talked for a bit about the Windows Registry and […]","og_url":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2","og_site_name":"Version 2","article_published_time":"2022-08-31T01:01:29+00:00","article_modified_time":"2022-09-29T09:41:12+00:00","og_image":[{"url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl77rgh2r7ydm0nkwduxgbc6j.jpg","type":"","width":"","height":""}],"author":"version2hk","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"version2hk","\u9810\u8a08\u95b1\u8b80\u6642\u9593":"13 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2#article","isPartOf":{"@id":"https:\/\/version-2.com\/2022\/08\/windows-registry-forensics-pt-2\/"},"author":{"name":"version2hk","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/d14d2d3cd77ffdb618b9f1330fe084db"},"headline":"Windows Registry Forensics – Pt. 2","datePublished":"2022-08-31T01:01:29+00:00","dateModified":"2022-09-29T09:41:12+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2022\/08\/windows-registry-forensics-pt-2\/"},"wordCount":1566,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl77rgh2r7ydm0nkwduxgbc6j.jpg","keywords":["vRx","2022"],"articleSection":["vRx","2022","Press Release"],"inLanguage":"zh-HK"},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2022\/08\/windows-registry-forensics-pt-2\/","url":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2","name":"Windows Registry Forensics - Pt. 2 - Version 2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2#primaryimage"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl77rgh2r7ydm0nkwduxgbc6j.jpg","datePublished":"2022-08-31T01:01:29+00:00","dateModified":"2022-09-29T09:41:12+00:00","breadcrumb":{"@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2#breadcrumb"},"inLanguage":"zh-HK","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2"]}]},{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2#primaryimage","url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl77rgh2r7ydm0nkwduxgbc6j.jpg","contentUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl77rgh2r7ydm0nkwduxgbc6j.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-2#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/"},{"@type":"ListItem","position":2,"name":"Windows Registry Forensics – Pt. 2"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-HK"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/d14d2d3cd77ffdb618b9f1330fe084db","name":"version2hk","image":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","caption":"version2hk"},"sameAs":["http:\/\/version2xfortcom.wordpress.com"],"url":"https:\/\/version-2.com\/zh\/author\/version2hk\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-ewr","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/55827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/users\/143524195"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/comments?post=55827"}],"version-history":[{"count":6,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/55827\/revisions"}],"predecessor-version":[{"id":55833,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/55827\/revisions\/55833"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/media?parent=55827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/categories?post=55827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/tags?post=55827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}