{"id":57809,"date":"2022-09-01T17:42:45","date_gmt":"2022-09-01T09:42:45","guid":{"rendered":"https:\/\/version-2.com\/?p=57809"},"modified":"2022-09-29T17:41:10","modified_gmt":"2022-09-29T09:41:10","slug":"windows-registry-forensics-pt-3","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2022\/09\/windows-registry-forensics-pt-3\/","title":{"rendered":"Windows Registry Forensics \u2013 pt. 3"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

<\/h3>

Intro<\/h3>

\u00a0<\/p>

Continuing where I left off, I will look at some more tools you can use to look at the Registry of your Windows host, as well as some useful keys.<\/p>

\u00a0<\/p>

Tooling<\/h3>

\u00a0<\/p>

I am sure there are many tools out there, created specifically for this purpose, and please feel free to search for them. I will cover the ones that I\u2019ve used or know.<\/p>

From previous parts, you know that the Registry Editor works only with live systems and can\u2019t load exported hives, so keep that in the back of your mind.<\/p>

When you need that offline functionality, you can use some of the following tools.<\/p>

\u00a0<\/p>

Zimmerman\u2019s Registry Explorer<\/h4>

\u00a0<\/p>

The author of this tool has created a bunch of tools that can be extremely handy for performing Digital Forensics. (Check out the stuff here<\/a>)<\/p>

One of those tools is his Registry Explorer<\/em>. Registry Explorer has the ability to load multiple hives at the same time, while it can also use\/add data from the transaction logs into the hive, enriching it with more accurate data. It also has the Bookmarks <\/em>functionality which will contain forensically valuable keys. You can use the bookmarks to immediately pull up some interesting keys and\/or values.<\/p>

<\/p>

Above, I just loaded one hive (SYSTEM) from my live system, and I already have 31 recommendations (bookmarks) from Registry Explorer. As a very simple demo, when I switch over to that tab, I can immediately glean some interesting information. For example, I can immediately pick up the hostname of the device.<\/p>

<\/p>

I filtered out the bookmarks here, showing only the Device Name. As you can see, you even have a small window below with the category, name, path, and description of the key.<\/p>

On the righthand side of this view, I can see my hostname.<\/p>

<\/p>

Under Data, I can see the name of my device \u2013 4w.<\/p>

I will circle back to the Registry Explorer, but let me briefly introduce another tool, for the sake of your awareness.<\/p>

\u00a0<\/p>

RegRipper<\/h4>

\u00a0<\/p>

A useful utility that can take the have as input and spit out a report which will try to extract data from (forensically) important keys\/values within that specific hive. However, note that RegRipper doesn\u2019t take transaction logs into consideration, which is also stated it in the repo\u2019s readme file:<\/p>

This tool does NOT automatically process hive transaction logs. If you need to incorporate data from hive transaction logs into your analysis, consider merging the data via Maxim Suhanov’s yarp + registryFlush.py, or via Eric Zimmerman’s rla.exe which is included in Eric’s Registry Explorer\/RECmd.<\/em><\/p>

Luckily, you can use the Registry Explorer for this.<\/p>

\u00a0<\/p>

SYSTEM \u2013 Registry Explorer<\/h4>

<\/p>

As you can see, Registry Explorer will even give you the ControlSet \u2013 Control Set is basically the hive that keeps the device configuration data that\u2019s used for the control of the system startup.<\/p>

From the image above, Registry Explorer apparently has some knowledge about the USB devices I\u2019ve been plugging in these days\u2026<\/p>

Let\u2019s check it out.<\/p>

<\/p>

The first USB device on the list is an external DVD\/Optical drive that I plugged in to transfer some stuff from a CD. (don\u2019t @ me please, they still have some uses \ud83d\ude0a)<\/p>

And, as you can see, I\u2019ve also plugged in four different USB devices, two of them being Kingston made flash drives. All with the timestamps, etc. (I really did this, as I was transferring\/cleaning up some old stuff.)<\/p>

All this goes to show how simple and useful the Bookmarks option that Registry Explorer has can be.<\/p>

\u00a0<\/p>

Specific Registry Keys<\/h4>

\u00a0<\/p>

Here, I\u2019d like to mention some specific keys\/values that might be of interest to you. This can pertain to system, recently used apps, or even a user. That doesn\u2019t matter.<\/p>

\u00a0<\/p>

OS Version<\/h4>

\u00a0<\/p>

For the OS version, I just view the SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion<\/strong> key.<\/p>

From Registry Explorer, one could ascertain that the device I\u2019m doing this demo from is running Windows 11 Pro.<\/p>

<\/p>

Current Control Set<\/h4>

\u00a0<\/p>

As I mentioned before, this hive will have the device config data that is used for the control of the system startup. There are (usually) two sets \u2013 ControlSet001 and ControlSet002, within the SYSTEM hive.<\/p>

Generally, ControlSet001 points to the Control Set your device used to boot. ControlSet002 will be what\u2019s known as last known good <\/em>config.<\/p>

They can be found at SYSTEM\\ControlSet001 and SYSTEM\\ControlSet002.<\/p>

Do note that there\u2019s also a volatile Control Set, created by Windows, when the device is live, and it\u2019s called CurrentControlSet \u2013 location: HKLM\\SYSTEM\\CurrentControlSet.<\/p>

<\/p>

This is an important hive, and the one you will probably end up referring to for the most part of your investigation.<\/p>

In the screenshot above I checked the SYSTEM\\Select and within I\u2019ve found the last known good entry which tells me that the ControlSet001 holds the last known good config.<\/p>

SYSTEM\\Select\\LastKnownGood \u2013 key that will hold the last known good config, regarding the Control Sets.<\/p>

\u00a0<\/p>

Computer Name<\/h4>

\u00a0<\/p>

This one is always important during the investigation, and you will look it up by checking the<\/p>

SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName<\/code><\/pre>
<\/p>
From Registry Explorer. On the righthand side of the app, you\u2019ll see the keys and their values\/data.<\/p>
Timezone Information<\/h4>
\u00a0<\/p>
This one is usually used to figure out the time zone of the device i.e., where it is located. It can help you figure out that timeline of events, which is of great importance to you \u2013 the investigator!<\/p>
You would want to start here:<\/p>
SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation<\/code><\/pre>
\u00a0<\/p>
Devices<\/h4>
\u00a0<\/p>
This is all about tracking the USB devices that were plugged into the system. It will usually contain the vendor id, version of the USB device, and product id. This is cool as it can help you to identify devices themselves. These locations will also store timestamps for the devices that were plugged in.<\/p>
\u00a0\nSYSTEM\\CurrentControlSet\\Enum\\USBSTOR\nSYSTEM\\CurrentControlSet\\Enum\\USB<\/code><\/pre>
\u00a0<\/p>
(I already added this screenshot above, where I mentioned the USB I recently plugged in)<\/p>
It\u2019s also important to know when this USB was plugged in for the first and last time, and you can find that out by checking the<\/p>
SYSTEM\\<CurrentControlSet>\\Enum\\USBSTOR\\<vendor_prod_version>\\<serial>\\Properties\\<some_GUID>\\<value><\/code><\/pre>
The values you are interested in are \u2013 0064, 0066, and 0067. 64 is the first connection time, 66 last connection time, and 67 the last removal time.<\/p>
\u00a0<\/p>
It would look something like this:<\/p>
<\/p>
And, on the right hand side, I can see the timestamp associated with my Kingston USB that I\u2019ve used.<\/p>
For 0067 \u2013 when I removed the USB device:<\/p>
<\/p>
It was on 28th of August, at 17:05. (Which I know is true)<\/p>
<\/p>
Note that Registry Explorer already parses this data, and you can get it if you select the USBSTOR key.<\/p>
\u00a0<\/p>
USB Name<\/h4>
\u00a0<\/p>
The name of the plugged in USB can be found here:<\/p>
\u00a0<\/p>
SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices<\/code><\/pre>
<\/p>
<\/p>
Under data, an investigator would figure out that the USB I used to be named \u2013 GADFLY.<\/p>
\u00a0<\/p>
Conclusion<\/h3>
\u00a0<\/p>
And there you have it! More registry stuff. I\u2019ve been focusing a bit more on the tooling, as it can really save you a lot of time and trouble. But, I will (sometime in the near future) also make a \u2018compilation\u2019 of sorts, regarding more of these interesting keys. Even though I covered some here, there\u2019s a lot more stuff that will be of interest to an investigator.<\/p>
Stay tuned!<\/p>
Cover image by Immo Wegmann<\/a><\/p>
#registry_forensics #windows #registry_explorer #regripper<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t
About Version 2 Digital<\/h3>
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n

\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
<\/p>\n
About VRX<\/b>
VRX <\/b>is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"
Intro \u00a0 Continuing where I left off, I will look at som […]<\/p>\n","protected":false},"author":143524195,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[476,488,61],"tags":[477,489],"class_list":["post-57809","post","type-post","status-publish","format-standard","hentry","category-vrx","category-488","category-press-release","tag-vrx","tag-489"],"acf":[],"yoast_head":"\nWindows Registry Forensics \u2013 pt. 3 - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3\" \/>\n<meta property=\"og:locale\" content=\"zh_HK\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Windows Registry Forensics \u2013 pt. 3 - Version 2\" \/>\n<meta property=\"og:description\" content=\"Intro \u00a0 Continuing where I left off, I will look at som […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2022-09-01T09:42:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-29T09:41:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max\" \/>\n<meta name=\"author\" content=\"version2hk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"version2hk\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u8a08\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/09\\\/windows-registry-forensics-pt-3\\\/\"},\"author\":{\"name\":\"version2hk\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\"},\"headline\":\"Windows Registry Forensics \u2013 pt. 3\",\"datePublished\":\"2022-09-01T09:42:45+00:00\",\"dateModified\":\"2022-09-29T09:41:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/09\\\/windows-registry-forensics-pt-3\\\/\"},\"wordCount\":1212,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max\",\"keywords\":[\"vRx\",\"2022\"],\"articleSection\":[\"vRx\",\"2022\",\"Press Release\"],\"inLanguage\":\"zh-HK\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/09\\\/windows-registry-forensics-pt-3\\\/\",\"url\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3\",\"name\":\"Windows Registry Forensics \u2013 pt. 3 - Version 2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max\",\"datePublished\":\"2022-09-01T09:42:45+00:00\",\"dateModified\":\"2022-09-29T09:41:10+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3#breadcrumb\"},\"inLanguage\":\"zh-HK\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3#primaryimage\",\"url\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max\",\"contentUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/windows-registry-forensics-pt-3#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Windows Registry Forensics \u2013 pt. 3\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-HK\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\",\"name\":\"version2hk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"caption\":\"version2hk\"},\"sameAs\":[\"http:\\\/\\\/version2xfortcom.wordpress.com\"],\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/author\\\/version2hk\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Windows Registry Forensics \u2013 pt. 3 - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3","og_locale":"zh_HK","og_type":"article","og_title":"Windows Registry Forensics \u2013 pt. 3 - Version 2","og_description":"Intro \u00a0 Continuing where I left off, I will look at som […]","og_url":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3","og_site_name":"Version 2","article_published_time":"2022-09-01T09:42:45+00:00","article_modified_time":"2022-09-29T09:41:10+00:00","og_image":[{"url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max","type":"","width":"","height":""}],"author":"version2hk","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"version2hk","\u9810\u8a08\u95b1\u8b80\u6642\u9593":"10 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3#article","isPartOf":{"@id":"https:\/\/version-2.com\/2022\/09\/windows-registry-forensics-pt-3\/"},"author":{"name":"version2hk","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/d14d2d3cd77ffdb618b9f1330fe084db"},"headline":"Windows Registry Forensics \u2013 pt. 3","datePublished":"2022-09-01T09:42:45+00:00","dateModified":"2022-09-29T09:41:10+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2022\/09\/windows-registry-forensics-pt-3\/"},"wordCount":1212,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max","keywords":["vRx","2022"],"articleSection":["vRx","2022","Press Release"],"inLanguage":"zh-HK"},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2022\/09\/windows-registry-forensics-pt-3\/","url":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3","name":"Windows Registry Forensics \u2013 pt. 3 - Version 2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3#primaryimage"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max","datePublished":"2022-09-01T09:42:45+00:00","dateModified":"2022-09-29T09:41:10+00:00","breadcrumb":{"@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3#breadcrumb"},"inLanguage":"zh-HK","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3"]}]},{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3#primaryimage","url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max","contentUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl7j7tlfd02ep0kpc5gf2ah08.jpg?tr=w-1800,c-at_max"},{"@type":"BreadcrumbList","@id":"https:\/\/www.vicarius.io\/blog\/windows-registry-forensics-pt-3#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/"},{"@type":"ListItem","position":2,"name":"Windows Registry Forensics \u2013 pt. 3"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-HK"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/d14d2d3cd77ffdb618b9f1330fe084db","name":"version2hk","image":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","caption":"version2hk"},"sameAs":["http:\/\/version2xfortcom.wordpress.com"],"url":"https:\/\/version-2.com\/zh\/author\/version2hk\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-f2p","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/57809","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/users\/143524195"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/comments?post=57809"}],"version-history":[{"count":4,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/57809\/revisions"}],"predecessor-version":[{"id":57813,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/57809\/revisions\/57813"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/media?parent=57809"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/categories?post=57809"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/tags?post=57809"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}