Key Considerations for ScreenSharing

  • User vs. System Actions: Not every Registry change is malicious or even user-initiated; Windows and installed software rewrite many keys on their own. Correlate a key's LastWriteTime with other artifacts (Prefetch, the USN Journal, Event Logs) to establish what was running on the system at that moment, and look for evidence of manual editing, such as regedit.exe or reg.exe execution (Prefetch, UserAssist, process-creation events) shortly before the write.

  • Permissions: Modifying HKLM normally requires administrator privileges, so a write there implies an elevated process or an account in the local Administrators group. HKCU is per user and writable by that user's own processes, so changes in it are attributable to the specific account whose hive (NTUSER.DAT) you are examining.

  • Timestamps: Only keys carry a timestamp; individual values have none. A key's Last Write Time is updated when a value in that key is added, changed or deleted, or when a direct subkey is created or deleted, so it tells you when the key last changed, not which value changed. For a key holding many values (a Run key, for example) the timestamp reflects only the most recent modification; the times of earlier changes to other values are not preserved.

  • Deleted Values/Keys: Deleted keys and values can often be recovered from unallocated space and slack within the hive; Registry Explorer surfaces them. Deleted entries in BAM, UserAssist or OpenSavePidlMRU are a strong indicator of deliberate evidence clearing or tampering, but confirm before concluding: MRU lists drop old entries as new ones arrive, so check whether the deletion fits normal rotation and whether a registry editor or cleaning tool ran around the key's Last Write Time.
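
As an added example (not code from the original page), the correlation step described in the first bullet written out in Python: each key's LastWriteTime is matched against Prefetch, USN Journal and Event Log records within a time window, the privilege level implied by the hive root is noted, and any regedit.exe/reg.exe execution inside the window is flagged as manual-edit evidence. The record fields, the five-minute window and all sample timestamps below are constructed assumptions, not data from a real system.

```python
"""Correlate Registry key LastWrite times with Prefetch, USN Journal and
Event Log timestamps and flag writes that coincide with regedit.exe/reg.exe.

Added illustration, not part of the original page. The record layout,
the five-minute window and every sample record below are assumptions;
the timestamps are constructed, not taken from a real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Executables whose execution near a key write suggests a manual edit.
MANUAL_EDITORS = {"regedit.exe", "reg.exe"}


@dataclass(frozen=True)
class KeyWrite:
    path: str             # full key path, e.g. HKLM\SOFTWARE\...\Run
    last_write: datetime  # key LastWriteTime (UTC); values carry no timestamp


@dataclass(frozen=True)
class Event:
    ts: datetime      # UTC timestamp of the corroborating artifact
    source: str       # "prefetch", "usnjrnl" or "evtx" (assumed labels)
    detail: str       # free-text description of the record
    image: str = ""   # executable name, when the record concerns a process


def required_privilege(key_path: str) -> str:
    """HKLM writes need admin rights; HKCU is writable by the hive's owner."""
    root = key_path.split("\\", 1)[0].upper()
    if root == "HKLM":
        return "administrator"
    if root == "HKCU":
        return "user"
    return "unknown"


def correlate(keys, events, window=timedelta(minutes=5)):
    """For each key write, collect events within +/- window (sorted by time)
    and list those that show a registry editor running in that window."""
    report = []
    for key in keys:
        nearby = sorted(
            (e for e in events if abs(e.ts - key.last_write) <= window),
            key=lambda e: e.ts,
        )
        manual = [e for e in nearby if e.image.lower() in MANUAL_EDITORS]
        report.append({
            "key": key.path,
            "last_write": key.last_write,
            "privilege_needed": required_privilege(key.path),
            "nearby_events": nearby,
            "manual_edit_evidence": manual,
        })
    return report


def _ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data: one HKLM persistence key and one HKCU MRU key.
SAMPLE_KEYS = [
    KeyWrite(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             _ts("2024-03-05T14:02:10")),
    KeyWrite(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"
             r"\ComDlg32\OpenSavePidlMRU",
             _ts("2024-03-05T09:30:00")),
]

# Constructed artifacts; Prefetch hashes and paths are made up.
SAMPLE_EVENTS = [
    Event(_ts("2024-03-05T14:01:44"), "evtx",
          "EventID 4688 process creation", image="regedit.exe"),
    Event(_ts("2024-03-05T14:01:45"), "prefetch",
          "REGEDIT.EXE-0F1A2B3C.pf last run", image="regedit.exe"),
    Event(_ts("2024-03-05T14:00:50"), "usnjrnl",
          r"FILE_CREATE C:\Users\alice\Downloads\updater.exe"),
    Event(_ts("2024-03-05T09:29:50"), "prefetch",
          "WINWORD.EXE-4D5E6F70.pf last run", image="winword.exe"),
    Event(_ts("2024-03-05T08:00:00"), "evtx",
          "EventID 4624 logon alice"),
]


if __name__ == "__main__":
    for entry in correlate(SAMPLE_KEYS, SAMPLE_EVENTS):
        print(f"{entry['key']}  written {entry['last_write']:%Y-%m-%d %H:%M:%S}Z "
              f"(needs {entry['privilege_needed']})")
        for e in entry["nearby_events"]:
            flag = "  <-- registry editor" if e in entry["manual_edit_evidence"] else ""
            print(f"    {e.ts:%H:%M:%S} {e.source:8} {e.detail}{flag}")
```

In the sample, the Run key write is preceded within a minute by a 4688 event and a Prefetch last-run for regedit.exe plus a USN Journal create of a new executable, which is the pattern of a hand-made persistence entry; the OpenSavePidlMRU write coincides only with a Word run, which is ordinary use of the Open/Save dialog. Adjust the window to the clock resolution of the artifacts you have, and remember that a match shows co-occurrence, not proof of which value the editor touched.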
