The material published here is part of the base material used to build the classes, exercises and exam of the course "Forense em Windows" (Windows Forensics) in the Master's programme in Forensic Informatics at UnB.
Books:
I - Windows Forensic Analysis v2, Harlan Carvey
Chapter 3 – Windows Memory Analysis, Chapter 4 – Registry Analysis
II - EnCE – The Official Encase Certified Examiner Study Guide, 2nd Edition, Steve Bunting
Chapters 3 – First Response, 9 – Windows Operating System Artifacts and 10 – Advanced Windows - Registry
III - Malware Forensics – Investigating and Analyzing Malicious Code, James Aquilina, Eoghan Casey, Cameron Malin
Chapters 3 – Memory Forensics: Analyzing Physical and Process Memory Dumps and 9 – Analysis of a Suspect Program
IV – Microsoft Windows Registry Guide, 2nd Edition
V - The book "Registry Forensics", at the time not yet published, by Harlan Carvey <= Update: published in Jan/2011 - http://www.amazon.com/Windows-Registry-Forensics-Advanced-Forensic/dp/1597495808
Papers / Documentation:
“Inside the Registry” Windows NT Magazine – Mark Russinovich
Windows 7 UserAssist Registry Keys - Didier Stevens: Into The Boxes Magazine.
Guide To Profiling USB Device Thumbdrives and Drive Enclosure on Win7, Vista, and XP http://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf
RegRipper Documentation - http://regripper.net/RR/Documents/Documents.zip - Registry Reference; Deleted Apps; ACMRU; Windows Forensic Analysis - RegRipper version 2.02 Cheat Sheet; Registry Quick Find Chart; Registry Offset; UserAssist Registry Key
Forensic Analysis of the Windows Registry in Memory - Brendan Dolan-Gavitt: http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf
Recovering Deleted Data From the Windows Registry - Timothy Morgan: http://www.dfrws.org/2008/proceedings/p33-morgan.pdf
Forensic Analysis of Unallocated Space in Windows Registry Hive Files – Jolanta Thomassen (University of Liverpool)
Tools:
1) Virtual Machines:
2) Free/GPL tools:
2.1 - FTKImager - http://www.accessdata.com/downloads.html#FTKImager
2.2 - Process Monitor - Sysinternals - http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
2.6 – Registry Summary Report Files - AccessData: http://www.accessdata.com/downloads/rsrfiles/AllRSRFiles.zip
3) Commercial tools:
3.1 – AccessData FTK 3.1 + Registry Viewer – http://www.accessdata.com
3.2 – EnCase Forensics 6.17 – http://www.guidancesoftware.com
UserAssist Decoder V3.3 EnScript - https://support.guidancesoftware.com/forum/downloads.php?do=file&id=832 (requires access to Guidance support)
Registry Examiner EnPack - https://support.guidancesoftware.com/forum/downloads.php?do=file&id=752 (requires access to Guidance support)