Select the partition that contains the operating system files (i.e. Documents and Settings, WINDOWS). This is usually hda1.

This will locate and open the registry files and internet history files from the suspect computer.

LHF fields

Step 3 Reporting - Once you have loaded a registry file or internet history file, you can create a report of findings.
1: By selecting the registry hive(s) or internet history file(s), you choose to report only on items in that registry or history file.
2: Selecting the checked field will generate a report on any key from the filter list that contains entries.
3: The Build Report option. Once you have selected the registry or history file of interest and the keys you wish to report on, select the Build Report option to create a report.
In the example above we have chosen to list only keys that are in the SYSTEM registry file. This would not list any keys that are in NTUSER.dat, even if they were selected.

Once you select Build Report, LHF will search the registry file for any keys from the filter list that have values associated with them. Keys that are blank will not be reported on.

The report lists the keys that contain values that were checked.
Report of internet history
Creating an internet history report will not use the registry filter unless a registry hive has been selected to be included in the report.

Selecting two internet history files from the suspect computer: users Administrator and Peter.FORENSIC1.

1. Select the location to save the report. Reports can be saved as HTML or CSV.

2. Case notes saved in the reports

3. Reports Tab. Choose to view the Registry or Internet history reports.
Adding custom filters (useful for license audits)

Select the + sign to add a new key to search and report on.

Add the details of the registry key.
In the example above we have added the key for identifying the USBSTOR information.
The file the key will be in: SYSTEM
The key location: ControlSet001\Enum\USBSTOR
Filter method: All subkeys and values
The description: All plugged in USB devices.

1. Select the SYSTEM registry key.
2. Select only the key we added.
3. Select Build Report.

The resultant report on the USBSTOR key
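
The filter behaviour described above (only selected hives are searched, blank keys are skipped, and "All subkeys and values" walks everything beneath the key location), sketched as an added Python example that is not LHF's own code. The hive contents, the NTUSER.DAT key and the function names are constructed for illustration; the `Disk&Ven_...&Prod_...&Rev_...` layout is the standard Windows naming of USBSTOR subkeys.

```python
# Added example, not LHF code: models the filter-list behaviour the page describes.
import re

# Constructed sample hives: key path -> {value name: data}. Not real evidence.
HIVES = {
    "SYSTEM": {
        r"ControlSet001\Enum\USBSTOR": {},
        r"ControlSet001\Enum\USBSTOR\Disk&Ven_Acme&Prod_FlashDrive&Rev_1.00": {},
        r"ControlSet001\Enum\USBSTOR\Disk&Ven_Acme&Prod_FlashDrive&Rev_1.00\SERIAL0001&0":
            {"FriendlyName": "Acme FlashDrive USB Device"},
        r"ControlSet001\Services\Tcpip\Parameters": {"Hostname": "FORENSIC1"},
    },
    "NTUSER.DAT": {r"Software\Example\RecentDocs": {"0": "notes.txt"}},
}

# Filter list entries: (hive file, key location, filter method, description).
FILTERS = [
    ("SYSTEM", r"ControlSet001\Enum\USBSTOR", "All subkeys and values",
     "All plugged in USB devices."),
    ("NTUSER.DAT", r"Software\Example\RecentDocs", "All subkeys and values",
     "Hypothetical user key"),
]

DEVICE_ID = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")

def build_report(selected_hives, checked_filters):
    """Return rows for checked filter keys that hold values in the selected hives."""
    rows = []
    for hive, location, method, description in checked_filters:
        if hive not in selected_hives:   # key is checked, but its hive was not selected
            continue
        prefix = location.lower()        # registry key names are case-insensitive
        for path, values in HIVES[hive].items():
            p = path.lower()
            # Assumption: any other filter method matches the key itself only.
            in_scope = p == prefix or (method == "All subkeys and values"
                                       and p.startswith(prefix + "\\"))
            if in_scope and values:      # blank keys are not reported
                rows.append((hive, path, dict(values), description))
    return rows

def parse_usbstor_path(path):
    """Split a USBSTOR instance path into device fields and the instance ID."""
    device, instance = path.split("\\")[-2:]
    m = DEVICE_ID.match(device)
    return {**m.groupdict(), "instance": instance} if m else None
```
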

Other filter commands
Open registry or internet history from a file
Sometimes all you have is an extracted registry or internet history file (i.e. extracted from an AccessData FTK case).

Select the Open registry from a file option
 
Select the location of the registry file.

You will be asked to enter a name to identify the registry, normally the suspect's name.

This will add the registry file to LHF. Using the Build Report button, you can now report on the registry entries.

The resultant report.
Creating custom filter sets