I'm curious as to what sort of information analysts and in particular LEOs are looking for in a Windows Registry reference.
Sticking to just 2K+ (including XP and 2K3), I'd like to know:

1. What are LEOs and analysts looking for? What format is easiest to use? Spreadsheet? Database?

2. What kinds of things do you want to know about the keys? Where they come from? How/when they're created/updated?

3. Besides MS keys, what other applications are of interest?

4. What references do you use already? Are you maintaining a local list? Do you access online references (if so, can you share the links/URLs)? How credible are your references?

I think that there's a need for consolidation, testing/analysis (to verify and establish credibility), and a way to make it available to everyone who needs it. Perhaps a way to do this would be to have a central location, maintained by one person (or a small group) with requirements for submissions and updates. That way, the list could be available to all, with at least some assurance that a process is followed and updates aren't made lightly.

Thoughts? Submissions?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
