Showing newest posts with label registry.

Monday, November 24, 2008

Saved Password Locations

Many people ask me about the location in the Registry or file system where applications store their passwords. So I prepared a list of password storage locations for popular applications.
Be aware that even if you know the location of the saved password, it doesn't mean that you can move it from one computer to another. Many applications store the passwords in a way that prevents you from moving them to another computer or user profile.

Read more from NirBlog

Wednesday, November 12, 2008

More Deleted Keys Goodness!

Something to watch for...
While we're on the subject of the Registry, a good friend of mine contacted me last week with an issue. Apparently, he was working on an examination in which a key factor of the case was determining if and when the user had uninstalled Firefox. According to him, "...install and uninstall dates of programs are of great interest. This will also show destruction of evidence and add additional charges to cases. It also increases sentences sometimes by 2x." To help him out, I wrote a plugin that would parse the default browser information from the Registry, but then I compiled the (as-yet-unreleased, still-private, not-even-in-beta) ripxp code, which he used, and he said that it worked like a champ!
Read more from Windows Incident Response

Saturday, November 1, 2008

Shellbags Registry Forensics

Apparently the Windows registry keeps track of the display size of a folder window across different sessions. This information is stored in the registry, and is not cleaned up when the associated folders are deleted.

Is anybody drooling yet?

Even better, it keeps these values for folders that reside on external storage! Ever wanted to know what the folder structure looked like on a suspect’s USB stick that you never obtained? Read on!

The data is stored as binary blobs under the following registry keys:

  • HKCU\Software\Microsoft\Windows\Shell\BagMRU
  • HKCU\Software\Microsoft\Windows\Shell\Bags
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags
Read More from SANS Forensic Blog