Registry: MUICache




Artifact Name
MUICache


Artifact/Program Version
Windows


Description
According to Nirsoft.net, “each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the ‘MuiCache’.”
This key is similar to the UserAssist key in that it shows you programs that have been run on the system. This key is useful when looking for evidence of malware, virtualization, or “evidence cleaning” programs.
Please see the additional description from “Windows Forensic Analysis” in the first Research Link.


Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
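
An added triage example (not from the original page or from any of the tools listed): it parses the text of a `reg export` of the two keys above and lists the executable paths recorded there. The sample export is constructed. The `.FriendlyAppName`/`.ApplicationCompany` value-name suffixes, the skipped `@...` and `LangID` values, and the `REVIEW_HINTS` path fragments are assumptions that do not appear on the page.

```python
import re

# Both key paths from the page (lower-cased), matched as section-name suffixes.
MUICACHE_KEYS = (
    r"software\microsoft\windows\shellnoroam\muicache",
    r"software\classes\local settings\software\microsoft\windows\shell\muicache",
)
# Assumption: suffixes newer Windows versions append to the executable path.
SUFFIXES = (".FriendlyAppName", ".ApplicationCompany")
# Assumption: path fragments chosen here as triage hints, not a vetted list.
REVIEW_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\")
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_muicache(reg_text):
    """Return (exe_path, field, data) for each program entry under a MUICache key."""
    rows, in_key = [], False
    for line in map(str.strip, reg_text.splitlines()):
        section = SECTION.match(line)
        if section:
            in_key = section.group(1).lower().endswith(MUICACHE_KEYS)
            continue
        value = STRING_VALUE.match(line) if in_key else None
        if not value:
            continue  # outside MUICache, or not a string value (e.g. hex data)
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())  # undo .reg escaping
        if name.startswith("@") or name == "LangID":
            continue  # resource-string references and the language marker
        field = "AppName"  # older key: value name is the bare executable path
        for suffix in SUFFIXES:
            if name.endswith(suffix):
                name, field = name[: -len(suffix)], suffix[1:]
        rows.append((name, field, data))
    return rows

def needs_review(exe_path):
    return any(hint in exe_path.lower() for hint in REVIEW_HINTS)
# Constructed sample in `reg export` text form (real exports are UTF-16 files).
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"LangID"=hex:09,04
"@C:\\Windows\\system32\\shell32.dll,-10152"="File Explorer"
"C:\\Program Files\\Example\\editor.exe.FriendlyAppName"="Example Editor"
"C:\\Users\\alice\\AppData\\Local\\Temp\\wiper.exe.FriendlyAppName"="Disk Wiper"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Tools\\vmhost.exe"="Example VM Host"
'''
if __name__ == "__main__":
    for path, field, data in parse_muicache(SAMPLE):
        print("REVIEW" if needs_review(path) else "ok    ", path, field, data)
```

An entry here shows that the program was recorded for this user even if the executable has since been deleted, so compare the listed paths against what is still on disk.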


Research Links
- Google Book Preview – Windows Forensic Analysis
- http://windowsir.blogspot.com/2005/12/mystery-of-muicachesolved.html


Forensic Programs of Use
- http://www.nirsoft.net/utils/muicache_view.html
- http://regripper.net






Reposted from http://forensicartifacts.com/2010/08/registry-muicache/
