Author Name
Corey Harrell
Artifact Name
UserInfo
Artifact/Program Version
Windows Registry
Description
Microsoft Office documents contain metadata that show when a file was
created, modified, and user names. The user names in Microsoft Office
documents’ metadata is pulled from the UserInfo registry key of the
user account’s registry hive performing the actions. The values
responsible in the UserInfo registry are the UserName and Company
values.
The population of the data in the UserName and Company registry values
varies. The values are populated in the user account that installed
Microsoft Office with the user name and company entered during
installation. For the user accounts that are using Microsoft Office
but didn’t install it, the values are populated a little different.
The first time the user launches an Office application a dialog box
appears asking for the user name and initials. The information entered
in the dialog box is what results in the UserName value in the user’s
UserInfo registry key. The location of the UserInfo registry key
varies depending on the version of Microsoft Office installed on the
system.
Registry Keys
Microsoft Office 2007: HCU\Software\Microsoft\Office\Common\UserInfo
Microsoft Office 2003:
HCU\Software\Microsoft\Office\11.0\Common\UserInfo
Research Links
http://support.microsoft.com/kb/821550
http://journeyintoir.blogspot.com/2011/06/why-is-it-what-it-is.html
Forensic Programs of Use
Registry viewer such as the free MiTeC Windows Registry Recovery
轉自 http://forensicartifacts.com/2011/06/userinfo-windows/
Corey Harrell
Artifact Name
UserInfo
Artifact/Program Version
Windows Registry
Description
Microsoft Office documents contain metadata that show when a file was
created, modified, and user names. The user names in Microsoft Office
documents’ metadata is pulled from the UserInfo registry key of the
user account’s registry hive performing the actions. The values
responsible in the UserInfo registry are the UserName and Company
values.
The population of the data in the UserName and Company registry values
varies. The values are populated in the user account that installed
Microsoft Office with the user name and company entered during
installation. For the user accounts that are using Microsoft Office
but didn’t install it, the values are populated a little different.
The first time the user launches an Office application a dialog box
appears asking for the user name and initials. The information entered
in the dialog box is what results in the UserName value in the user’s
UserInfo registry key. The location of the UserInfo registry key
varies depending on the version of Microsoft Office installed on the
system.
Registry Keys
Microsoft Office 2007: HCU\Software\Microsoft\Office\Common\UserInfo
Microsoft Office 2003:
HCU\Software\Microsoft\Office\11.0\Common\UserInfo
Research Links
http://support.microsoft.com/kb/821550
http://journeyintoir.blogspot.com/2011/06/why-is-it-what-it-is.html
Forensic Programs of Use
Registry viewer such as the free MiTeC Windows Registry Recovery
轉自 http://forensicartifacts.com/2011/06/userinfo-windows/
0 意見: