The Windows Registry maintains a great deal of information regarding system configuration, user activity and so on. Installed Programs artifact is among the useful artifacts extracted from the registry hives. The artifact contains details about the applications installed on the system.
Installed Programs artifact retain information such as the name of the installed application, version, size, publisher, date when the application was last installed or updated, location of the application's executable and many other details related to the applications installed on the system. Retrieving such information may have a significant impact on forensic examinations.
Installed Programs artifact is extracted from the SOFTWARE registry hive at the following locations:
The NTUSER.DAT hive also stores information related to the applications installed on the system at:
The Uninstall key contains information related to the applications installed on the system. As demonstrated
in the figure below, each application installed has its own key. The values within each subkey contains
detailed information about that application such as the name of the installed application, version, size,
and so on.
This section discusses how to use ArtiFast Windows to analyze Installed Programs artifact from Windows
machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase,
you can select Installed Programs artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Installed Programs artifact in ArtiFast Windows.
Installed Programs Artifact
This artifact contains information related to the
applications installed on a system. The details you can view include:
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com