Windows AutoRun Items are registry-based entries and related startup
mechanisms used by Windows and installed applications to load components
automatically. These entries may reference executable files, DLLs, shell
extensions, credential providers, handlers, and other components that
are started or made available when specific system or user activity
occurs.
Windows AutoRun Items can be a valuable source of persistence and
execution evidence during Windows investigations. The artifacts left by
AutoRun entries may contain file names, file paths, registry key
timestamps, command values, startup trigger conditions, item types, and
related metadata. These elements can be used to identify programs or
components configured to run automatically, review possible persistence
mechanisms, correlate registry activity with file-system evidence, and
highlight suspicious entries that may require further malware or
incident response analysis.
Windows AutoRun Items artifacts can be found at the following
location:
/Windows/System32/config/SOFTWARE
The SOFTWARE registry hive is used by Windows to store system-wide
configuration data, including registry keys that may reference AutoRun
items and related startup components.
This section will discuss how to use ArtiFast to extract Windows AutoRun
Items artifacts from a Windows machine's files and what kind of digital
forensics insights can be gained from them.
After a case has been created and evidence has been added for the
investigation, at the Artifact Selection phase, the Windows AutoRun
Items artifact parser can be selected:
Once the ArtiFast parser plugins have finished processing the artifact, it can be reviewed in Artifact View or Timeline View, with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows AutoRun Items artifact in ArtiFast.
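As an added illustration of what an examiner does with the fields described above (key path, value name, command value, item type and key LastWrite timestamp), the following Python example triages a set of AutoRun entries and orders them by key timestamp for timeline correlation. It is example code written for this page, not ArtiFast's parser; the entries, the environment-variable mapping and the "user-writable location" list are constructed assumptions, and a real case would take them from the parsed SOFTWARE hive and the host's own configuration.

```python
"""Triage of Windows AutoRun entries in the shape a SOFTWARE-hive parser emits.

Example code added for illustration (not ArtiFast's code). All sample data is
constructed; the environment mapping stands in for the offline host's values.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed expansion table for an offline hive (constructed for the example).
ENV = {
    "systemroot": r"C:\Windows",
    "windir": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "programdata": r"C:\ProgramData",
}

# Locations any local user can write to; an autorun target here merits review.
USER_WRITABLE = (r"c:\users\public", r"\appdata\local\temp",
                 r"c:\windows\temp", r"c:\programdata")
# Built-in host processes that can be used to start something else from a value.
PROXY_LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe"}
EXEC_EXT = (".exe", ".dll", ".cmd", ".bat", ".com", ".vbs", ".js", ".ps1",
            ".hta", ".scr")
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")


@dataclass
class AutoRunEntry:
    key_path: str
    value_name: str
    command: str
    last_write: datetime      # LastWrite time of the registry key
    item_type: str = "Run"


def expand_env(text: str) -> str:
    """Expand %VAR% using the offline mapping; unknown variables are left intact."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), text)


def split_command(command: str) -> Tuple[str, str]:
    """Split a command value into (executable path, arguments).

    A quoted path is honoured as-is. For an unquoted path the tokens are
    joined until the prefix ends in an executable extension, so paths with
    spaces such as C:\\Program Files\\... are kept whole.
    """
    cmd = expand_env(command.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    tokens = cmd.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate, " ".join(tokens[i:])
    return (tokens[0] if tokens else ""), " ".join(tokens[1:])


def triage(entry: AutoRunEntry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list: none found)."""
    exe, args = split_command(entry.command)
    name = exe.lower().rsplit("\\", 1)[-1]
    reasons = []
    proxied = name in PROXY_LAUNCHERS
    # For a proxy launcher the real payload is named in the arguments.
    target = args if proxied else exe
    if proxied:
        reasons.append(f"started through built-in host process {name}")
    if any(marker in target.lower() for marker in USER_WRITABLE):
        reasons.append(f"target in user-writable location: {target}")
    if not proxied and exe.lower().endswith(SCRIPT_EXT):
        reasons.append(f"script rather than executable: {exe}")
    return reasons


def flagged_entries(entries: List[AutoRunEntry]) -> Dict[str, List[str]]:
    """Map value name -> reasons for every entry that produced at least one reason."""
    return {e.value_name: triage(e) for e in entries if triage(e)}


def timeline(entries: List[AutoRunEntry]) -> List[AutoRunEntry]:
    """Order entries by key LastWrite time for correlation with file-system evidence."""
    return sorted(entries, key=lambda e: e.last_write)


# Constructed sample entries in the shape a parser would emit from the SOFTWARE hive.
SAMPLE = [
    AutoRunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                 r"%windir%\system32\SecurityHealthSystray.exe",
                 datetime(2023, 3, 14, 9, 0, tzinfo=timezone.utc)),
    AutoRunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "VendorCleanup",
                 r"C:\Program Files\Vendor\setup.exe /cleanup",
                 datetime(2023, 5, 2, 17, 45, tzinfo=timezone.utc), "RunOnce"),
    AutoRunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
                 r'"C:\Users\Public\update.exe" /silent',
                 datetime(2023, 9, 30, 2, 13, tzinfo=timezone.utc)),
    AutoRunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Helper",
                 r"rundll32.exe C:\ProgramData\helper.dll,Start",
                 datetime(2023, 9, 30, 2, 14, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for e in timeline(SAMPLE):
        flags = "; ".join(triage(e)) or "-"
        print(f"{e.last_write:%Y-%m-%d %H:%M}  {e.item_type:<8} {e.value_name:<15} {flags}")
```

The two entries written a minute apart at an unusual hour are the ones that get flagged, which is the kind of pattern the Timeline View makes visible: the key LastWrite times give a window to search in file-system evidence for the creation of the referenced files.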
AutoRun Items
For more information or suggestions please contact: asli.beyhan@forensafe.com