Windows Registry TCP/IP forensics

Does anyone know of a way to find DNS entries and/or IP connection history within offline registry files?

I am trying to find some information on someone who gained remote access to a computer via social engineering and caused considerable damage.
btan (Exec Consultant) commented:
Assuming only the registry hives, then probably a couple of areas to check are:
a) software last run (what types of files or applications have been accessed on a particular system),
b) wireless connections (determine if a user connected to a specific wireless access point, the timeframe, and the IP address they were assigned by the DHCP server),
c) LAN PCs connected (determining whether or not a user was connected to certain computers or belonged to a specific LAN),
d) USB - to see whether or not a USB device has been connected to other Windows systems, which may lead to other possible areas where this device was reused, etc. (data exfiltration, etc.),
e) Web trails (use of P2P and browser)

Nice summary in pdf here too

Some useful tools such as Regdecoder and Regripper
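The areas btan lists map onto a handful of well-known keys in the SYSTEM, SOFTWARE and NTUSER.DAT hives. The script below is an added example, not code from the thread or from RegRipper: it mounts the offline hives with reg.exe and pulls (a) UserAssist program-run history, (b)/(c) the TCP/IP interface configuration and the NetworkList profiles with their last-connected times and gateway MACs, and (d) the USBSTOR device list. One caveat for the original question: the DNS resolver cache lives only in memory, so the hives will not give you a list of resolved names; what they do persist is the DHCP-assigned address, the DHCP and DNS servers in use, and the networks the machine joined. The case path `C:\case` and the mount names OffSYS/OffSW/OffUser are assumptions.

```powershell
# Added example, not from the thread: carve network and device history out of offline hives.
# Assumptions (hypothetical): SYSTEM, SOFTWARE and NTUSER.DAT were copied from the victim to
# C:\case\, and this runs in an elevated PowerShell 5.1+ session (reg.exe load needs admin).
# The mount names OffSYS / OffSW / OffUser are arbitrary.
$case = 'C:\case'

function ConvertFrom-SystemTime([byte[]]$b) {
    # NetworkList stores DateCreated/DateLastConnected as a 16-byte SYSTEMTIME (local time).
    if (-not $b -or $b.Length -lt 16) { return $null }
    $w = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($b, $_ * 2) }
    if ($w[0] -eq 0) { return $null }                 # all-zero timestamp
    [datetime]::new($w[0], $w[1], $w[3], $w[4], $w[5], $w[6])   # year, month, day, h, m, s
}

function ConvertFrom-Rot13([string]$s) {
    # UserAssist value names are ROT13-obfuscated program paths.
    -join ($s.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else { $_ }
    })
}

reg.exe load HKLM\OffSYS "$case\SYSTEM"     | Out-Null
reg.exe load HKLM\OffSW  "$case\SOFTWARE"   | Out-Null
reg.exe load HKU\OffUser "$case\NTUSER.DAT" | Out-Null
try {
    # Pick the ControlSet that was live at shutdown (Select\Current -> ControlSet001 etc.).
    $cs = 'HKLM:\OffSYS\ControlSet{0:D3}' -f (Get-ItemProperty 'HKLM:\OffSYS\Select').Current

    '== TCP/IP interfaces: address, DHCP server and DNS servers in use =='
    Get-ChildItem "$cs\Services\Tcpip\Parameters\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Interface  = $_.PSChildName
            IP         = if ($p.DhcpIPAddress) { $p.DhcpIPAddress } else { $p.IPAddress -join ',' }
            DhcpServer = $p.DhcpServer
            DNS        = if ($p.DhcpNameServer) { $p.DhcpNameServer } else { $p.NameServer }
            # LeaseObtainedTime is a DWORD of Unix-epoch seconds.
            Lease      = if ($p.LeaseObtainedTime) {
                             [DateTimeOffset]::FromUnixTimeSeconds($p.LeaseObtainedTime).UtcDateTime }
        }
    } | Format-Table -AutoSize

    '== Network profiles (wired / wireless / VPN) the machine has joined =='
    $nl   = 'HKLM:\OffSW\Microsoft\Windows NT\CurrentVersion\NetworkList'
    $sigs = Get-ChildItem "$nl\Signatures\Unmanaged" -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty $_.PSPath }
    Get-ChildItem "$nl\Profiles" | ForEach-Object {
        $p    = Get-ItemProperty $_.PSPath
        $guid = $_.PSChildName
        $sig  = $sigs | Where-Object { $_.ProfileGuid -eq $guid } | Select-Object -First 1
        [pscustomobject]@{
            Name          = $p.ProfileName
            Type          = switch ($p.NameType) { 6 {'Wired'} 23 {'VPN'} 71 {'Wireless'} default {$_} }
            Created       = ConvertFrom-SystemTime $p.DateCreated
            LastConnected = ConvertFrom-SystemTime $p.DateLastConnected
            GatewayMac    = if ($sig) { ($sig.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ':' }
        }
    } | Sort-Object LastConnected -Descending | Format-Table -AutoSize

    '== USB storage devices ever plugged in (Enum\USBSTOR; the serial ties a stick to other hosts) =='
    Get-ChildItem "$cs\Enum\USBSTOR" -ErrorAction SilentlyContinue | ForEach-Object {
        $dev = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{ Device = $dev; Serial = $_.PSChildName
                               FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName }
        }
    } | Format-Table -AutoSize

    '== UserAssist: GUI-launched programs with run count and last run (NTUSER.DAT) =='
    $ua = 'Registry::HKEY_USERS\OffUser\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    Get-ChildItem $ua | ForEach-Object {
        $count = Get-Item "$($_.PSPath)\Count"
        foreach ($name in $count.GetValueNames()) {
            $data = $count.GetValue($name)            # REG_BINARY
            # Win7+ layout: run count at offset 4, last-run FILETIME at offset 60 (72 bytes total).
            if ($data -is [byte[]] -and $data.Length -ge 68) {
                [pscustomobject]@{
                    Program = ConvertFrom-Rot13 $name
                    Runs    = [BitConverter]::ToUInt32($data, 4)
                    LastRun = [datetime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 60))
                }
            }
        }
    } | Where-Object Runs -gt 0 | Sort-Object LastRun -Descending | Format-Table -AutoSize
}
finally {
    [GC]::Collect()                                   # release handles so the hives unload cleanly
    reg.exe unload HKLM\OffSYS | Out-Null
    reg.exe unload HKLM\OffSW  | Out-Null
    reg.exe unload HKU\OffUser | Out-Null
}
```

Run it against copies of the hives, never the originals, and note that the NetworkList timestamps are local time on the victim while the FILETIME and lease values are converted to UTC here; line them up against the event log timeline before drawing conclusions. The UserAssist list is a good place to spot a remote-support tool the attacker talked the user into installing and running.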
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
A place to start is Event Viewer -> Security; look for remote connections which come from an outside IP address.
But finding data about altering offline registry files sounds like a no-go unless you have captured all network traffic during this attack.
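Patrick's suggestion, as an added example that is not part of his answer: rather than scrolling the Security log in Event Viewer, parse an exported Security.evtx from the victim and keep only logons (4624) and failed logons (4625) whose source address is not private. Logon type 10 is an RDP session and type 3 a network logon (SMB, WMI, PsExec-style access). The export path `C:\case\Security.evtx` is an assumption.

```powershell
# Added example (not from the thread): remote logons from outside addresses in an exported
# Security log. Assumption (hypothetical): the victim's Security.evtx was copied to C:\case\.
$evtx = 'C:\case\Security.evtx'

function Test-PrivateIPv4([string]$ip) {
    # RFC 1918 ranges, loopback and link-local count as "inside"; everything else is outside.
    $ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.)'
}

# Logon types that matter for a remote-access case.
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'; 10 = 'RemoteInteractive (RDP)' }

# 4624 = successful logon, 4625 = failed logon. -FilterHashtable pushes the filter into the log.
Get-WinEvent -FilterHashtable @{ Path = $evtx; Id = 4624, 4625 } -ErrorAction Stop |
ForEach-Object {
    # Flatten <EventData><Data Name="..."> into a lookup table.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $lt = [int]$d.LogonType
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = if ($logonTypes[$lt]) { $logonTypes[$lt] } else { $lt }
        SourceIP  = $d.IpAddress
        Process   = $d.ProcessName
        Status    = $d.Status            # populated for 4625 (e.g. 0xC000006D = bad credentials)
    }
} |
Where-Object { $_.SourceIP -and $_.SourceIP -notin '-', '::1' -and -not (Test-PrivateIPv4 $_.SourceIP) } |
Sort-Object Time | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, access gained by talking the user into installing a remote-support tool (the usual social-engineering route) runs inside the user's existing session and does not produce a 4624 type 10 from the attacker's address; for that case the UserAssist entries, Prefetch and the tool's own logs are the better evidence, and the Security log mainly shows what the attacker did once inside (new accounts, 4720; service installs, 4697/7045 in the System log). Second, the private-range check above is IPv4 only, so IPv6 sources fall through unfiltered; extend it if the environment routes IPv6.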