
Digital Forensics - Evidence Collection File and Registry Paths

Janger 2024. 11. 13. 16:42

 
 

Registry file (SAM, SOFTWARE, SYSTEM, SECURITY, NTUSER) paths

 
ํŒŒ์ผ ๊ฒฝ๋กœ: 
C:\Windows\System32\config
C:\users\{์‚ฌ์šฉ์ž๋ช…}\NTUSER.DAT
 


 
 
 

Write protection

 
Registry path:
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > StorageDevicePolicies
Create WriteProtect (REG_DWORD) > set the value to 1
 
 
 


 
 

Volume name, serial number, volume GUID, last disconnection time, user account information, etc. of previously connected USB devices

 
ํŒŒ์ผ ๊ฒฝ๋กœ: 
Windows > inf > Setupapi.dev.log
 
 

USB Device Class ID (Vendor Name + Product Name + Version)

 
 
Registry path:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR
- Information available: analyzing the USB's Unique Instance and the USBSTOR subkeys identifies USB devices that are in use or were previously used on the system
 
Registry path:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB
- Information available: looking up the USB's Unique Instance found under USBSTOR reveals the USB's vendor ID (VID) and product ID (PID)
 
 
 
 

Volume name of previously connected USB devices

 
Registry path:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows Portable Devices > Devices
 
 
 


 

Network card (NIC) information

 
 
1) Check the model name and GUID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\


2) Check the DHCP IP address, etc. (registry)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\

DhcpIPAddress : IP assigned to the computer
DhcpNameServer : ISP address (e.g. 168.126.63.1 168.126.63.2)
DhcpServer : gateway address
DhcpSubnetMask : subnet mask
LeaseObtainedTime : date and time the IP was leased (assigned)



3) Check the MAC address (registry)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetworkSetup2\Interfaces\{GUID}\Kernel\
 
 


 

Router SSID & MAC address information

 
 
1) Check network card information (registry)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\

2) Check the MAC address (registry)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\
 
 


 

Jumplist (check recently and frequently used items)

 
AutomaticDestinations: 
%UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
 
CustomDestinations: 
%UserProfile%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
 
 


 
 

Thumbnail Cache & Icon Cache

 
ํŒŒ์ผ ๊ฒฝ๋กœ:
%UserProfile%\AppData\Local\Microsoft\Windows\Explorer
 
 


 

Spool files (printer information)

 
 
ํŒŒ์ผ ๊ฒฝ๋กœ: 
C:\Windows\System32\spool\PRINTERS
 
 


 

ํŒŒ์ผ ์‚ญ์ œ, ์ด๋™, ์œ„์น˜ ์ถ”์  ($LogFile, $UsnJrnl:$J, $MFT For NTFS Log Tracker)

 
ํŒŒ์ผ ๊ฒฝ๋กœ: 
$UsnJrnl : C:\$Extend\$Usnjrnl:$J
$MFT : C:\$MFT
$LogFile : C:\$LogFile

 


 
 

Prefetch information (executable file name and path, run count, last run time, first run time)

 
ํŒŒ์ผ ๊ฒฝ๋กœ: 
%SystemRoot%\Prefetch
C:\WINDOWS\Prefetch
 


 

AmCache (check the name, path, size, and hash value of all executables)

 
ํŒŒ์ผ ๊ฒฝ๋กœ: 
%SystemDrive%\Windows\AppCompat\Programs\Amcache.hve
 
 
 
 
