minor additions to registry

forensics/windows_registry.md

@@ -25,17 +25,19 @@
 * `C:\Windows\AppCompat\Programs\Amcache.hve`
 
 ### Transaction Logs
-* Saved inside the same directory as the hive which was altered.
+* Transaction `<name of registry hive>.LOG` of the registry hive
+* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered.
 
 ### Backups
 * Saved every ten days
+* Look out for recently deleted or modified keys
 * `C:\Windows\System32\Config\RegBack`
 
 ## Data Acquisition
 * Tools
-    * `Autopsy`
-    * `FTK Imager`, does not copy `Amcache.hve`
-    * `KAPE`, preserves directory tree
+    * [Autopsy](https://www.autopsy.com/)
+    * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve`
+    * [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
     * `Registry Viewer`
     * `Zimmerman's Registry Explorer`, uses transaction logs as well
         * ` AppCompatCache Parser`
@@ -97,6 +99,7 @@
 * Use `AppCompatCacheParser.exe --csv <path to save output> -f <path to SYSTEM hive for data parsing> -c <control set to parse>`
 
 ### AmCache
+* Information about recently run applications on the system
 * `C:\Windows\appcompat\Programs\Amcache.hve`
 * Last executed app -> `Amcache.hve\Root\File\{Volume GUID}\`
 * Saves SHA1 of the last executed app