A digital forensic investigator examines a Windows system to identify suspicious activity related to a recent cyber incident. She has collected volatile and non-volatile registry hives for analysis. The investigator has noticed modifications in a user's profile settings, including changes in desktop wallpaper and screen colors. Which hive and component cells in the registry should she examine more closely for further evidence of user-specific activity?
For examining user-specific activity, such as changes in desktop wallpaper and screen colors, the investigator should focus on HKEY_CURRENT_USER. This hive contains configuration information related to the currently logged-on user, including user profile settings. Key cells and value list cells within this hive store the necessary data about user-specific preferences and modifications.
HKEY_CURRENT_USER, abbreviated as HKCU, contains the configuration information related to the user currently logged-on. This hive controls the user-level settings associated with user profile such as desktop wallpaper, screen colors, display settings, etc.
CHFIv11 page 530: "such as desktop wallpaper...settings"