feat: prepare RegSeek v2.0.0 release

README.md

@@ -2,37 +2,53 @@
 
 > Advanced Windows Registry forensics reference and search engine
 
-RegSeek is a comprehensive reference tool for Windows Registry forensics artifacts. It provides detailed information about registry locations that are valuable for digital forensics investigations, incident response, and malware analysis.
-
-# Features
-
-- Extensive collection of Windows Registry forensics artifacts
-- Multi-criteria search with filters for category, criticality, investigation type, and more
-- Filter by Windows version, registry hive, criticality level, and analysis tools
-- Each artifact includes forensic value, data structure, examples, and analysis tools
-- Artifacts tagged by investigation scenarios (malware analysis, data exfiltration, etc.)
-
-# Categories
-
-- **Execution**: Program execution tracking and artifacts
-- **Network**: Network connections, shares, and communication
-- **Persistence**: Autostart locations and persistence mechanisms
-- **User Activity**: User behavior and document access patterns
-- **System**: System configuration and installed software
-- **USB/Storage**: USB device history and storage artifacts
-- **Security**: Security settings and access controls
-- **Browser**: Web browser artifacts and configurations
-- **Malware**: Malware-specific registry artifacts
-- **Communication**: Messaging and communication applications
-
-# Advanced Search
-
-- **Category**: Filter by artifact category
-- **Criticality**: High/Medium/Low priority filtering
-- **Investigation Type**: Filter by investigation scenario
-- **Windows Version**: Version-specific artifacts
-- **Registry Hive**: HKLM, HKCU, HKCR, etc.
-- **Analysis Tools**: Artifacts with or without tools
+## What is RegSeek?
+
+RegSeek is a comprehensive reference tool for Windows Registry forensics artifacts. It provides detailed information about registry locations that are valuable for digital forensics investigations, incident response, and malware analysis including:
+
+- **Forensic limitations** and what artifacts **cannot prove**
+- **Correlation requirements** for definitive conclusions  
+- **Analysis tools** and investigation techniques
+- **Real-world examples** and data structures
+- **Windows version compatibility**
+
+## Artifact Categories
+
+| Category | Count | Key Use Cases |
+|----------|-------|---------------|
+| **Program Execution** | 15+ | Application usage, malware execution tracking |
+| **Browser Activity** | 8+ | Web browsing history, security zone configurations |
+| **User Behavior** | 20+ | Application usage patterns, cloud storage sync |
+| **File Operations** | 12+ | Recent documents, file associations, jump lists |
+| **External Storage** | 5+ | USB device history, removable media tracking |
+| **Persistence Methods** | 10+ | Autostart locations, service configurations |
+| **System Modifications** | 15+ | Windows settings, security configurations |
+| **Network Infrastructure** | 12+ | Network connections, DNS configurations |
+| **Remote Access** | 8+ | RDP settings, VPN configurations |
+| **Security Monitoring** | 10+ | Windows Defender, audit configurations |
+| **Communication Apps** | 7+ | Teams, Discord, email client settings |
+| **Virtualization** | 6+ | VMware, VirtualBox, container settings |
+| **Authentication** | 4+ | Credential providers, account information |
+
+## Key Features
+
+### **Advanced Search & Filtering**
+- Full-text search across artifact titles, descriptions, and registry paths
+- Filter by category, criticality level, Windows version, and registry hive
+- Investigation type filtering (incident response, malware analysis, etc.)
+
+### **Forensic Intelligence**
+- **Limitations warnings**: What each artifact CANNOT prove
+- **Correlation requirements**: Additional artifacts needed for conclusions
+- **Criticality levels**: High/Medium/Low priority classifications
+- **Tool recommendations**: Specific analysis tools for each artifact
+
+### **Investigation-Focused**
+- Organized by forensic investigation types
+- Real-world examples and data structures
+- Windows version compatibility information
+- Direct links to analysis tools and references
+
 
 # Quick Start
 
@@ -76,8 +92,15 @@ Visit the deployed site: [https://regseek.github.io/](https://regseek.github.io/
 
 # Contributing
 
-We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) for details.
+We welcome contributions from the digital forensics community! See our [Contributing Guidelines](CONTRIBUTING.md) for details on:
+
+- Adding new registry artifacts
+- Improving existing documentation
+- Suggesting new features or categories
+- Reporting bugs or inaccuracies
 
 # License
 
-GPL-3.0 license - see [LICENSE](LICENSE) file for details.
+This project is licensed under GPL-3.0 license - see [LICENSE](LICENSE) file for details.
+
+*RegSeek is a comprehensive Windows Registry forensics reference tool designed to assist digital forensics professionals, incident response teams, and cybersecurity analysts in their investigations.*

artifacts/_template.yml

@@ -2,7 +2,10 @@
 # File naming: use_lowercase_with_underscore.yml
 
 title: "Artifact Display Name"
-category: "execution|network|usb|user-activity|persistence|system|security|cloud|browser|malware|mobile|virtualization|communication"
+category: "program-execution|browser-activity|file-operations|user-behavior|external-storage|persistence-methods|system-modifications|network-infrastructure|remote-access|security-monitoring|communication-apps|virtualization|authentication
+
+# Top 8 categories appear in quick filters: program-execution, browser-activity, file-operations, user-behavior, persistence-methods, system-modifications, network-infrastructure, security-monitoring
+# All 13 categories available in advanced search
 
 description: "Brief description of what this artifact reveals (focus on forensic value)"
 
@@ -38,6 +41,21 @@ details:
     - name: "Another Tool"
       description: "Alternative analysis method"
 
+# CRITICAL: Anti-checklist methodology sections
+limitations:
+  - "Specific things this artifact cannot determine"
+  - "Common false positives or misinterpretations"
+  - "What this artifact does NOT prove"
+
+correlation:
+  required_for_definitive_conclusions:
+    - "List other artifacts needed to prove what people assume this one proves"
+    - "Required evidence for court presentation"
+
+  strengthens_evidence:
+    - "Artifacts that support but don't prove the same conclusions"
+    - "Supporting evidence that adds context"
+
 metadata:
   windows_versions:
     - "Windows 10"
@@ -53,13 +71,25 @@ metadata:
 
   criticality: "high|medium|low"
 
-  # Investigation types where this is particularly useful
+  # Investigation types where this is particularly useful (choose multiple from 14 types)
   investigation_types:
-    - "malware-analysis"
-    - "data-exfiltration"
-    - "insider-threat"
-    - "incident-response"
-    - "timeline-analysis"
+    # Investigation Phases (how you're investigating):
+    - "incident-response"          # Emergency response situations
+    - "malware-analysis"           # Analyzing malicious software
+    - "timeline-analysis"          # Reconstructing sequence of events
+    - "behavioral-analysis"        # Understanding user/system behavior
+    - "insider-threat"             # Internal threat investigations
+
+    # Attack Techniques (what the attacker did):
+    - "initial-access"             # How attackers got in
+    - "program-execution"          # What programs were run
+    - "persistence-analysis"       # How threats maintain presence
+    - "privilege-escalation"       # Elevation of privileges
+    - "credential-theft"           # Credential harvesting/dumping
+    - "lateral-movement"           # Movement across network
+    - "remote-access"              # Remote access tools/methods
+    - "data-exfiltration"          # Data theft and staging
+    - "anti-forensics"             # Evidence destruction/hiding
 
   tags:
     - "specific-keyword"

artifacts/security/credential_providers.yml → artifacts/authentication/credential_providers.yml

@@ -1,5 +1,5 @@
 title: "Credential Providers and Authentication Extensions"
-category: "security"
+category: "authentication"
 description: "Windows credential provider registration, custom authentication modules, and logon extension configuration"
 
 paths:
@@ -10,24 +10,19 @@ paths:
 
 details:
   what: |
-    Credential Providers extend Windows authentication infrastructure with custom logon methods,
-    smart card integration, biometric authentication, multi-factor authentication, and enterprise
-    single sign-on solutions. Registry manages provider registration, authentication filters,
-    Pre-Logon Access Provider (PLAP) configuration, and credential enumeration settings for
-    comprehensive authentication ecosystem management and security enhancement.
+    Credential Providers extend Windows authentication infrastructure with custom logon methods, 
+    smart card integration, biometric authentication, multi-factor authentication, and enterprise 
+    single sign-on solutions. Registry manages provider registration and authentication filters.
 
   forensic_value: |
-    Critical for detecting unauthorized authentication modifications, malicious credential
-    harvesting tools, and sophisticated attack techniques targeting authentication infrastructure.
-    Shows evidence of credential provider abuse for password interception, authentication bypass
-    attempts, and unauthorized access to authentication systems. Essential for analyzing advanced
-    persistent threats that target authentication mechanisms and credential theft operations.
+    Critical for detecting unauthorized authentication modifications, malicious credential harvesting 
+    tools, and sophisticated attack techniques targeting authentication infrastructure. Shows evidence 
+    of credential provider abuse for password interception and authentication bypass attempts.
 
   structure: |
-    Credential Providers registry contains CLSID-based entries referencing COM objects that
-    implement authentication interfaces. Each provider includes DLL paths, capability flags,
-    trust levels, and configuration parameters. Provider Filters control authentication flow,
-    while PLAP Providers manage pre-logon network connectivity for domain authentication scenarios.
+    Credential Providers registry contains CLSID-based entries referencing COM objects that implement 
+    authentication interfaces. Each provider includes DLL paths, capability flags, trust levels, and 
+    configuration parameters. Provider Filters control authentication flow.
 
   examples:
     - "Credential Providers\\\\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}: Password Credential Provider"
@@ -53,6 +48,28 @@ details:
     - name: "Authentication Provider Scanner"
       description: "Specialized tools for credential provider security assessment"
 
+limitations:
+  - "Credential provider registration does NOT prove malicious credential harvesting occurred"
+  - "Provider installation may be legitimate enterprise authentication enhancement"
+  - "Custom providers don't indicate successful password interception"
+  - "Authentication filter modifications may be for legitimate security improvements"
+  - "Provider capability flags don't prove actual authentication usage"
+  - "DLL registration doesn't indicate active credential collection"
+
+correlation:
+  required_for_definitive_credential_theft_proof:
+    - "Event logs showing successful authentications using custom providers"
+    - "Network traffic logs showing credential transmission from compromised system"
+    - "File system artifacts showing harvested credentials stored on disk"
+    - "Process execution logs showing malicious provider DLL loading"
+    - "Memory dumps containing harvested credentials from provider processes"
+
+  strengthens_evidence:
+    - "Registry changes showing provider installation during suspicious timeframes"
+    - "File modifications in provider DLL locations with malware signatures"
+    - "Authentication attempts correlating with custom provider usage"
+    - "Network connections from processes using custom authentication providers"
+
 metadata:
   windows_versions:
     - "Windows Vista"
@@ -68,7 +85,6 @@ metadata:
     - "Windows Server 2022"
 
   introduced: "Windows Vista"
-
   criticality: "high"
 
   investigation_types:
@@ -77,6 +93,7 @@ metadata:
     - "malware-analysis"
     - "incident-response"
     - "behavioral-analysis"
+    - "credential-theft"
 
   tags:
     - "authentication"
@@ -122,5 +139,5 @@ author:
 
 contribution:
   date_added: "2025-01-15"
-  last_updated: "2025-01-15"
-  version: "2.0"
+  last_updated: "2025-06-13"
+  version: "3.0"