The Windows Registry as a forensic resource. Harlan Carvey. Digital Investigation, 2005. 1742-2876/$ - see front matter © 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003.


Purpose: discuss the structure of the Windows Registry. Methods for determining Registry "footprints" for arbitrary applications and user activity will be presented.

The structure of the Registry

The Windows Registry is a hierarchical database used to store information about the system. It takes the place of the configuration files used by earlier versions of Windows (config.sys, autoexec.bat, win.ini, system.ini). The hives, the sections of the Registry that persist on disk, are stored as files in the %SYSTEMROOT%\system32\config folder (SAM, SECURITY, SOFTWARE and SYSTEM).

Exception: the hive that holds the configuration settings for a specific user (NTUSER.DAT) is found in that user's profile folder, under "Documents and Settings" on Windows XP, not in system32\config.

The Registry as a log file. Every Registry key carries a "LastWrite" time, analogous to the last modification time of a file. The analogy carries the same limitation: the forensic analyst may have a copy of the key and its LastWrite time, but cannot tell from the time alone which value within the key was changed. The LastWrite time says when something in the key changed, not what.

What's in the Registry:
1. Autostart locations
2. User activity

1. Autostart locations. Keys whose values name programs to run at boot or logon are used by a great many pieces of malware to remain persistent on the victim system. Example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (the HKEY_LOCAL_MACHINE key of the same path runs for every user).
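Added example, not code from Carvey's paper or the slides: a Python script that lists the values under the Run and RunOnce keys for the current user and the machine together with each key's LastWrite time (converted from the FILETIME form that RegQueryInfoKey reports), sorted newest first so the key touched most recently tops the list, and flags command lines that start from user-writable locations or that borrow the name of a core Windows binary outside the Windows directory. The triage rules and the sample hive contents are assumptions constructed for illustration; on a Windows host the script reads the live Registry through the standard-library winreg module, elsewhere it runs against the constructed sample.

```python
"""Autostart (Run/RunOnce) enumeration with key LastWrite times.

Added example; not code from Carvey's paper. The triage heuristics and the
sample hive data are assumptions constructed for illustration.
"""
import sys
from datetime import datetime, timedelta, timezone

# Per-user and per-machine autostart keys. The paper names HKCU\...\Run;
# the HKLM and RunOnce siblings are checked the same way.
AUTOSTART_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Locations a normal user can write to; persistence there deserves a look (assumed heuristic).
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\appdata\\",
                 "\\temp\\", "%temp%", "%appdata%", "%localappdata%", "%userprofile%")
# Names of core Windows binaries; a copy outside the Windows directory is suspect.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime.
    A key's LastWrite time is reported in this form by RegQueryInfoKey, and by
    winreg.QueryInfoKey in Python."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def triage_command(command):
    """Return the reasons (if any) an autostart command line deserves a closer look."""
    flags = []
    c = command.lower()
    if any(marker in c for marker in USER_WRITABLE):
        flags.append("runs from a user-writable path")
    in_windows_dir = any(m in c for m in ("\\windows\\", "%windir%", "%systemroot%"))
    for name in SYSTEM_NAMES:
        if name in c and not in_windows_dir:
            flags.append(f"{name} outside the Windows directory")
    return flags


def collect_autostarts(read_key):
    """Walk AUTOSTART_KEYS through read_key(hive, path), which returns
    (lastwrite_filetime, [(value_name, command), ...]) or None if the key is absent.
    Entries come back newest LastWrite first."""
    rows = []
    for hive, path in AUTOSTART_KEYS:
        result = read_key(hive, path)
        if result is None:
            continue
        lastwrite, values = result
        for name, command in values:
            rows.append({
                "key": hive + "\\" + path,
                "lastwrite": filetime_to_datetime(lastwrite),
                "name": name,
                "command": command,
                "flags": triage_command(command),
            })
    rows.sort(key=lambda r: r["lastwrite"], reverse=True)  # stable: value order within a key is kept
    return rows


def winreg_reader(hive, path):
    """Live reader for a Windows host, using only the standard-library winreg module."""
    import winreg
    root = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive]
    try:
        key = winreg.OpenKey(root, path)
    except OSError:
        return None
    with key:
        _subkeys, n_values, lastwrite = winreg.QueryInfoKey(key)
        values = []
        for i in range(n_values):
            name, data, _type = winreg.EnumValue(key, i)
            values.append((name, str(data)))
    return lastwrite, values


# Constructed sample standing in for hives pulled from an image; not real data.
# FILETIMEs: 132223104000000000 = 2020-01-01T00:00:00Z, 132038208000000000 = 2019-06-01T00:00:00Z.
SAMPLE_HIVES = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"): (132223104000000000, [
        ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
        ("svchost", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ]),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"): (132038208000000000, [
        ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ]),
}


def sample_reader(hive, path):
    return SAMPLE_HIVES.get((hive, path))


if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else sample_reader
    for row in collect_autostarts(reader):
        mark = " <-- " + "; ".join(row["flags"]) if row["flags"] else ""
        print(f'{row["lastwrite"]:%Y-%m-%d %H:%M:%S}  {row["key"]}\\{row["name"]} = {row["command"]}{mark}')
```

The flags are triage hints, not verdicts: the sample deliberately includes a legitimate per-user OneDrive entry that trips the user-writable rule, next to a svchost.exe in a Temp folder that trips both rules. The LastWrite time only tells you when the key was last changed, so a single suspicious value in a key with ten benign ones still has to be dated by other means.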

2. User activity

MRU (most recently used) lists. Within an MRU key there are a number of values named for letters of the alphabet, in this case from a through g, each holding one item. The MRUList value records the order in which those values were most recently used, so the analyst recovers not only which items were used but in what sequence.
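Added example, not code from Carvey's paper or the slides: a Python module that puts MRU entries back into recency order. It handles both conventions found in Explorer's keys: MRUList, a string of single-letter value names as on the slide (RunMRU, OpenSaveMRU), and MRUListEx, a binary array of little-endian DWORDs naming numbered values, terminated by 0xFFFFFFFF (RecentDocs). It also peels the item name off the front of a RecentDocs value, whose data is the UTF-16LE name followed by a shell item. The sample key contents are constructed to look like the real keys and are not copied from a system.

```python
"""Ordering MRU (most recently used) entries from a Registry key.

Added example; not code from Carvey's paper. Sample key contents are constructed.
Two conventions exist: MRUList, a REG_SZ string of single-letter value names
(RunMRU, OpenSaveMRU), and MRUListEx, a REG_BINARY array of little-endian DWORDs
naming numbered values (RecentDocs). Both list the most recent item first.
"""
import struct


def order_mrulist(values):
    """values: {value_name: data}. Walk the letters of MRUList, most recent first."""
    return [(name, values[name]) for name in values["MRUList"] if name in values]


def order_mrulistex(values):
    """Walk MRUListEx, a sequence of DWORD indices terminated by 0xFFFFFFFF."""
    raw = values["MRUListEx"]
    raw = raw[: len(raw) // 4 * 4]  # ignore a trailing partial DWORD rather than fail
    ordered = []
    for (index,) in struct.iter_unpack("<I", raw):
        if index == 0xFFFFFFFF:
            break
        name = str(index)
        if name in values:  # a dangling index points at a value that was deleted
            ordered.append((name, values[name]))
    return ordered


def order_mru(values):
    """Dispatch on whichever ordering value the key carries."""
    if "MRUListEx" in values:
        return order_mrulistex(values)
    if "MRUList" in values:
        return order_mrulist(values)
    raise ValueError("key has neither MRUList nor MRUListEx")


def recentdocs_name(data):
    """RecentDocs value data begins with the item name as a NUL-terminated UTF-16LE
    string; a shell item follows. Return just the name."""
    end = 0
    while end + 1 < len(data) and not (data[end] == 0 and data[end + 1] == 0):
        end += 2
    return data[:end].decode("utf-16-le", errors="replace")


def recent_documents(values):
    """Names of RecentDocs items, most recently opened first."""
    return [recentdocs_name(data) for _name, data in order_mru(values)]


# --- constructed sample data (assumption: shaped like the real keys, not copied from one) ---

# Explorer\RunMRU: each value is the typed command followed by "\1"; MRUList says c was last.
RUNMRU = {"a": "cmd\\1", "b": "regedit\\1", "c": "notepad\\1", "MRUList": "cab"}


def make_recentdocs_entry(name):
    # Name, terminator, then a stand-in for the shell item that really follows.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18


# Explorer\RecentDocs: numbered values plus MRUListEx saying 2 was opened last.
RECENTDOCS = {
    "0": make_recentdocs_entry("budget.xls"),
    "1": make_recentdocs_entry("notes.txt"),
    "2": make_recentdocs_entry("resume.doc"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    print("RunMRU, most recent first:", [cmd for _n, cmd in order_mru(RUNMRU)])
    print("RecentDocs, most recent first:", recent_documents(RECENTDOCS))
```

The key's LastWrite time dates only the most recent entry (the first one returned); the rest are ordered but undated, which is exactly the limitation described under "The Registry as a log file".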

USB removable storage

Under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR each device class ID (vendor, product and revision) has one subkey per device that has been plugged in, named by the device's unique instance ID, so a specific device can be identified. It should be noted that not all USB thumb drives have a serial number: when the device reports none, Windows generates an instance ID itself, and a generated ID can be recognised by an "&" as its second character.
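Added example, not code from Carvey's paper or the slides: a Python module that splits USBSTOR key names into vendor, product, revision and serial number, applies the "second character is &" check so that a Windows-generated instance ID is reported as no serial rather than as an identifier, and joins each device to the drive letter it was mounted under from the \DosDevices\X: entries of HKLM\SYSTEM\MountedDevices. The MountedDevices matching assumes the Vista-and-later form, where the value data is a UTF-16LE device path that embeds the USBSTOR instance ID; on Windows XP the path carries the ParentIdPrefix value from the device's key instead and would need that extra lookup. All key names and value data below are constructed, not copied from a system.

```python
"""Parsing USBSTOR device keys and tying them to drive letters.

Added example; not code from Carvey's paper. Key names and MountedDevices
data below are constructed to look like the real thing, not copied from a system.
"""
import re

# HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR\<class id>\<instance id>
CLASS_ID_RE = re.compile(
    r"^(?P<kind>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$",
    re.IGNORECASE,
)
# Vista and later: MountedDevices data for a USB volume embeds the USBSTOR path.
MOUNTED_USBSTOR_RE = re.compile(r"USBSTOR#(?P<class_id>[^#]+)#(?P<instance_id>[^#]+)#", re.IGNORECASE)


def parse_usbstor(class_id, instance_id):
    """Split a USBSTOR class ID and instance ID into their parts.
    The instance ID is the device serial number plus a '&<n>' suffix. When the
    device reports no serial, Windows makes one up, and the generated ID has '&'
    as its second character; treat such a value as 'no serial', not as an
    identifier that would match the same stick on another machine."""
    m = CLASS_ID_RE.match(class_id)
    if m is None:
        raise ValueError(f"not a USBSTOR class ID: {class_id!r}")
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    return {
        "kind": m["kind"],
        "vendor": m["vendor"],
        "product": m["product"],
        "revision": m["revision"],
        "instance_id": instance_id,
        "serial": None if generated else instance_id.rsplit("&", 1)[0],
    }


def drive_letters_from_mounted_devices(mounted):
    """mounted: {value_name: REG_BINARY data} from HKLM\\SYSTEM\\MountedDevices.
    Returns {usbstor_instance_id: 'X:'} for \\DosDevices\\X: entries whose data is
    a UTF-16LE device path naming a USBSTOR device. Fixed-disk entries hold a
    12-byte signature-plus-offset value instead and simply do not match."""
    letters = {}
    for name, data in mounted.items():
        if not name.upper().startswith("\\DOSDEVICES\\"):
            continue
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        m = MOUNTED_USBSTOR_RE.search(text)
        if m:
            letters[m["instance_id"]] = name.rsplit("\\", 1)[1]
    return letters


def correlate(usbstor_keys, mounted):
    """Join USBSTOR entries to the drive letter each was last mounted under."""
    letters = drive_letters_from_mounted_devices(mounted)
    rows = []
    for class_id, instance_id in usbstor_keys:
        row = parse_usbstor(class_id, instance_id)
        row["drive"] = letters.get(instance_id)
        rows.append(row)
    return rows


# --- constructed sample data ---
USBSTOR_KEYS = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001234567890123&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&2b1c9e5a&0"),  # no serial: Windows-generated
]


def utf16(s):
    return s.encode("utf-16-le")


MOUNTED_DEVICES = {
    r"\DosDevices\C:": bytes.fromhex("a3c1b7e8" + "00" * 8),  # fixed disk: signature + offset
    r"\DosDevices\E:": utf16(r"\??\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"
                            r"#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"),
}

if __name__ == "__main__":
    for row in correlate(USBSTOR_KEYS, MOUNTED_DEVICES):
        serial = row["serial"] or "(none; instance ID generated by Windows)"
        print(f'{row["vendor"]} {row["product"]} rev {row["revision"]}: '
              f'serial {serial}, drive {row["drive"] or "unknown"}')
```

A device with a real serial can be matched across every machine it was plugged into; a generated ID is only meaningful on the machine that generated it, which is why the parser refuses to report it as a serial.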

Wireless SSIDs. The service set identifiers (SSIDs) of wireless networks the system has connected to are also recorded in the Registry (on Windows XP under the Wireless Zero Configuration service key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces). This shows which wireless networks the system has joined; a user who travels and makes use of the ubiquitous wireless hotspots will have accumulated quite a few entries there.

Summary: the structure of the Registry, its LastWrite times as a limited log, and the Registry "footprints" left by autostart locations and by user activity (MRU lists, USB removable storage, wireless SSIDs).