Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003.

Published byShawn McGee Modified over 9 years ago

Similar presentations

Presentation on theme: "The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003."— Presentation transcript:

1 The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003

2 Purpose Discuss the structure of the Windows Registry. Methods for determining Registry ‘‘footprints’’ for arbitrary applications and user activity will be presented.

3 The structure of the Registry

4 The Windows Registry1 is a hierarchal database used to store information about the system. The Registry takes the place of the configuration files (config.sys, autoexec.bat, win.ini, system.ini) The various hives or sections of the Registry that are persistent on the system can be found in files located in the %SYSTEMROOT%\system32\config folder.

5 Exception: The file that comprises the configuration settings for a specific user is found in that user’s ‘‘Documents and Settings’’ folder.

6 The Registry as a log file ‘‘LastWrite’’ time: last modification time of a file. The forensic analyst may have a copy of the file, and the last modification time, but may not be able to determine what was changed in the file.

7 What’s in the Registry 1.Autostart locations 2.User activity

8 1. Autostart locations Used by a great many pieces of malware to remain persistent on the victim system. Example: HKEY_CURRENT_USER\Software\Micros -oft\Windows\CurrentVersion\Run

9 User activity

10 MRU ( most recently used ) lists there are a number of values named for letters of the alphabet; in this case, from a through g. The MRUList entry maintains a list of which value has been most recently used.

11 USB removable storage

12 The device ID for a specific device identified. It should be noted that not all USB thumb drives will have a serial number.

13 Wireless SSIDs SSIDs (service set identifiers) This shows you which wireless networks you’ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you’ll see quite a few entries there.

14 Summary The structure of the Registry

Download ppt "The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003."

Similar presentations

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.

Working with the Windows Registry Computer Club of the Sandhills November 12, 2012.
D. Bonacci. Where are Your Files? AISD employees save their work on a server and the files are backed up regularly – Your files are not private. – They.

D. Bonacci. Where are Your Files? AISD employees save their work on a server and the files are backed up regularly – Your files are not private. – They.
Drives, Directories and Files. A computer file is a block of arbitrary information, or resource for storing information. Computer files can be considered.

Drives, Directories and Files. A computer file is a block of arbitrary information, or resource for storing information. Computer files can be considered.
Return to the Office 2007 web page Lesson 3: Managing Computer Files.

Return to the Office 2007 web page Lesson 3: Managing Computer Files.
Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.

Configuration Files CGS2564. DOS Config.sys Device drivers Memory configuration Autoexec.bat Run programs, DOS commands, etc. Environment settings File.
Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.

Computer Forensic Tools. Computer Forensics: A Brief Overview Scientific process of preserving, identifying, extracting, documenting, and interpreting.
Registry Analysis What is it? What does it contain?

Registry Analysis What is it? What does it contain?
Registry Analysis Using regedit.exe –System Information –Autostart locations –USB Removable Storage Devices –Mounted Devices –Finding Users –User Activity.

Registry Analysis Using regedit.exe –System Information –Autostart locations –USB Removable Storage Devices –Mounted Devices –Finding Users –User Activity.
Introduction to Computer Essentials. Information Systems 1. People 2. Procedures 3. Software 4. Hardware 5. Data.

Introduction to Computer Essentials. Information Systems 1. People 2. Procedures 3. Software 4. Hardware 5. Data.
Registry Structure What is it? What does it contain?

Registry Structure What is it? What does it contain?
MCT260-Operating Systems I Operating Systems I Managing Your System.

MCT260-Operating Systems I Operating Systems I Managing Your System.
Network File Storage Project James Madison University Information Technology February 2011.

Network File Storage Project James Madison University Information Technology February 2011.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
Site B Site A SANSANSANSAN.

Site B Site A SANSANSANSAN.
This is a Flash Drive. It is also known as a: Key Drive, Thumb Drive, Jump Drive, USB Drive, Pen Drive.

This is a Flash Drive. It is also known as a: Key Drive, Thumb Drive, Jump Drive, USB Drive, Pen Drive.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.

Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
Introduction to Computers I A presentation of the Elmhurst Public Library.

Introduction to Computers I A presentation of the Elmhurst Public Library.
Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Mastering Windows Network Forensics and Investigation Chapter 9: Registry Evidence.

Similar presentations

Ads by Google