Published by Griffin Griffin. Modified over 9 years ago.
Slide 1: ACCESSDATA® FORENSICS – Windows 7 Registry Introduction
Forensic Analysis | Incident Response | eDiscovery | Information Assurance
Slide 2: Module Objectives
Defining the Windows Registry
Forensic benefits of the Registry
The Registry structure
Registry Navigation
Obtaining Registry Files
Registry Search and Reporting
Slide 3: What is the Registry?
Microsoft definition: “…a central hierarchical database used … to store information that is necessary to configure the system for one or more users, applications and hardware devices.”
Slide 4: Forensic Benefits of the Registry
MRUs
Typed URLs
Installed apps
Installed devices
System time settings
Registered user information
Passwords and password hashes
Internet search queries and form data
Network settings and connection information
Date and time information of Registry key updates
Slide 5: Hives – Symbolic Links
Slide 6: Hive Files in the File System
HARDWARE: built on boot (volatile; not stored as a file on disk)
C:\Windows\System32\config
C:\Users\%%%%\
C:\Users\%%%%\AppData\Local\Microsoft\Windows
C:\Boot: BCD started in Vista. In Vista / Windows 2008 Server it is located here according to the MS TechNet article; in Windows 7 it is located in the 100 MB System Reserved partition.
Slide 7: Registry Editor Navigation
Diagram labels: Hive, Key, Sub Key, Value; Value Name, Data Type, Value data
Slide 8: Values
Values are associated with subkeys in name-data pairs
Stored independently from their subkeys
Each value consists of a Name and Data
Slide 9: Value Types
REG_SZ          String Value    Human readable
REG_BINARY      Binary Value    Machine readable
REG_DWORD       Number          4 bytes; Integer / Signed Integer
REG_EXPAND_SZ                   Takes a variable
REG_MULTI_SZ                    List of values
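The table above is exactly the decision a hive viewer has to make for every value: the same raw bytes mean different things depending on the type id. The following Python is an added example (not AccessData's code) that decodes raw value data by type; the numeric ids are the documented Windows REG_* constants, and the sample byte strings in SAMPLES are constructed for illustration.

```python
"""Decode raw Registry value data by REG_* type, as a hive viewer must.

Added example; not part of the AccessData course material. The numeric type
ids are the documented Windows REG_* constants; the sample byte strings in
SAMPLES are constructed for illustration.
"""
import struct
from typing import Optional

REG_SZ = 1                 # UTF-16LE string, NUL-terminated
REG_EXPAND_SZ = 2          # string containing %VARIABLE% references
REG_BINARY = 3             # arbitrary bytes
REG_DWORD = 4              # 32-bit little-endian integer
REG_DWORD_BIG_ENDIAN = 5
REG_MULTI_SZ = 7           # NUL-separated strings, double-NUL terminated
REG_QWORD = 11             # 64-bit little-endian integer


def decode_value(vtype: int, raw: bytes, env: Optional[dict] = None,
                 signed: bool = False):
    """Return a Python object for one value's raw data.

    Unknown types are returned as the raw bytes so nothing is silently lost.
    """
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        # On-disk strings usually carry the terminating NUL; cut at the first one.
        text = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        if vtype == REG_EXPAND_SZ and env is not None:
            # "Takes a variable": expand %NAME% from the supplied environment map.
            for name, val in env.items():
                text = text.replace(f"%{name}%", val)
        return text
    if vtype == REG_MULTI_SZ:
        # "List of values": split on NUL and drop the empty trailing entries.
        return [s for s in raw.decode("utf-16-le", errors="replace").split("\x00") if s]
    if vtype in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(raw) != 4:
            raise ValueError(f"DWORD needs 4 bytes, got {len(raw)}")
        order = "<" if vtype == REG_DWORD else ">"
        # "Integer / Signed Integer": the analyst chooses the interpretation.
        return struct.unpack(order + ("i" if signed else "I"), raw)[0]
    if vtype == REG_QWORD:
        if len(raw) != 8:
            raise ValueError(f"QWORD needs 8 bytes, got {len(raw)}")
        return struct.unpack("<q" if signed else "<Q", raw)[0]
    if vtype == REG_BINARY:
        # Machine readable: present as a spaced hex dump rather than guessing.
        return raw.hex(" ")
    return raw


# Constructed sample values (name -> (type, raw bytes)), not taken from a real hive.
SAMPLES = {
    "ProductName": (REG_SZ, "Windows 7\x00".encode("utf-16-le")),
    "TEMP": (REG_EXPAND_SZ, "%SystemRoot%\\Temp\x00".encode("utf-16-le")),
    "ShutdownCount": (REG_DWORD, struct.pack("<I", 42)),
    "PendingFileRenameOperations": (REG_MULTI_SZ, "a.tmp\x00b.tmp\x00\x00".encode("utf-16-le")),
    "Blob": (REG_BINARY, b"\xde\xad\xbe\xef"),
}


def decode_all(samples=SAMPLES, env=None):
    """Decode every sample; the demo entry point below prints the result."""
    return {name: decode_value(t, data, env) for name, (t, data) in samples.items()}


if __name__ == "__main__":
    for name, value in decode_all(env={"SystemRoot": "C:\\Windows"}).items():
        print(f"{name:30} {value!r}")
```

The `signed` flag matters for REG_DWORD: the same four bytes `ff ff ff ff` are 4294967295 unsigned and -1 signed, which is why the slide lists both interpretations.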
Slide 10: Registry Viewer Navigation
Registry Viewer navigates by file rather than by hive
File System: C:\WINDOWS\system32\config
Registry: HKCR, HKCU, HKLM, HKU, HKCC
Slide 11: AccessData Navigation
C:\Users\<username>\NTUSER.DAT
Slide 12: Viewing Registry Properties
RID – Offset 48-49
Slide 13: Accessing Live Registry Files
Registry Viewer is unable to load active Registry files: the Windows APIs protect the registry files while the system is up and running.
Slide 14: Accessing Registry Files
Live System – Regedit Export
Live System – FTK Imager
Live System – RegBack
Dead Box Image – RegBack
Dead Box Image – FTK Imager
Dead Box Image – FTK
RegBack (C:\Windows\System32\config\RegBack): Vista – 10 Days; Win7 – 14 Days
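Whichever route above produces the copy (a RegBack file, an FTK Imager export, a file carved from a dead-box image), the first check is that the file really is a hive and that it was not copied mid-write. The Python below is an added example, not AccessData's code, that reads the 'regf' base block fields (signature, sequence numbers, last-written FILETIME, embedded file name) using the documented header offsets; the sample hive bytes are constructed. It also covers Slide 6 above, since the embedded name tells you which hive a file is regardless of what it was renamed to.

```python
"""Identify a Registry hive file from its base block and check whether it was
cleanly written. Added example, not AccessData's code. The field offsets are
those of the documented 'regf' base block; the sample hive bytes are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_LEN = 4096
# offset 4: primary seq, 8: secondary seq, 12: last-written FILETIME, 20: major,
# 24: minor, 28: file type, 32: file format, 36: root cell offset,
# 40: hive bins data size, 44: clustering factor, 48..111: file name (UTF-16LE)
HEADER_FMT = "<IIQIIIIIII"


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def is_hive(data: bytes) -> bool:
    """True when the bytes start with the 'regf' signature and are long enough to parse."""
    return len(data) >= 112 and data[:4] == b"regf"


def parse_regf_header(data: bytes) -> dict:
    """Return the base-block fields an examiner wants before trusting a hive copy."""
    if not is_hive(data):
        raise ValueError("not a registry hive: missing 'regf' signature")
    (seq1, seq2, ft, major, minor, _ftype, _ffmt,
     root, hbins_size, _cluster) = struct.unpack_from(HEADER_FMT, data, 4)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        # The kernel bumps seq1 before a write and seq2 after it; a mismatch means the
        # copy was taken mid-write (the transaction logs would be needed to reconcile it).
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(ft),
        "version": f"{major}.{minor}",
        "root_cell_offset": root,
        "hbins_size": hbins_size,
        "embedded_name": name,
    }


def build_sample_hive(name: str = "SYSTEM", seq1: int = 5, seq2: int = 5,
                      filetime: int = 129_067_776_000_000_000) -> bytes:
    """Constructed base block for demonstration (default timestamp: 2010-01-01 00:00 UTC)."""
    block = bytearray(BASE_BLOCK_LEN)
    block[:4] = b"regf"
    struct.pack_into(HEADER_FMT, block, 4, seq1, seq2, filetime, 1, 3, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    return bytes(block)


if __name__ == "__main__":
    for label, blob in [("clean", build_sample_hive()),
                        ("dirty", build_sample_hive(seq1=6, seq2=5)),
                        ("not a hive", b"MZ" + bytes(200))]:
        try:
            print(label, parse_regf_header(blob))
        except ValueError as exc:
            print(label, exc)
```

To use it on a real copy, read the first 4096 bytes of the file and pass them to `parse_regf_header`. A `dirty` result on a file pulled from a running system is expected and is the reason the slide prefers RegBack or a forensic imager over a plain file copy.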
Slide 15: Obtaining Registry Files
Slide 16: Applications Using the Registry
During application use the Registry will be updated
Some applications do not update until exited
Be mindful when seizing a live system
Slide 17: Searching the Registry
Registry Viewer has three types of searches: Quick Find, Advanced Find, Search by Last Written Date
Slide 18: Quick Find Search
Searches in the selected key and its children
Slide 19: Advanced Find Search
Select search type
Slide 20: Searching by Date
Slide 21: Registry Reports
Reports in HTML
Display key properties
Slide 22: Summary Reports
Allows addition of single values
Takes wildcards on both keys and values
Becomes a template for other Registry files
Summary reports are a two-step process: create it with Define, run it with Manage
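The Define/Manage split described above is a template (key pattern, value pattern) that is applied unchanged to each hive in turn, and Slides 17 to 20 add a last-written-date filter on top of it. The Python below is an added example, not Registry Viewer's own code, showing both over two constructed in-memory NTUSER hives; the key paths and values are invented for illustration.

```python
"""Summary-report template with wildcards on keys and values, applied to more
than one hive, combined with a last-written-date filter. Added example, not
Registry Viewer's own code; the in-memory hives below are constructed.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed hives: key path -> (last written, {value name: data}).
NTUSER_ALICE = {
    r"Software\Microsoft\Windows\CurrentVersion\Run":
        (utc_date(2012, 3, 4), {"Updater": r"C:\tools\u.exe", "Sidebar": r"C:\Program Files\Sidebar.exe"}),
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce":
        (utc_date(2012, 3, 5), {"Cleanup": r"C:\temp\c.bat"}),
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU":
        (utc_date(2012, 2, 1), {"a": "cmd\\1", "MRUList": "a"}),
    r"Software\Vendor\Settings":
        (utc_date(2012, 1, 1), {"Verbose": 1}),
}
NTUSER_BOB = {
    r"Software\Microsoft\Windows\CurrentVersion\Run":
        (utc_date(2012, 4, 9), {"Dropbox": r"C:\Users\bob\Dropbox.exe"}),
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU":
        (utc_date(2012, 4, 8), {"a": "notepad\\1", "b": "calc\\1", "MRUList": "ba"}),
}

# "Define" step: (key pattern, value-name pattern). '*' is accepted in both.
REPORT_DEF = [
    (r"Software\Microsoft\Windows\CurrentVersion\Run*", "*"),   # Run and RunOnce, every value
    (r"*\Explorer\RunMRU", "MRUList"),                         # a single value added by name
]


def run_report(definition, hive, since=None, until=None):
    """'Manage' step: apply one definition to one hive, optionally filtered by last-written date.

    Returns (key, value name, data, last written) rows; a key matched by several
    patterns is reported once.
    """
    rows = []
    for key, (written, values) in hive.items():
        if since is not None and written < since:
            continue
        if until is not None and written > until:
            continue
        for key_pat, val_pat in definition:
            # fnmatchcase treats the backslashes in key paths as literal characters.
            if not fnmatchcase(key, key_pat):
                continue
            for name, data in values.items():
                row = (key, name, data, written)
                if fnmatchcase(name, val_pat) and row not in rows:
                    rows.append(row)
    return rows


if __name__ == "__main__":
    for user, hive in (("alice", NTUSER_ALICE), ("bob", NTUSER_BOB)):
        for key, name, data, written in run_report(REPORT_DEF, hive):
            print(f"{user:6} {written:%Y-%m-%d} {key}\\{name} = {data!r}")
```

The same `REPORT_DEF` is reused for both hives, which is the "template for other Registry files" behaviour; the `since`/`until` arguments give the date-bounded search without changing the template.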
Slide 23: Summary Reports
Slide 24: Module Review
Defining the Windows Registry
Forensic benefits of the Registry
The Registry structure
Registry Navigation
Obtaining Registry Files
Registry Search and Reporting