
Introduction

The Microsoft Windows Registry is a system-defined database in which applications and system components store and retrieve configuration data. Exactly what is stored in the Registry, and where, varies with the version of the Microsoft Windows Operating System. [1]

The Registry is an invaluable source of evidence for forensic examiners.  During this course, you will be pointed in the direction of the Registry as the source of information about the configuration of the target computer systems we will be examining.  Certain Registry settings are vital when dealing with browser data, and a failure to establish these settings at an early point in your investigation could lead to fundamental errors being made in your findings.  Accordingly, we need to know what the Registry is; where it is found; and how we can get information from it.

The Registry is best thought of as a hierarchical database that is constantly updated by the Windows Operating System as we use it.  It is actually the name given to a collection of system files (or hives) stored on the computer which work together like a database to store Operating System configuration, application and user data.  It holds information such as how we interact with the computer; how programs interact with both the computer and the user; and core settings for how the computer functions.  The Registry hives are binary files (each begins with the signature "regf"); they cannot be read with a text editor and need a Registry viewer or a parser that understands the hive format.

 

Forensic Examination of the Registry

As forensic examiners, we will usually be examining Registry files which have been extracted from a target computer, allowing us to use an off-line Registry viewer to establish what the settings are on the target computer. 

Registry files can be divided broadly into two main categories:

  • System related
  • User related

For Microsoft Windows NT based systems, the main files are:

Name of Hive    Typical Data
SAM             Local user and group accounts (including password hashes)
SECURITY        Local security policy, LSA secrets and cached domain logon data
SOFTWARE        Global software settings
SYSTEM          System related data (control sets, services, devices, time zone)

The standard location for these files is:

System Registry Hives location
C:\Windows\System32\Config\

The hive files have no extension. Alongside each one you will find its transaction log files (.LOG, .LOG1, .LOG2); collect these together with the hive, because a hive whose last write was not fully flushed to disk can only be brought up to date by replaying them.

 

For user related settings, each user account has its own Registry file located in the root of its profile called:

Name of Hive    Typical Data
NTUSER.DAT      User activity and preferences

The standard locations for this file are:

Microsoft Windows Vista / 7 (and later versions)
C:\Users\{Name}\
Microsoft Windows XP
C:\Documents and Settings\{Name}\

NTUSER.DAT is a hidden file. From Windows XP onward there is also a second per-user hive, UsrClass.dat, which is loaded as HKEY_CURRENT_USER\Software\Classes and stored under AppData\Local\Microsoft\Windows\ in the profile (Local Settings\Application Data\Microsoft\Windows\ on XP); it holds shell artefacts such as ShellBags and should be collected together with NTUSER.DAT.

 

When the computer is started, the system hives are loaded and appear under HKEY_LOCAL_MACHINE (HKLM\SAM, HKLM\SECURITY, HKLM\SOFTWARE and HKLM\SYSTEM); when a user logs in, that user's NTUSER.DAT is loaded under HKEY_USERS and aliased as HKEY_CURRENT_USER. Together these files create the database that constitutes the Registry.
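Because the hives are binary files, an off-line examination starts by confirming that a collected file really is a hive, which hive it is and whether it was cleanly written. The following Python script is added here as an example; it is not part of the original page or of any Registry viewer. It parses the 4096-byte base block ("regf" header) that begins every hive, using the standard hive file format offsets; the sample headers it examines are constructed inside the script itself (they do not come from a real system), so it runs offline, and the optional path argument at the bottom assumes an extracted hive file that you supply.

```python
"""Parse the base block of a Windows Registry hive file (added example).

Every hive (SAM, SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT, ...) begins with a
4096-byte base block whose first four bytes are the signature "regf".  The
fields read below are the ones an examiner checks before trusting a hive:
which file it is, when it was last written, whether the last write was fully
flushed, and whether the header checksum is intact.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096        # header size; the hive bins (data) start after it
CHECKSUM_OFFSET = 0x1FC       # XOR checksum of the preceding 508 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs that precede the stored checksum."""
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        checksum ^= dword
    # Windows reserves two results and substitutes them.
    if checksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if checksum == 0:
        return 1
    return checksum


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is a count of 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_base_block(data: bytes) -> dict:
    """Return the forensically interesting header fields of a hive image."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file is shorter than the 4096-byte base block")
    base = data[:BASE_BLOCK_SIZE]
    if base[:4] != b"regf":
        raise ValueError("not a Registry hive: 'regf' signature missing")
    (primary_seq, secondary_seq, last_written, major, minor,
     file_type, file_format, root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", base, 4)
    # Offset 0x30 holds the hive's own path as 64 bytes of UTF-16LE.
    hive_name = base[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", base, CHECKSUM_OFFSET)[0]
    return {
        "hive_name": hive_name,
        "version": f"{major}.{minor}",
        "file_type": {0: "primary", 1: "transaction log"}.get(file_type, "unknown"),
        "file_format": file_format,
        "last_written": filetime_to_datetime(last_written),
        # Cell offsets are relative to the first hive bin, which follows the base block.
        "root_cell_file_offset": BASE_BLOCK_SIZE + root_cell,
        "hbins_size": hbins_size,
        # Windows increments the primary sequence number before a write and the
        # secondary one after it; a mismatch means the hive was not cleanly
        # flushed and its transaction logs must be replayed before analysis.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == regf_checksum(base),
    }


def build_sample_base_block(hive_path: str, primary_seq: int, secondary_seq: int,
                            last_written: int, corrupt: bool = False) -> bytes:
    """Construct a synthetic base block for testing (not taken from a real system)."""
    base = bytearray(BASE_BLOCK_SIZE)
    base[0:4] = b"regf"
    # version 1.5, file type 0 (primary), format 1, root cell at 0x20, one 4 KiB bin
    struct.pack_into("<IIQIIIIII", base, 4, primary_seq, secondary_seq, last_written,
                     1, 5, 0, 1, 0x20, 0x1000)
    encoded = hive_path.encode("utf-16-le")[:64]
    base[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", base, CHECKSUM_OFFSET, regf_checksum(bytes(base)))
    if corrupt:
        base[0x100] ^= 0xFF       # damage a covered byte after the checksum was written
    return bytes(base)


# Constructed samples: an NTUSER.DAT last written 2020-01-01 00:00:00 UTC
# (FILETIME 132223104000000000), in clean, dirty and damaged states.
SAMPLE_PATH = r"\??\C:\Users\alice\ntuser.dat"
SAMPLE_FILETIME = 132223104000000000
CLEAN_HIVE = build_sample_base_block(SAMPLE_PATH, 7, 7, SAMPLE_FILETIME)
DIRTY_HIVE = build_sample_base_block(SAMPLE_PATH, 8, 7, SAMPLE_FILETIME)
CORRUPT_HIVE = build_sample_base_block(SAMPLE_PATH, 7, 7, SAMPLE_FILETIME, corrupt=True)


if __name__ == "__main__":
    # Usage: python hive_header.py [path to an extracted hive]; defaults to the samples.
    images = {"clean": CLEAN_HIVE, "dirty": DIRTY_HIVE, "corrupt": CORRUPT_HIVE}
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            images = {sys.argv[1]: fh.read(BASE_BLOCK_SIZE)}
    for label, image in images.items():
        print(label, parse_base_block(image))
```

Run it against an extracted SAM, SYSTEM or NTUSER.DAT before loading the file into a viewer: a "dirty" result tells you the on-disk hive lags behind the transaction logs, and a failed checksum tells you the header has been altered or the file was not copied completely, either of which should be recorded in your notes before any findings are drawn from the hive.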

To access the live Registry of your machine, select the Start button, type regedit (the name of the executable, regedit.exe, which launches the Registry Editor) and press the Enter key. Run it as an administrator; even then, the contents of HKLM\SAM and HKLM\SECURITY are not readable by default, because those keys are permissioned for the SYSTEM account only, which is one reason examiners prefer to work with extracted hive files.

 

Figure 2

 

This will open up a window where you will see an application similar to the following:

 

Figure 3

 

The Registry Hives are on the left hand side, with the 'Keys' and 'Sub-Keys' arranged in a folder structure underneath them.  On the right you will find the 'Values' associated with those Keys and Sub-Keys.  Note that the left hand pane shows root keys rather than files: HKEY_LOCAL_MACHINE is built from the system hives and HKEY_CURRENT_USER from the logged-on user's NTUSER.DAT, while HKEY_CLASSES_ROOT and HKEY_CURRENT_CONFIG are merged views of data held in those hives.  The Registry is a huge and complex topic, and this course will cover only the keys and values which are essential to examining browser data.  However, if you are not already familiar with examining the Registry, we recommend that you take some time exploring the Registry and becoming used to navigating through its structure.

 

Please be careful when using the Registry Editor on a live system.  Some values are critical to the correct operation of the system; if you inadvertently make a change, you could render your system unstable or unusable.  Always make a backup copy prior to making any modifications: use File > Export in the Registry Editor, or the reg export command, to save the key you are about to change, and keep a copy of the hive files themselves where possible.

 
References

  1.  Microsoft Windows Registry