dockfert.blogg.se

Breach artifact meaning
Before we start, we have to mention that collecting evidence is not the sole challenge to examiners; the challenge is to locate and identify, collect, preserve, and interpret the information, whereas collecting it is only one piece of the puzzle. In this paper, we will only be able to have a glimpse of this wealth of artifacts, but its forensic significance will be immediately unveiled to us. In the first part of this series we are going to discuss the Windows registry, its structure, backups and supporting files, examples from case files which reveal how instrumental the registry might be in prosecuting suspects, and some open source tools.

Registry: what is the Windows registry and what is its structure?

The Windows registry is an invaluable source of forensic artifacts for all examiners and analysts. The registry holds configurations for Windows and is a substitute for the. It is a binary, hierarchical database, and its contents include configuration settings and data for the OS and for the different applications relying on it. The registry not only keeps records of OS and application settings, but it also monitors and records user-specific data in order to structure and enhance the user's experience during interactions with the system. Most of the time users do not interact with the registry in a straightforward manner; they interact with it indirectly via installation routines, applications, and programs, such as Microsoft Installer files. Nonetheless, system admins have the capability of interacting directly with the registry via regedit.exe (the registry editor), which comes with all varieties of Windows.

Figure 1: What the Windows registry looks like through the eyes of the registry editor, along with the registry's nomenclature.

Figure 1 gives the impression that the structure of the registry is the much familiar folder-based one, but this is merely an abstraction designed by the registry editor. In reality, the registry is just a collection of files located on the user's hard drive. Furthermore, Figure 1 reveals that the binary structure of the registry is based on cells, the notable ones being keys and values. Although additional cell types exist, it can be said that keys act as pointers to other keys (subkeys) and values, while values hold data and do not point to other keys. The registry files in charge of the system and the applications on the user's machine are located in the following path: Local Disk:\Windows\system32\config, while the registry files in charge of data related to the user and his application settings are located in the Windows user profile directory and are called ntuser.dat and usrclass.dat. Keys, subkeys, and values are typically part of different hives, which are logical groups of the former and have a set of supporting files that encompass backups of their data.

Registry hives and their supporting files as a useful additive for forensic analysts
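To make the "binary database of cells" concrete, here is an added example (not code from the original article) that parses the base block of a hive file such as ntuser.dat: it checks the regf signature and checksum, compares the two sequence numbers (a mismatch means the last write never fully reached the hive and the pending changes still sit in its transaction log supporting files), and follows the root cell offset into the first hive bin to confirm it is a key cell. The hive image it parses is constructed inside the script; the field offsets follow the documented regf/hbin on-disk layout.

```python
import struct

REGF_HEADER_SIZE = 4096   # the base block occupies the first 4 KiB of a hive file
HBIN_SIZE = 4096          # hive bins that follow it are multiples of 4 KiB


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 DWORDs preceding the stored checksum at offset 508."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        xor ^= dword
    if xor == 0:            # Windows never stores 0 or 0xFFFFFFFF as the checksum
        return 1
    return 0xFFFFFFFE if xor == 0xFFFFFFFF else xor


def parse_hive_header(data: bytes) -> dict:
    """Parse the 'regf' base block of a hive and sanity-check the first hive bin."""
    if len(data) < REGF_HEADER_SIZE + HBIN_SIZE or data[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    (primary_seq, secondary_seq, _timestamp, major, minor, file_type, _fmt,
     root_offset, hbins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    (stored_checksum,) = struct.unpack_from("<I", data, 508)
    root_abs = REGF_HEADER_SIZE + root_offset      # cell offsets are relative to the first hbin
    (cell_size,) = struct.unpack_from("<i", data, root_abs)   # negative size = allocated cell
    return {
        "version": f"{major}.{minor}",
        "is_primary_file": file_type == 0,          # 0 = primary hive file
        "checksum_ok": stored_checksum == regf_checksum(data[:REGF_HEADER_SIZE]),
        # Equal sequence numbers mean the last write was fully flushed; a mismatch means the
        # hive is dirty and the pending changes still live in its .LOG supporting files.
        "consistent": primary_seq == secondary_seq,
        "first_hbin_ok": data[REGF_HEADER_SIZE:REGF_HEADER_SIZE + 4] == b"hbin",
        "hbins_size": hbins_size,
        "root_cell_offset": root_abs,
        "root_is_key": cell_size < 0 and data[root_abs + 4:root_abs + 6] == b"nk",
    }


def build_sample_hive(primary_seq: int, secondary_seq: int) -> bytes:
    """Constructed test image: a base block plus one hbin holding an 'nk' root key cell."""
    header = bytearray(REGF_HEADER_SIZE)
    header[:4] = b"regf"
    struct.pack_into("<IIQIIIIII", header, 4, primary_seq, secondary_seq,
                     0, 1, 5, 0, 1, 0x20, HBIN_SIZE)    # version 1.5, root cell at hbin+0x20
    struct.pack_into("<I", header, 508, regf_checksum(bytes(header)))
    hbin = bytearray(HBIN_SIZE)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, HBIN_SIZE)       # this bin's offset, its size
    struct.pack_into("<i2s", hbin, 0x20, -0x60, b"nk")   # first cell right after the 32-byte bin header
    return bytes(header + hbin)
```

Run it against a hive copied from an image by passing the file's bytes to parse_hive_header; a dirty result is the cue to replay the hive's .LOG files (or use a tool that does) before trusting key contents.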