ACCESSDATA® FORENSICS Windows 7 Registry Introduction


1 ACCESSDATA® FORENSICS Windows 7 Registry Introduction
Forensic Analysis | Incident Response | eDiscovery | Information Assurance

2 Module Objectives
- Defining the Windows Registry
- Forensic benefits of the Registry
- The Registry structure
- Registry navigation
- Obtaining Registry files
- Registry search and reporting

3 What is the Registry? Microsoft definition:
“…a central hierarchical database used … to store information that is necessary to configure the system for one or more users, applications and hardware devices.”

4 Forensic Benefits of the Registry
- MRUs (most recently used lists)
- Typed URLs
- Installed applications
- Installed devices
- System time settings
- Registered user information
- Passwords and password hashes
- Internet search queries and form data
- Network settings and connection information
- Date and time information of Registry key updates

5 Hives – Symbolic Links

6 Hive Files in the File System
- HARDWARE: built in memory at boot; it has no hive file on disk
- C:\Windows\System32\config: the system hive files
- C:\Users\<username>\: the user's NTUSER.DAT hive
- C:\Users\<username>\AppData\Local\Microsoft\Windows: the user's UsrClass.dat hive
- BCD (Boot Configuration Data): introduced in Vista. In Vista / Windows Server 2008 it is in C:\Boot according to the MS TechNet article; in Windows 7 it is located in the 100 MB System Reserved partition

7 Registry Editor Navigation
Parts labelled in the Registry Editor view: Hive, Key, Sub Key, Value. Each value consists of a Value Name, a Data Type and Value data.

8 Values
- Values are associated with subkeys in name-data pairs (Name, Data)
- They are stored independently from their subkeys

9 Value Types
- REG_SZ: String Value, human readable
- REG_BINARY: Binary Value, machine readable
- REG_DWORD: Number, 4 bytes, integer / signed integer
- REG_EXPAND_SZ: takes a variable
- REG_MULTI_SZ: list of values
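The value types above are only labels; what an examiner actually receives from a hive is raw bytes plus a type code. The following decoder is an added example (not code from the presentation or from AccessData's Registry Viewer) that turns raw value data into usable Python objects for the five types on the slide: UTF-16LE strings for REG_SZ, %VARIABLE% expansion for REG_EXPAND_SZ, little-endian 4-byte integers (with a signed reinterpretation) for REG_DWORD, a NUL-separated list for REG_MULTI_SZ, and raw bytes for REG_BINARY. The sample values and the environment used for expansion are constructed for the example, not taken from a real hive.

```python
import re
import struct

# Windows Registry value type codes (winnt.h) for the five types on the slide.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7


def expand_env(text, env):
    """Expand %NAME% references in a REG_EXPAND_SZ string.

    Lookups are case-insensitive like Windows environment variables; a name
    that is not defined is left untouched (Windows does the same).
    """
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower.get(m.group(1).lower(), m.group(0)), text)


def signed_dword(value):
    """Reinterpret an unsigned 32-bit REG_DWORD as a signed integer."""
    return value - (1 << 32) if value & 0x80000000 else value


def decode_value(vtype, data, env=None):
    """Decode raw value data according to its type code.

    Strings are UTF-16LE; REG_SZ/REG_EXPAND_SZ end in one NUL and
    REG_MULTI_SZ is a run of NUL-terminated strings ended by an empty one.
    """
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        text = data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        return expand_env(text, env or {}) if vtype == REG_EXPAND_SZ else text
    if vtype == REG_DWORD:
        if len(data) != 4:
            raise ValueError(f"REG_DWORD must be 4 bytes, got {len(data)}")
        return struct.unpack("<I", data)[0]  # unsigned; see signed_dword()
    if vtype == REG_MULTI_SZ:
        items = data.decode("utf-16-le", errors="replace").split("\x00")
        while items and items[-1] == "":  # drop the list terminator(s)
            items.pop()
        return items
    # REG_BINARY, and any type this example does not know: hand back raw bytes.
    return bytes(data)


def _sz(text):
    """Encode a NUL-terminated UTF-16LE string the way the Registry stores it."""
    return (text + "\x00").encode("utf-16-le")


# Constructed sample values (not from a real hive): name, type code, raw data.
SAMPLE_VALUES = [
    ("ProductName", REG_SZ, _sz("Windows 7")),
    ("Path", REG_EXPAND_SZ, _sz(r"%SystemRoot%\system32")),
    ("Bias", REG_DWORD, struct.pack("<I", 0xFFFFFFC4)),  # -60 minutes, two's complement
    ("SearchList", REG_MULTI_SZ, _sz("corp.example") + _sz("example") + _sz("")),
    ("Blob", REG_BINARY, bytes.fromhex("0102ff")),
]

SAMPLE_ENV = {"SystemRoot": r"C:\Windows"}  # constructed environment for expansion


def decode_all(values=SAMPLE_VALUES, env=SAMPLE_ENV):
    """Decode a list of (name, type, data) triples into a name -> value dict."""
    return {name: decode_value(vtype, data, env) for name, vtype, data in values}


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:12} {value!r}")
```

Note the two views of the same DWORD: the "Bias" sample decodes to 0xFFFFFFC4 as an unsigned number and to -60 once reinterpreted as signed, which is the "Integer / Signed Integer" distinction the slide makes.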

10 Registry Viewer Navigation
- File System: C:\WINDOWS\system32\config
- Registry: HKCR, HKCU, HKLM, HKU, HKCC
Registry Viewer navigates by file rather than by hive.

11 AccessData Navigation
C:\Users\<username>\NTUSER.DAT

12 Viewing Registry Properties
RID – Offset 48-49

13 Accessing Live Registry Files
Registry Viewer cannot load the active registry files: the Windows API protects the registry files while the system is up and running.

14 Accessing Registry Files
- Live System – Regedit Export
- Live System – FTK Imager
- Live System – RegBack
- Dead Box Image – RegBack
- Dead Box Image – FTK Imager
- Dead Box Image – FTK
RegBack copies are located in C:\Windows\System32\config\RegBack and are refreshed every 10 days on Vista and every 14 days on Windows 7.
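Whichever route a hive file arrives by (Regedit export, FTK Imager, RegBack, dead box image), its base block tells the examiner whether the copy is usable before any key is browsed. The parser below is an added example (not code from the presentation or from AccessData) that reads the REGF base block of a hive file: the signature, primary and secondary sequence numbers (a mismatch means the last write never completed), the last-written FILETIME, the root cell offset and the XOR checksum Windows stores at offset 0x1FC. It also compares a live hive against its RegBack copy using the 14-day interval the slide gives for Windows 7. The hive images it works on are constructed inline by build_sample_hive() for the example; the field layout and checksum rule are those of the REGF format itself.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096       # the REGF base block is the first 4 KiB of a hive file
CHECKSUM_OFFSET = 0x1FC      # XOR checksum of the 127 DWORDs that precede it
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build the constructed samples."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def regf_checksum(block):
    """Checksum as Windows computes it: XOR of the DWORDs at 0x000..0x1FB,
    with a result of 0 stored as 1 and 0xFFFFFFFF stored as 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def parse_base_block(block):
    """Parse the REGF base block and return the indicators an examiner
    checks before trusting a hive copy."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("hive shorter than one base block")
    if block[:4] != b"regf":
        raise ValueError("bad signature: not a registry hive file")
    (seq1, seq2, ft, major, minor, ftype, fformat,
     root_cell, hbins_size, cluster) = struct.unpack_from("<IIQIIIIIII", block, 4)
    name = block[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "file_name": name,
        "version": (major, minor),
        "primary_seq": seq1,
        "secondary_seq": seq2,
        # Unequal sequence numbers mean a write was in flight when the copy was
        # taken (a "dirty" hive); the transaction log would be needed to repair it.
        "dirty": seq1 != seq2,
        "last_written": filetime_to_datetime(ft),
        "root_cell_offset": 0x1000 + root_cell,  # cell offsets are relative to the first hbin
        "hbins_data_size": hbins_size,
        "checksum_ok": stored == regf_checksum(block),
        "first_hbin_ok": block[0x1000:0x1004] == b"hbin" if len(block) >= 0x1004 else None,
    }


def build_sample_hive(name, last_written, seq1, seq2):
    """Construct a minimal hive image (base block plus one empty hbin) for the example."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    struct.pack_into("<IIQIIIIIII", block, 4, seq1, seq2, datetime_to_filetime(last_written),
                     1, 5, 0, 1, 0x20, 0x1000, 1)   # version 1.5, primary file, one 4 KiB hbin
    encoded = name.encode("utf-16-le")
    block[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    hbin = bytearray(0x1000)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 0x1000)   # hbin offset, hbin size
    return bytes(block + hbin)


def backup_age_days(live, backup):
    """Days between the live hive's last write and that of its RegBack copy."""
    return (live["last_written"] - backup["last_written"]).days


# Constructed samples: a cleanly closed live SYSTEM hive, its RegBack copy from
# 14 days earlier, and a hive whose sequence numbers show an incomplete write.
LIVE = build_sample_hive(r"config\SYSTEM", datetime(2009, 10, 22, tzinfo=timezone.utc), 12, 12)
REGBACK = build_sample_hive(r"RegBack\SYSTEM", datetime(2009, 10, 8, tzinfo=timezone.utc), 9, 9)
DIRTY = build_sample_hive(r"config\SYSTEM", datetime(2009, 10, 22, 8, 30, tzinfo=timezone.utc), 13, 12)

if __name__ == "__main__":
    for label, image in (("live", LIVE), ("regback", REGBACK), ("dirty", DIRTY)):
        print(label, parse_base_block(image))
    print("backup age (days):", backup_age_days(parse_base_block(LIVE), parse_base_block(REGBACK)))
```

On a real acquisition, read the first 8 KiB of the hive file into parse_base_block(); a false checksum_ok or a dirty flag on a RegBack or FTK Imager copy is the cue to go back to the image rather than to start searching the hive.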

15 Obtaining Registry Files

16 Applications Using the Registry
- During application use the Registry will be updated
- Some applications do not update until they are exited
- Be mindful of this when seizing a live system

17 Searching the Registry
Registry Viewer has three types of searches:
- Quick Find
- Advanced Find
- Search by Last Written Date

18 Quick Find Search
Searches in the selected key and its children.

19 Advanced Find Search
Select the search type.

20 Searching by Date

21 Registry Reports
- Reports are produced in HTML
- They display key properties

22 Summary Reports
- Allow the addition of single values
- Take wildcards on both keys and values
- Become a template for other Registry files
Summary reports are a two-step process:
- Create the report with Define
- Run it with Manage

23 Summary Reports

24 Module Review
- Defining the Windows Registry
- Forensic benefits of the Registry
- The Registry structure
- Registry navigation
- Obtaining Registry files
- Registry search and reporting
