![Page 1: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/1.jpg)
The Windows Registry as a forensic resource
Harlan Carvey
1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2005.07.003
![Page 2: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/2.jpg)
Purpose
• Discuss the structure of the Windows Registry.
• Methods for determining Registry ‘‘footprints’’ for arbitrary applications and user activity will be presented.
![Page 3: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/3.jpg)
The structure of the Registry
![Page 4: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/4.jpg)
• The Windows Registry1 is a hierarchal database used to store information about the system.
• The Registry takes the place of the configuration files (config.sys, autoexec.bat, win.ini, system.ini)
• The various hives or sections of the Registry that are persistent on the system can be found in files located in the %SYSTEMROOT%\system32\config folder.
![Page 5: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/5.jpg)
• Exception: The file that comprises the configuration settings for a specific user is found in that user’s ‘‘Documents and Settings’’ folder.
![Page 6: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/6.jpg)
The Registry as a log file
• ‘‘LastWrite’’ time: last modification time of a file.
• The forensic analyst may have a copy of the file, and the last modification time, but may not be able to determine what was changed in the file.
![Page 7: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/7.jpg)
What’s in the Registry
• 1.Autostart locations
• 2.User activity
![Page 8: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/8.jpg)
1. Autostart locations
• Used by a great many pieces of malware to remain persistent on the victim system.
• Example: HKEY_CURRENT_USER\Software\Micros-oft\Windows\CurrentVersion\Run
![Page 9: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/9.jpg)
User activity
![Page 10: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/10.jpg)
• MRU ( most recently used ) lists
• there are a number of values named for letters of the alphabet; in this case, from a through g. The MRUList entry maintains a list of which value has been most recently used.
![Page 11: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/11.jpg)
USB removable storage
![Page 12: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/12.jpg)
• The device ID for a specific device identified.
• It should be noted that not all USB thumb drives will have a serial number.
![Page 13: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/13.jpg)
Wireless SSIDs
• SSIDs (service set identifiers)
• This shows you which wireless networks you’ve connected to, and if you travel and make use of the ubiquitous wireless hotspots, you’ll see quite a few entries there.
![Page 14: The Windows Registry as a forensic resource Harlan Carvey 1742-2876/$ - see front matter a 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2005.07.003](https://reader035.vdocument.in/reader035/viewer/2022062517/56649f1d5503460f94c341b3/html5/thumbnails/14.jpg)
Summary
• The structure of the Registry