Registry Analysis What is it? What does it contain?

Upload: chancellor-sexton

Post on 15-Mar-2016


DESCRIPTION

Registry Analysis. What is it? What does it contain? Objectives: logical and physical structure of the Registry; format of Registry files; examination of the Registry; forensically important keys; analyzing Registry information. The Registry: hierarchical database. PowerPoint PPT Presentation

TRANSCRIPT

Registry Analysis

What is it? What does it contain?

Objectives

• Logical and physical structure of the Registry
• Format of Registry files
• Examination of the Registry
• Forensically important keys
• Analyzing Registry information

The Registry

• Hierarchical database
• Maintains configuration settings
  – Applications
  – Hardware
  – Devices
  – Users

Registry Access

• Regedit.exe – a “GUI” interface to the Registry
• Native to XP and above
• NT and 2000 have regedit.exe, but with limited capabilities

Physical Structure

• Binary files
• Stored in RAM and on the hard drive
• Limited data types

File Locations

Registry Data Types

• Series of nested arrays designed to store a list of resources
• A list of resources used by a physical HW device
• A list of HW resources used by a device driver

Logical Structure

• Highest level
  • My Computer
• Contains five root hives
• Each hive consists of
  • Keys
• Each key has a set of
  • <Name, Type, Value> triples
  • Subkeys

Root Hives

• HKEY_USERS
  • Contains all the actively loaded user profiles for the system
• HKEY_CURRENT_USER
  • Is the active, loaded user profile currently logged on
• HKEY_LOCAL_MACHINE
  • Contains configuration information for the system, both HW and SW

Root Hives (cont’d)

• HKEY_CURRENT_CONFIG
  • Contains the hardware profile the system uses at startup
• HKEY_CLASSES_ROOT
  • Contains configuration information for which apps open which files

Five Root Hives

• HKEY_USERS – User profiles
• HKEY_CURRENT_USER – Logged-on user profile (the current user is one of those listed in HKEY_USERS)
• HKEY_LOCAL_MACHINE – HW and SW configs
• HKEY_CURRENT_CONFIG – Startup profile
• HKEY_CLASSES_ROOT – Application-to-file mapping (this hive is subclassed to HKCU\Software\Classes and HKLM\Software\Classes)

Registry Cell Types

• Key cell
  • Key info, offsets to subkeys and LastWrite time
• Value cell
  • Holds a value name and its data
• Subkey list cell
  • Series of subkey offsets
• Value list cell
  • Series of offsets to value cells

Registry Structure

(Diagram labels: Keys, Subkeys, Values, Type, Data)

Raw Registry File

Key Cell

Value Cell
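The cell types on the slides (key cells with their LastWrite time and offsets to subkey and value lists) can be read directly from a raw hive file. The following is an added Python example, not part of the presentation: it parses the regf base block (signature, sequence numbers, checksum, root cell offset) and the root nk key cell, and builds a constructed sample hive to run against; the root key name, timestamp and embedded file name in that sample are assumptions.

```python
"""Minimal parser for a Windows registry hive ("regf"): base block, then the root key (nk) cell.
Added example, not from the slides; offsets follow the public hive format, sample bytes are constructed."""
import struct
from datetime import datetime, timedelta, timezone
HBIN_BASE = 4096  # cell offsets are relative to the first hbin, which follows the 4 KiB base block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; LastWrite times are stored this way."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def base_block_checksum(data):
    """XOR of the 127 little-endian uint32 words in the first 508 bytes of the base block."""
    csum = 0
    for word in struct.unpack_from("<127I", data): csum ^= word
    return csum

def parse_base_block(data):
    """Header facts to check first: signature, dirty state (sequence mismatch), root cell offset."""
    if data[:4] != b"regf": raise ValueError("not a regf hive")
    seq1, seq2, ft, major, minor, _t, _f, root, hbins = struct.unpack_from("<IIQIIIIII", data, 4)
    return {"version": f"{major}.{minor}", "dirty": seq1 != seq2, "root_cell": root,
            "timestamp": filetime_to_datetime(ft), "hbins_size": hbins,
            "checksum_ok": struct.unpack_from("<I", data, 508)[0] == base_block_checksum(data)}

def parse_key_cell(data, cell_off):
    """nk cell: flags, LastWrite, subkey/value counts and the offsets of their list cells."""
    pos = HBIN_BASE + cell_off
    size = struct.unpack_from("<i", data, pos)[0]  # cell header; negative size = allocated
    if data[pos + 4:pos + 6] != b"nk": raise ValueError("not a key cell")
    flags, ft = struct.unpack_from("<HQ", data, pos + 6)
    n_sub, _, sub_list, _, n_val, val_list = struct.unpack_from("<6I", data, pos + 24)
    raw = data[pos + 80:pos + 80 + struct.unpack_from("<H", data, pos + 76)[0]]
    name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")  # 0x20: ASCII name
    return {"allocated": size < 0, "is_root": bool(flags & 0x04), "name": name, "subkeys": n_sub,
            "last_write": filetime_to_datetime(ft), "subkey_list": sub_list, "values": n_val,
            "value_list": val_list}

def build_sample_hive(root_name=b"CMI-CreateHive{SAMPLE}", when=datetime(2016, 3, 15, tzinfo=timezone.utc)):
    """Construct a tiny hive (assumed values, not a real system hive): base block + one hbin with one root nk cell."""
    ft = (when - EPOCH_1601) // timedelta(microseconds=1) * 10
    nk = struct.pack("<2sHQ15IHH", b"nk", 0x2C, ft, 0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF, 0,
                     0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(root_name), 0) + root_name
    cell_size = (len(nk) + 4 + 7) // 8 * 8  # cells are 8-byte aligned; 0xFFFFFFFF offsets mean "none"
    cell = struct.pack("<i", -cell_size) + nk.ljust(cell_size - 4, b"\0")
    free = 4096 - 32 - cell_size  # rest of the hbin is one free (positive-size) cell
    hbin = struct.pack("<4sIIQQI", b"hbin", 0, 4096, 0, ft, 0) + cell + struct.pack("<i", free).ljust(free, b"\0")
    hdr = b"regf" + struct.pack("<IIQIIIIIII", 1, 1, ft, 1, 5, 0, 1, 32, 4096, 1)
    hdr = (hdr + "SYSTEM".encode("utf-16-le").ljust(64, b"\0")).ljust(508, b"\0")
    return (hdr + struct.pack("<I", base_block_checksum(hdr))).ljust(4096, b"\0") + hbin
```

On a hive pulled from an image, a sequence-number mismatch or a bad checksum tells the examiner the file was captured mid-write and the transaction logs must be applied before trusting key contents.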