Advanced digital forensic analysis of the Windows registry
WINDOWS REGISTRY FORENSICS
OBJECTIVES
CHAPTER 1 – REGISTRY FILE ACQUISITION
CHAPTER 2 – ACCESSDATA FTK IMAGER
CHAPTER 3 – REGISTRY STRUCTURE
PROJECT 4 – ISSUES IN REGISTRY ANALYSIS
INTRODUCTION
The Windows Registry is a core component of the
Windows operating systems, and it maintains a considerable
amount of configuration information about the system. In
addition, the Registry maintains historical information
about user activity; in order to provide the user with a
“better”, more personalized experience, the Registry
maintains details about applications installed and opened,
as well as window positions and sizes. This information is
maintained within the Registry in a manner similar to a log
file.
Computer forensics is the process of methodically
examining computer media (hard disks, diskettes, tapes,
etc.) for evidence. Within computer forensics, registry
forensics plays a huge role because of the amount of data
that is stored in the registry and the importance of that
data. Extracting this data is therefore highly important
when investigating. Because few tools can extract
forensically valuable data from registry files,
investigators often have to extract it manually. The
registry file format (.REG) makes extracting information a
challenging task for investigators. Registry files normally
store data under unique values called “Keys”.
REGISTRY FILE ACQUISITION
The Windows registry is a central hierarchical database
intended to store information that is necessary to
configure the system for one or more users, applications
or hardware devices. There are four main registry files:
System, Software, Security and SAM. Each registry file
contains different information under keywords. The
structure of the Windows registry is similar to file system
directories. Registry files are located at the
“C:drive/windows/system32/config/” file path. Each
registry file contains a lot of forensically valuable
information.
Investigating the Windows registry is quite a difficult task,
because in order to investigate it properly, the registry
needs to be extracted from the computer. Extraction of the
registry file is not just a normal copy and paste operation.
Since the registry files store all the configuration information of
the computer, they are updated automatically every second. In
order to extract Windows registry files from the computer,
investigators have to use third-party software such as FTK
Imager, EnCase Forensic or similar tools. FTK Imager is one of
the most widely used tools for this task. Apart from using
third-party software, some research has been carried out to
demonstrate how to extract registry information from
Windows CE memory images and volatile memory (RAM).
ACCESSDATA FTK IMAGER
AccessData FTK (Forensic Tool Kit) Imager is the most
widely used standalone disk imaging program for
extracting the Windows registry from a computer.
AccessData FTK Imager 3.2.0.0 basically scans the
hard drive in order to identify various pieces of
information. This tool can be used for a variety of
processes when extracting the Windows registry.
ACCESSDATA FTK IMAGER – EVIDENCE SOURCE TYPES
Physical Drive – Extract from a hard drive
Logical Drive – Extract from a partition
Image File – Extract from an image file
Contents of a Folder – Logical file-level analysis only: excludes deleted files and unallocated space
STEP 1 – OPEN “ACCESSDATA FTK IMAGER 3.2.0.0”.
STEP 2 – CLICK ON THE “ADD EVIDENCE ITEM” BUTTON.
STEP 3 – SELECT THE “LOGICAL DRIVE” RADIO BUTTON.
STEP 4 – SELECT THE SOURCE DRIVE.
STEP 5 – SCAN THE “MFT” BY EXPANDING THE “EVIDENCE TREE”.
STEP 6 – GO TO WINDOWS/SYSTEM32/CONFIG/.
STEP 7 – EXPORT THE REGISTRY FILES BY CLICKING THE “EXPORT FILES” BUTTON.
STEP 8 – SELECT THE DESTINATION FOLDER.
REGISTRY STRUCTURE
The structure of the Windows registry is similar to file
system directories. Both the Windows registry and the file
system are organized in a tree structure. The Windows
registry stores all configuration settings as keys. The
registry updates its stored configurations according to the
changes which are made while hardware and software are
being used. In Windows XP, 2000 and 2003 (Windows NT
based operating systems) the registry files are stored in
the configuration folder located at Windows\System32\Config.
THE FIGURE SHOWS A REGISTRY EDITOR WINDOW OF A COMPUTER. IT SHOWS
THE INTERNAL STRUCTURE OF THE REGISTRY. A HIVE IS A LOGICAL GROUP
OF KEYS, SUBKEYS AND VALUES IN THE REGISTRY THAT HAS A SET OF
SUPPORTING FILES CONTAINING BACKUPS OF ITS DATA. THERE ARE FIVE
MAIN HIVES:
HKEY_CLASSES_ROOT (HKCR)
HKEY_USERS (HKU)
HKEY_CURRENT_USER (HKCU)
HKEY_LOCAL_MACHINE (HKLM)
HKEY_CURRENT_CONFIG (HKCC)
EACH REGISTRY HIVE HAS ITS OWN SET OF SUPPORTING FILES.
ACCORDING TO MICROSOFT, THE HIVES AND THEIR SUPPORTING FILES ARE:
HKEY_CURRENT_CONFIG – System, System.alt, System.log, System.sav
HKEY_CURRENT_USER – Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM – Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security – Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software – Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System – System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT – Default, Default.log, Default.sav
IN THE HKEY_LOCAL_MACHINE HIVE, THERE ARE FIVE MAIN KEYS. EACH KEY
CONTAINS SUBKEYS WITH CONFIGURATION INFORMATION. THESE ARE:
HARDWARE
SAM (Security Accounts Manager)
SECURITY
SOFTWARE
SYSTEM
ISSUES IN REGISTRY ANALYSIS
There are a few main issues that investigators have to face when analyzing
registry files.
Data Completeness – The amount of information required for the
investigation will depend on the type of investigation. Some
investigations require more information than others. Because of
this, investigators should ensure that all the data is present and
complete. If this is not the case, the investigation may take extra
time to complete and therefore be more costly.
Missing data can be sorted into three categories of randomness:
Missing completely at random (MCAR)
Missing at random (MAR)
Missing not at random (MNAR)
Extracting Data – At present there is no technique to view
registry files in real time. With the currently available
technology, investigators can only take an image of a registry
file. The disadvantage of this is that investigators cannot collect
further information after they have captured the registry file.
Lack of Knowledge About Keys – Registry files store data under
unique keys. Some investigators do not know all the keys which
are stored in the registry files. This can lead to missing a lot of
information. There are also some instances in which it is not
possible to find out about certain keys and their stored information.
Registry File Format – Registry files are stored in the
“C:drive/windows/system32/config/” file path and they must
be ripped and converted into a readable format before
being used in an investigation.
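Two points above deserve a concrete illustration: the acquisition chapter notes that the live registry is updated constantly, so an exported hive may not be in a consistent state, and the last issue notes that the raw hive file format must be parsed before it is readable. The following is an added Python example, written for this page and not part of the presentation or of FTK Imager. It parses the 512-byte base block at the start of a hive file (the "regf" header, whose field layout is assumed from the publicly documented hive format), verifies the header's XOR checksum, reports the hive name and last-write time, and flags a "dirty" hive whose two sequence numbers disagree, which means the exported file needs its transaction log (the .log file listed in the hive table above) replayed before its contents can be trusted. The sample hive bytes are constructed inside the script rather than taken from any real system.

```python
"""Parse and sanity-check the base block of an exported Windows registry
hive file. The sample hives below are constructed in-script (not real data)."""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 512      # the hive header occupies the first 512 bytes
CHECKSUM_OFFSET = 508      # XOR checksum over the preceding 127 DWORDs


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def regf_checksum(base_block):
    """XOR of the first 127 little-endian DWORDs of the base block.
    The two reserved results (0 and 0xFFFFFFFF) are remapped as Windows does."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        xor ^= dword
    if xor == 0:
        return 1
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor


def parse_base_block(data):
    """Return the forensically useful header fields of a hive file as a dict."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file is shorter than a 512-byte base block")
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive file")
    # Assumed layout (offset 4 onwards): primary seq, secondary seq, last written
    # FILETIME, major, minor, file type, file format, root cell offset,
    # hive bins data size, clustering factor.
    (primary_seq, secondary_seq, last_written, major, minor,
     file_type, _file_format, root_cell, hbins_size, _cluster) = struct.unpack_from(
        "<IIQIIIIIII", data, 4)
    # Hive name: 64 bytes of NUL-padded UTF-16LE at offset 48
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "hive_name": name,
        "version": f"{major}.{minor}",
        "file_type": file_type,            # 0 = primary hive, 1 = transaction log
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": root_cell,
        "hbins_data_size": hbins_size,
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Unequal sequence numbers mean the last write never completed: the
        # hive is dirty and its .log transaction file must be replayed first.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == regf_checksum(data),
    }


def build_sample_hive(primary_seq, secondary_seq, name="SYSTEM"):
    """Construct a minimal hive file (base block only) for demonstration."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    last_written = 132000000000000000  # constructed FILETIME, spring 2019
    struct.pack_into("<IIQIIIIIII", block, 4, primary_seq, secondary_seq,
                     last_written, 1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


def describe_hive(data):
    """One-line triage verdict an examiner would log for an exported hive."""
    info = parse_base_block(data)
    state = "DIRTY (replay .log before analysis)" if info["dirty"] else "clean"
    integrity = "checksum ok" if info["checksum_ok"] else "CHECKSUM MISMATCH"
    return (f"{info['hive_name']} v{info['version']} last written "
            f"{info['last_written']:%Y-%m-%d %H:%M:%S} UTC: {state}, {integrity}")


if __name__ == "__main__":
    print(describe_hive(build_sample_hive(7, 7)))
    print(describe_hive(build_sample_hive(8, 7)))   # interrupted write
```

On a real export, read the file with `open(path, "rb").read()` and pass it to `describe_hive`; a dirty verdict or checksum mismatch is the cue to collect the matching .log file (and the .sav/.alt copies listed above) alongside the hive rather than analyzing the primary file alone.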