Windows registry forensics

Post on 25-Jan-2017


Taha İslam YILMAZ
Computer Engineering
TOBB ETU
ADEO IWS - Computer Forensics

WINDOWS REGISTRY

Windows Registry

• Understanding what registry means and what it does

• How windows registry is built up and what files are used

• Few important keys for forensics in registry

• Demo

Windows Registry

• Central database of Windows

• The database contains most of the settings for Windows, programs, hardware and users.

• Such as profiles for each user, the applications installed on the computer, what hardware exists on the system and the last shutdown time of the computer.

Windows Registry

• C:\Windows\System32\config (location of the hive files on disk)

Windows Registry

• HKCR - Contains information about which program opens a file when it is executed with Windows Explorer.

• HKCU - Contains the profile about the user that is logged on.

• HKLM - Contains system-wide hardware settings and configuration information.

Windows Registry

• HKU - Contains all user profiles that exist on the system. Also contains information about the type of hardware installed, default settings of software and desktop configurations. This information is used for all users who log on to this computer.

• HKCC - Contains information about the hardware profile used when the computer starts up.

Windows Registry

Windows Registry

Important information can be recovered for forensic cases:

• System Configuration

• Devices on the System

• User Names

• Web Browsing Activity

• Recent Files

Windows Registry

Reports are created with regripper_2.02

• System Configuration

• Hive : SYSTEM

Windows Registry

Reports are created with regripper_2.02

• Devices on the System

• Hive : SYSTEM

Windows Registry

Reports are created with regripper_2.02

• User Names

• Hive : SAM

Windows Registry

Reports are created with regripper_2.02

• Web Browsing Activity

• Hive : NTUSER.DAT

Windows Registry

Reports are created with regripper_2.02

• Recent Files

• Hive : NTUSER.DAT
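The slides above name the hive that each category of evidence lives in and note that the reports were produced with RegRipper. As an added example (not code from the presentation or from RegRipper), the following Python decodes three of those artifacts from raw value data the way an offline hive parser hands it over: the last shutdown time stored as a FILETIME in the SYSTEM hive (System Configuration), the RecentDocs MRU list in NTUSER.DAT (Recent Files), and the USBSTOR device key names in the SYSTEM hive (Devices on the System). The key paths in the comments are the standard Windows locations; the sample bytes and the sample key name are constructed for this example.

```python
"""Decoders for three registry artifacts named in the slides, given the raw
value bytes and key names as an offline hive tool reads them from the files.
Added example; not part of the original presentation or of RegRipper."""
import struct
from datetime import datetime, timedelta, timezone

# --- System Configuration (SYSTEM hive) -------------------------------------
# HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime is a REG_BINARY
# holding a FILETIME: 64-bit count of 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME to an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    micros = (dt - FILETIME_EPOCH) // timedelta(microseconds=1)  # exact int
    return struct.pack("<Q", micros * 10)


# --- Recent Files (NTUSER.DAT) ---------------------------------------------
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs holds
# numbered values ("0", "1", ...) whose data starts with the UTF-16LE,
# NUL-terminated file name (a shell item follows it). MRUListEx orders them,
# most recent first, as little-endian DWORD indices terminated by 0xFFFFFFFF.
def parse_mrulistex(raw: bytes) -> list[int]:
    """Return the MRU indices in order; tolerates a missing terminator."""
    order = []
    usable = raw[: len(raw) - len(raw) % 4]  # drop a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recentdoc_name(raw: bytes) -> str:
    """File name from a RecentDocs value: UTF-16LE text up to the first
    aligned double NUL. The shell item after it is not decoded here."""
    end = 0
    while end + 1 < len(raw):
        if raw[end] == 0 and raw[end + 1] == 0:
            break
        end += 2
    return raw[:end].decode("utf-16-le")


def recent_files(values: dict[str, bytes]) -> list[str]:
    """Resolve MRUListEx against the numbered values, most recent first.
    Indices with no matching value (e.g. deleted entries) are skipped."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        data = values.get(str(idx))
        if data is not None:
            names.append(recentdoc_name(data))
    return names


# --- Devices on the System (SYSTEM hive) -----------------------------------
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR has one subkey per device model,
# named like "Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>"; each of its
# own subkeys is the device instance id, usually the drive's serial number.
def parse_usbstor_key(name: str) -> dict[str, str]:
    """Split a USBSTOR device key name into its labelled fields."""
    parts = name.split("&")
    info = {"type": parts[0]}
    for part in parts[1:]:
        for prefix, field in (("Ven_", "vendor"), ("Prod_", "product"),
                              ("Rev_", "revision")):
            if part.startswith(prefix):
                info[field] = part[len(prefix):]
    return info


# Constructed sample data (not taken from any real system).
SAMPLE_SHUTDOWN = datetime_to_filetime(
    datetime(2017, 1, 25, 10, 30, tzinfo=timezone.utc))
SAMPLE_RECENTDOCS = {
    "0": "budget.xlsx".encode("utf-16-le") + b"\x00\x00",
    "1": "report.docx".encode("utf-16-le") + b"\x00\x00",
    "2": "notes.txt".encode("utf-16-le") + b"\x00\x00",
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}
SAMPLE_USBSTOR_KEY = "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"

if __name__ == "__main__":
    print("Last shutdown:", filetime_to_datetime(SAMPLE_SHUTDOWN).isoformat())
    print("Recent files :", recent_files(SAMPLE_RECENTDOCS))
    print("USB device   :", parse_usbstor_key(SAMPLE_USBSTOR_KEY))
```

The decoders take bytes and key names rather than opening the hives themselves, so they can be fed by any hive parser, and they run on an evidence copy without the live system; the only part that needs a hive library is reading the value out of the file.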

Windows Registry

DEMO : Few important keys for forensics in registry

Thank you for listening to me !