
Registry Analysis


Presentation Transcript


  1. Registry Analysis: What is it? What does it contain?

  2. Objectives
     • Logical and physical structure of the Registry
     • Format of Registry files
     • Examination of the Registry
     • Forensically important keys
     • Analyzing Registry information

  3. The Registry
     • Hierarchical database
     • Maintains configuration settings for:
       • Applications
       • Hardware
       • Devices
       • Users

  4. Registry Access
     • Regedit.exe – a GUI interface to the Registry
     • Native to XP and above
     • NT and 2000 have regedit.exe, but with limited capabilities

  5. Physical Structure
     • Binary files
     • Stored in RAM and on the hard drive
     • Limited set of data types

  6. File Locations

  7. Registry Data Types (resource-list types)
     • Series of nested arrays designed to store a list of resources
     • A list of resources used by a physical HW device
     • A list of HW resources used by a device driver

  8. Logical Structure
     • Highest level: My Computer
       • Contains five root hives
     • Each hive consists of keys
     • Each key has
       • a set of <Name, Type, Value> triples
       • subkeys

  9. Root Hives
     • HKEY_USERS
       • Contains all the actively loaded user profiles for the system
     • HKEY_CURRENT_USER
       • The active, loaded user profile currently logged on
     • HKEY_LOCAL_MACHINE
       • Contains configuration information for the system, both HW and SW

  10. Root Hives (cont’d)
     • HKEY_CURRENT_CONFIG
       • Contains the hardware profile the system uses at startup
     • HKEY_CLASSES_ROOT
       • Contains configuration information for which apps open which files

  11. Five Root Hives

  12. HKEY_USERS: User Profiles

  13. HKEY_CURRENT_USER: Logged-on user profile

  14. Current User: one of those listed in HKEY_USERS

  15. HKEY_LOCAL_MACHINE: HW and SW Configs

  16. HKEY_CURRENT_CONFIG: Startup Profile

  17. HKEY_CLASSES_ROOT: Application to File Mapping
     • This hive is a merged view built from HKCU\Software\Classes and HKLM\Software\Classes

  18. Registry Cell Types
     • Key cell
       • Key info, offsets to subkeys, and LastWrite time
     • Value cell
       • Holds a value name and its data
     • Subkey list cell
       • Series of subkey offsets
     • Value list cell
       • Series of offsets to value cells

  19. Registry Structure (diagram: Keys, Subkeys, Type, Values, Data)

  20. Raw Registry File (hex view: Key Cell, Value Cell)
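As an added example that is not part of the presentation, the following Python parser reads the two cell types slides 18 and 20 describe, the key ("nk") cell and the value ("vk") cell, and runs over a constructed hive fragment. Offsets are relative to the start of the buffer, which stands in for a hive bin (in a real hive file, cell offsets are relative to the first hbin at file offset 0x1000); the key name, value names, value data and LastWrite time are constructed sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

REG_SZ, REG_DWORD = 1, 4   # the two value data types the constructed sample uses

def cell(payload: bytes) -> bytes:
    """Wrap a payload in a hive cell: int32 size (negative = allocated), padded to 8 bytes."""
    size = (len(payload) + 4 + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def filetime_to_dt(ft: int) -> datetime:  # LastWrite is a FILETIME: 100-ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_value(buf: bytes, off: int):
    """Value cell ('vk'): name length, data size, data offset, type, flags, then the name."""
    base = off + 4
    sig, name_len, size, data_off, vtype = struct.unpack_from("<2sHIII", buf, base)
    assert sig == b"vk", "not a value cell"
    name = buf[base + 0x14:base + 0x14 + name_len].decode("latin-1") or "(Default)"
    if size & 0x80000000:   # high bit set: small data is stored in the offset field itself
        data = struct.pack("<I", data_off)[:size & 0x7FFFFFFF]
    else:                   # otherwise the offset points at a separate data cell
        data = buf[data_off + 4:data_off + 4 + size]
    if vtype == REG_SZ: return name, data.decode("utf-16-le").rstrip("\0")
    return name, struct.unpack("<I", data)[0] if vtype == REG_DWORD else data

def parse_key(buf: bytes, off: int) -> dict:
    """Key cell ('nk'): LastWrite time, subkey count, values list offset (a bare array of offsets), key name."""
    base = off + 4
    sig, _flags, last_write = struct.unpack_from("<2sHQ", buf, base)
    assert sig == b"nk", "not a key cell"
    n_sub = struct.unpack_from("<I", buf, base + 0x14)[0]
    n_vals, vlist_off = struct.unpack_from("<II", buf, base + 0x24)
    name_len = struct.unpack_from("<H", buf, base + 0x48)[0]
    name = buf[base + 0x4C:base + 0x4C + name_len].decode("latin-1")
    voffs = struct.unpack_from("<%dI" % n_vals, buf, vlist_off + 4) if n_vals else ()
    return {"name": name, "last_write": filetime_to_dt(last_write), "subkeys": n_sub, "values": dict(parse_value(buf, v) for v in voffs)}

def build_sample_fragment():
    """Constructed fragment laid out as [sz data][vk][vk][value list][nk]; returns (buf, nk offset)."""
    sz = "C:\\Program Files\\Example\0".encode("utf-16-le")
    buf = cell(sz)                                     # REG_SZ data cell at offset 0
    vk1 = len(buf); buf += cell(struct.pack("<2sHIIIHH", b"vk", 11, len(sz), 0, REG_SZ, 1, 0) + b"InstallPath")
    vk2 = len(buf); buf += cell(struct.pack("<2sHIIIHH", b"vk", 7, 0x80000004, 1, REG_DWORD, 1, 0) + b"Enabled")
    vlist = len(buf); buf += cell(struct.pack("<II", vk1, vk2))
    nk = bytearray(0x4C)
    struct.pack_into("<2sHQ", nk, 0, b"nk", 0x20, 132_000_000_000_000_000)  # constructed LastWrite (2019-04-17)
    struct.pack_into("<II", nk, 0x24, 2, vlist)                            # two values, zero subkeys
    struct.pack_into("<H", nk, 0x48, 7)                                    # len("Example")
    nk_off = len(buf); buf += cell(bytes(nk) + b"Example")
    return buf, nk_off
```

Walking a real hive follows the same pattern, starting from the root key offset in the "regf" base block and recursing through the subkey list cells.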
