Difference between revisions of "Windows Registry"
From Forensics Wiki
(Added file locations) |
m (→Bibliography) |
||
| Line 1: | Line 1: | ||
==Bibliography== | ==Bibliography== | ||
| + | * [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009 | ||
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]] | * Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]] | ||
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf] | * [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf] | ||
Revision as of 11:50, 26 October 2009
Contents |
Bibliography
- Using ShellBag Information to Reconstruct User Activities., Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
- Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [paper] [slides]
- [1]
- Forensic Analysis of the Windows Registry in Memory, Brendan Dolan-Gavitt, DFRWS 2008 [slides]
- Forensic Analysis of the Windows Registry, Peter Davies, Computer Forensics: Coursework 2 (student paper)
- A Windows Registry Quick-Reference, Derrick Farmer, Burlington, VT.
- The Windows Registry as a forensic resource, Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
- Forensic Analysis of the Windows Registry, Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
- The Windows NT Registry File Format, Timothy D. Morgan
File Locations
Windows XP
- HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
- HKEY_USERS/DEFAULT: \Windows\system32\config\default
- HKEY_LOCAL_MACHIN/SAM: \Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
- HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system
Windows 98/ME
- \Windows\user.dat
- \Windows\system.dat
- \Windows\profiles\user profile\user.dat
Tools
Open Source
- reglookup — "small command line utility for reading and querying Windows NT-based registries."
- regviewer — a tool for looking at the registry.
- RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
Commercial
- Abexo Free Regisry Cleaner
- Auslogics Registry Defrag
- Alien Registry Viewer
- NT Registry Optimizer
- iExpert Software-Free Registry Defrag
- Registry Undelete (russian)
- Windows Registry Recovery
- Registry Tool
