Difference between revisions of "Windows Registry"
From Forensics Wiki
(→Freeware) |
Joachim Metz (Talk | contribs) (→Open Source) |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 21: | Line 21: | ||
===Open Source=== | ===Open Source=== | ||
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan | * [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan | ||
| + | * [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool | ||
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries." | * [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries." | ||
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry. | * [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry. | ||
| Line 28: | Line 29: | ||
* [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by Andrew Case | * [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by Andrew Case | ||
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by Andrew Case | * [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by Andrew Case | ||
| + | * [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format | ||
===Freeware=== | ===Freeware=== | ||
| Line 34: | Line 36: | ||
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X. | * [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X. | ||
| − | * [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae'' - Computer Account Forensic Artifact Extractor | + | * [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives. |
===Commercial=== | ===Commercial=== | ||
Revision as of 00:31, 8 June 2012
Contents |
File Locations
The Windows Registry is stored in multiple files.
Windows NT 4
In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format.
Basically the following Registry hives are stored in the corresponding files:
- HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
- HKEY_USERS/DEFAULT: \Windows\system32\config\default
- HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
- HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system
Windows 98/ME
- \Windows\user.dat
- \Windows\system.dat
- \Windows\profiles\user profile\user.dat
Tools
Open Source
- Forensic Registry EDitor (fred) - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan
- libregfi - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
- reglookup — "small command line utility for reading and querying Windows NT-based registries."
- regviewer — a tool for looking at the registry.
- RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
- Parse::Win32Registry Perl module.
- python-registry Python module.
- Registry Decoder offline analysis component, by Andrew Case
- RegDecoderLive live hive acquisition component, by Andrew Case
- libregf - Library and tools to access the Windows NT Registry File (REGF) format
Freeware
- Yet Another Registry Utility (yaru) Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
- Windows ShellBag Parser Free tool that can be run on Windows, Linux or Mac OS-X.
- cafae - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
Commercial
- Abexo Free Regisry Cleaner
- Auslogics Registry Defrag
- Alien Registry Viewer
- NT Registry Optimizer
- iExpert Software-Free Registry Defrag
- Registry Undelete (russian)
- Windows Registry Recovery
- Registry Tool
Bibliography
- Using ShellBag Information to Reconstruct User Activities., Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
- Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [paper] [slides]
- Registry Examination, by Paul Davies
- Forensic Analysis of the Windows Registry in Memory, Brendan Dolan-Gavitt, DFRWS 2008 [slides]
- Forensic Analysis of the Windows Registry, Peter Davies, Computer Forensics: Coursework 2 (student paper)
- A Windows Registry Quick-Reference, Derrick Farmer, Burlington, VT.
- The Windows Registry as a forensic resource, Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
- Forensic Analysis of the Windows Registry, Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
- The Windows NT Registry File Format, Timothy D. Morgan
See Also
- Windows Incident Response Articles on Registry
- Windows Registry Information
- Wikipedia Article on Windows Registry
- Push the Red Button — Articles on Registry
- Windows Forensics Mailing List
- kregedit - a KDE utility for viewing and editing registry files.
- ntreg a file system driver for linux, which understands the NT registry file format.
- Security Accounts Manager
- http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
