==File Locations==
The Windows Registry is stored in multiple files.
===Windows NT 4===
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.
The Registry hives are stored in the following files:
* HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
* HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
===Windows 98/ME===
* \Windows\user.dat
* \Windows\system.dat
* \Windows\profiles\user profile\user.dat
== Keys ==
=== Run/RunOnce ===
Per user:
== Special cases ==
The Windows Registry has several special case scenarios, mainly concerning key and value names, that most tools fail to account for:
* special characters in key and value names
* duplicate key and value names
* names stored in extended ASCII (ANSI strings) use a codepage that depends on the system settings, not on the hive itself
===Special characters in key and value names===
Both key and value names are case insensitive. The \ character is used as the key separator. Note
that the \ character can also appear in value names, so a value name cannot be recovered by splitting a joined "key\value" string on its last \. The / character is used in both key and value names.
Some examples are:
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
Value: Size/Small/Medium/Large
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
Value: \Device\Video0
Value: SchemaFile
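The following is an added example, not code from this page or from any of the tools listed below, showing how a parser can honour the special cases described above: key paths are split on \ but value names never are, lookups compare names case-insensitively, duplicate value names are kept as a list rather than overwritten, and ANSI names are decoded with a codepage the caller supplies because the hive does not record it. The Hive, Key and Value classes, naive_split and build_sample_hive are assumptions of this example; the sample hive contents are constructed from the Key/Value examples above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Value:
    name: str
    data: bytes


@dataclass
class Key:
    name: str
    subkeys: Dict[str, "Key"] = field(default_factory=dict)  # keyed by name.lower()
    values: List[Value] = field(default_factory=list)        # a list, so duplicate names survive


def decode_name(raw: bytes, is_unicode: bool, ansi_codepage: str) -> str:
    """Decode a key or value name. UTF-16LE names are unambiguous; ANSI names
    are interpreted with the codepage of the system that wrote the hive,
    which the caller must know (assumption: it is passed in explicitly)."""
    if is_unicode:
        return raw.decode("utf-16-le")
    return raw.decode(ansi_codepage)


class Hive:
    """Minimal in-memory hive (hypothetical, for illustration only)."""

    def __init__(self) -> None:
        self.root = Key("")

    @staticmethod
    def _parts(key_path: str) -> List[str]:
        # Only the KEY path is split on '\'; value names are never split.
        return [p for p in key_path.split("\\") if p]

    def add_key(self, key_path: str) -> Key:
        node = self.root
        for part in self._parts(key_path):
            # Lower-cased lookup key, original spelling kept for display.
            node = node.subkeys.setdefault(part.lower(), Key(part))
        return node

    def add_value(self, key_path: str, name: str, data: bytes) -> None:
        self.add_key(key_path).values.append(Value(name, data))

    def get_key(self, key_path: str) -> Optional[Key]:
        node: Optional[Key] = self.root
        for part in self._parts(key_path):
            node = node.subkeys.get(part.lower()) if node is not None else None
        return node

    def get_values(self, key_path: str, name: str) -> List[Value]:
        """Case-insensitive match that returns every value with that name."""
        key = self.get_key(key_path)
        if key is None:
            return []
        return [v for v in key.values if v.name.lower() == name.lower()]


def naive_split(full_path: str) -> Tuple[str, str]:
    """The common mistake: treat the last '\\' of a joined "key\\value" string
    as the boundary between key path and value name."""
    key, _, value = full_path.rpartition("\\")
    return key, value


def build_sample_hive() -> Hive:
    # Constructed sample data mirroring the Key/Value examples in the text.
    h = Hive()
    netbt = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters"
    disc = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc"
    h.add_value(netbt, "Size/Small/Medium/Large", b"\x01\x00\x00\x00")
    h.add_value(disc, r"\Device\Video0", b"\x00")
    h.add_value(disc, "SchemaFile", b"a")
    h.add_value(disc, "SchemaFile", b"b")  # duplicate value name, both kept
    return h


if __name__ == "__main__":
    hive = build_sample_hive()
    disc = r"hkey_local_machine\system\controlset001\control\terminal server\video\disc"
    print(hive.get_values(disc, r"\DEVICE\VIDEO0"))          # found despite case and '\'
    print(naive_split(disc + "\\" + r"\Device\Video0"))       # wrong boundary
    print(decode_name(b"\xe9", False, "cp1252"), decode_name(b"\xe9", False, "cp437"))
```

Storing the key path and the value name as a pair, rather than as one joined string, is what keeps the \Device\Video0 case correct; the same lookup on the naively split pair finds nothing.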
===Open Source===
* [ Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan
* [ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
* [ reglookup] - "small command line utility for reading and querying Windows NT-based registries."
* [ regviewer] - a tool for looking at the registry.
* [[Regripper|RegRipper]] - "the fastest, easiest, and best tool for registry analysis in forensics examinations."
* [ Parse::Win32Registry] Perl module.
* [ python-registry] Python module.
* [ Registry Decoder] offline analysis component, by Andrew Case
* [ RegDecoderLive] live hive acquisition component, by Andrew Case
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
* [ Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
* [ Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
* [ ''cafae''] - Computer Account Forensic Artifact Extractor. Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
* [ Abexo Free Registry Cleaner]
* [ Auslogics Registry Defrag]
* [ Alien Registry Viewer]
* [ NT Registry Optimizer]
* [ iExpert Software-Free Registry Defrag]
* [ Registry Undelete (Russian)]
* [ Windows Registry Recovery]
* [ Registry Tool]
==Bibliography==
* [ Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu, Pavel Gladyshev, Joshua James, DFRWS 2009
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [ [paper]] [ [slides]]
* [ Registry Examination, by Paul Davies]
* [ Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [ [slides]]
* [ Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
* [ A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
* [ The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
* [ Forensic Analysis of the Windows Registry], Lih Wern Wong, School of Computer and Information Science, Edith Cowan University
* [ The Windows NT Registry File Format], Timothy D. Morgan
==See Also==
* [ Windows Incident Response Articles on Registry]
* [ Windows Registry Information]
* [ Wikipedia Article on Windows Registry]
* [ Push the Red Button] - Articles on Registry
* [ Windows Forensics Mailing List]
* [ kregedit] - a KDE utility for viewing and editing registry files.
* [ ntreg] - a file system driver for Linux which understands the NT registry file format.
* [ Security Accounts Manager]
* Open Source Forensic Tools on Brian Carrier's website.