ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Windows Registry" and "SimCardPurdue"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Open Source)
 
(This has been removed from Purdue)
 
Line 1: Line 1:
==File Locations==
 
The Windows Registry is stored in multiple files.
 
  
===Windows NT 4 ===
 
In Windows NT 4 (and later) the Registry is stored in the [[Windows NT Registry File (REGF)]] format.
 
 
Basically the following Registry hives are stored in the corresponding files:
 
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
 
* HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
 
* HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
 
* HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
 
* HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
 
* HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
 
 
===Windows 98/ME===
 
* \Windows\user.dat
 
* \Windows\system.dat
 
* \Windows\profiles\user profile\user.dat
 
 
== Keys ==
 
 
=== Run/RunOnce ===
 
System-wide:
 
<pre>
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 
</pre>
 
 
Per user:
 
<pre>
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
 
</pre>
 
 
== Special cases ==
 
The Windows Registry has several special case scenarios, mainly concerning key and value name, that most tools fail to account for:
 
* special characters key and value names
 
* duplicate key and value names
 
* the names when stored in extended ASCII (ANSI string) use a codepage that is dependent on the system settings
 
 
=== special characters key and value names ===
 
Both key and values names are case insensitive. The \ character is used as the key separator. Note
 
that the \ character can be used in value names. The / character is used in both key and value names.
 
Some examples of which are:
 
<pre>
 
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetBT\Parameters\
 
Value: Size/Small/Medium/Large
 
</pre>
 
 
<pre>
 
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\VIDEO\disc\
 
Value: \Device\Video0
 
</pre>
 
 
<pre>
 
Key:
 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\xmlprov\Parameters\SchemaGroups\User\http://www.microsoft.com/provisioning/eaptlsuserpropertiesv1\
 
Value: SchemaFile
 
</pre>
 
 
==Tools==
 
===Open Source===
 
* [https://www.pinguin.lu/index.php Forensic Registry EDitor (fred)] - "Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor" by Gillen Dan
 
* [http://projects.sentinelchicken.org/data/doc/reglookup/regfi/ libregfi] - The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
 
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
 
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.
 
* [[Regripper|RegRipper]] — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
 
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] Perl module.
 
* [http://www.williballenthin.com/registry/index.html python-registry] Python module.
 
* [http://code.google.com/p/registrydecoder/ Registry Decoder] offline analysis component, by Andrew Case
 
* [http://code.google.com/p/registrydecoder/ RegDecoderLive] live hive acquisition component, by Andrew Case
 
* [[libregf]] - Library and tools to access the Windows NT Registry File (REGF) format
 
 
===Freeware===
 
* [http://www.tzworks.net/prototype_page.php?proto_id=3 Yet Another Registry Utility (yaru)] Free tool that can be run on Windows, Linux or Mac OS-X. If run in admin mode, allows viewing of registry hives on live system.
 
 
* [http://www.tzworks.net/prototype_page.php?proto_id=14 Windows ShellBag Parser] Free tool that can be run on Windows, Linux or Mac OS-X.
 
 
* [http://tzworks.net/prototype_page.php?proto_id=19 ''cafae''] - Computer Account Forensic Artifact Extractor.  Free tool that can be run on Windows, Linux or Mac OS-X to parse ntuser.dat hives.
 
 
===Commercial===
 
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
 
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
 
* [http://lastbit.com/arv/ Alien Registry Viewer]
 
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
 
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
 
* [http://paullee.ru/regundel Registry Undelete (russian)]
 
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 
* [http://registrytool.com/ Registry Tool]
 
 
==Bibliography==
 
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
 
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
 
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination, by Paul Davies]
 
 
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008  [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
 
* [http://www.pkdavies.co.uk/downloads/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
 
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
 
 
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
 
 
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
 
 
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
 
 
==See Also==
 
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
 
* [http://www.answers.com/topic/win-registry Windows Registry Information]
 
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]
 
[[Category:Bibliographies]]
 
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
 
* [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
 
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
 
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
 
 
* http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
 

Latest revision as of 02:58, 31 May 2012