Difference between revisions of "Windows Registry"

From Forensics Wiki
Jump to: navigation, search
(Windows XP)
Line 1: Line 1:
==Bibliography==
 
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
 
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
 
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination, by Paul Davies]
 
 
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008  [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
 
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
 
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
 
 
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
 
 
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
 
 
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
 
 
 
==File Locations==
 
==File Locations==
 +
The Windows Registry is stored in multiple files.
 +
 
===Windows XP===
 
===Windows XP===
 
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
 
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
Line 44: Line 31:
 
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 
* [http://mitec.cz/wrr.html Windows Registry Recovery]
 
* [http://registrytool.com/ Registry Tool]
 
* [http://registrytool.com/ Registry Tool]
 +
 +
==Bibliography==
 +
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
 +
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
 +
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination, by Paul Davies]
 +
 +
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008  [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
 +
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
 +
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
 +
 +
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
 +
 +
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
 +
 +
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
  
 
==See Also==
 
==See Also==
Line 54: Line 56:
 
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
 
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.  
 
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.  
 
+
* [http://www.beginningtoseethelight.org/ntsecurity/ Security Accounts Manager]
  
 
* http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
 
* http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.

Revision as of 01:45, 15 September 2010

Contents

File Locations

The Windows Registry is stored in multiple files.

Windows XP

  • HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
  • HKEY_USERS/DEFAULT: \Windows\system32\config\default
  • HKEY_LOCAL_MACHINE/SAM: \Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
  • HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system

Windows 98/ME

  • \Windows\user.dat
  • \Windows\system.dat
  • \Windows\profiles\user profile\user.dat

Tools

Open Source

  • reglookup — "small command line utility for reading and querying Windows NT-based registries."
  • regviewer — a tool for looking at the registry.
  • RegRipper — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
  • Parse::Win32Registry perl module.

Commercial

Bibliography

See Also