Registry Forensics

The Windows Registry is a central hierarchical database that stores configuration settings for applications, hardware devices, and users. Beyond system configuration, the Registry maintains extensive records of user activities, recently accessed files, and connected devices, making it a valuable source of forensic evidence.

For forensic analysts and system administrators, the Registry provides crucial insights into system usage patterns and potential security incidents that may not be visible through other investigative methods.

Windows Registry Structure

Prior to Windows 95, system configuration was managed through individual files such as autoexec.bat, config.sys, win.ini, and system.ini. The Registry replaced this fragmented approach with a centralized database presented through five root keys. Only two of them, HKEY_LOCAL_MACHINE and HKEY_USERS, are backed directly by hive files on disk (SYSTEM, SOFTWARE, SAM and SECURITY under %SystemRoot%\System32\config, plus NTUSER.DAT and UsrClass.dat in each user profile); the other three are links or merged views into those two, which matters when you work from a disk image rather than a live system:

  • HKEY_CLASSES_ROOT - File association information determining which applications open specific file types (a merged view of HKLM\Software\Classes and HKCU\Software\Classes)

  • HKEY_CURRENT_USER - The loaded profile of the currently logged-on user (a link to HKEY_USERS\<SID>, backed by that user's NTUSER.DAT)

  • HKEY_LOCAL_MACHINE - System-wide configuration, including hardware and software settings

  • HKEY_USERS - All user profiles currently loaded on the system, one subkey per SID

  • HKEY_CURRENT_CONFIG - The hardware profile used during system startup (a link into HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current)

Figure: Windows Registry hive structure. The Registry root with its five root keys: HKEY_CLASSES_ROOT (file associations), HKEY_CURRENT_USER (user settings), HKEY_LOCAL_MACHINE (system configuration), HKEY_USERS (all user profiles), HKEY_CURRENT_CONFIG (hardware profile).

Registry Forensic Analysis

When investigating unauthorized system access or malicious activity, forensic analysts can examine specific Registry keys to reconstruct user actions and system events. The Registry is not a log, but many keys are written as a side effect of ordinary user and system activity, and those side effects persist after the activity itself is over, which is what makes them useful for establishing the scope and nature of an incident.

Key Forensic Registry Locations

Recent User Commands

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

This key records commands entered into the Run dialog (Win+R). Each command is stored under a single-letter value name (a, b, c, ...) with the data suffixed by "\1", and the MRUList value holds those letters in most-recent-first order, so the key yields a sequence, not just a set. It reveals tools the user launched by hand, including command-line utilities and potentially malicious executables, but it does not capture commands typed inside an already-open cmd.exe or PowerShell window. Because it lives under HKEY_CURRENT_USER, it is read from the NTUSER.DAT of the user being investigated.
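The following PowerShell function, added here as an example rather than taken from the article, reconstructs the Run-dialog history in the order given by MRUList. It assumes a live system and the current user's hive; the -Path parameter is there so it can be pointed at a hive loaded from an image (for example after reg load HKU\Evidence C:\case\NTUSER.DAT).

```powershell
# Added example (not part of the original article): list RunMRU entries
# in most-recent-first order as recorded by the MRUList value.
function Get-RunMruHistory {
    param(
        # Assumption: live system, current user. Override for a loaded offline hive.
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    )
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path

    # MRUList is a string of single-letter value names, most recent first.
    $order = [string]$key.MRUList
    $rank = 0
    foreach ($letter in $order.ToCharArray()) {
        $name = [string]$letter
        $raw  = $key.$name
        if ($null -eq $raw) { continue }     # MRUList can reference a deleted value

        # Each entry is stored as "<command>\1"; strip the trailing marker.
        $cmd = $raw -replace '\\1$', ''
        $rank++
        [pscustomobject]@{
            Rank      = $rank
            ValueName = $name
            Command   = $cmd
        }
    }
}

Get-RunMruHistory | Format-Table -AutoSize
```

Reading the letters through MRUList rather than enumerating the values alphabetically is the point: value names are reused as entries age out, so alphabetical order says nothing about when a command was run.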

USB Device History

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Records every USB mass-storage device that has been connected to the system and not since purged by a user or a device-cleanup tool. Each device gets a subkey named from its vendor, product and revision strings (for example Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00), and beneath it one subkey per instance, named by the device's serial number. If the second character of that instance name is an ampersand, the device reported no unique serial and Windows generated the identifier, so it cannot be matched to a specific physical unit. These entries help identify data exfiltration attempts or unauthorized device usage. On an offline SYSTEM hive there is no CurrentControlSet; use the ControlSetNNN named by the Select\Current value instead.

Mounted Storage Devices

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

Maps the volumes the operating system has recognized to their device identifiers. Value names are either drive letters (\DosDevices\E:) or volume GUIDs (\??\Volume{...}); the data is binary and, for USB volumes, is a UTF-16LE string that embeds the same USBSTOR device path and serial number seen under Enum\USBSTOR. Matching the two keys therefore tells you which drive letter a given USB device was assigned. Only the most recent assignment for each letter is kept, and entries for volumes that are no longer attached remain until the letter is reused, which is how devices that were removed after the activity of interest still show up.
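The function below, added as an example and not the article's own code, combines the two keys just described: it decodes MountedDevices, indexes the USB entries by serial number, then walks USBSTOR and reports each device with the drive letters and volume GUIDs it was mounted as. Defaults assume a live system; for a SYSTEM hive from an image, load it with reg load HKLM\Evidence C:\case\SYSTEM and call it with -SystemHive 'HKLM:\Evidence' -ControlSet 'ControlSet001' (the control set name is an assumption to check against Select\Current).

```powershell
# Added example (not part of the original article): correlate USBSTOR device
# instances with the drive letters / volume GUIDs recorded in MountedDevices.
function Get-UsbStorageHistory {
    param(
        # Assumptions: live system and the active control set. Override both
        # when the SYSTEM hive has been loaded from a disk image.
        [string]$SystemHive = 'HKLM:\SYSTEM',
        [string]$ControlSet = 'CurrentControlSet'
    )
    $usbstorPath = "$SystemHive\$ControlSet\Enum\USBSTOR"
    $mountedPath = "$SystemHive\MountedDevices"   # MountedDevices sits beside the control sets, not inside one

    # Index MountedDevices by USB serial. Each value is REG_BINARY holding a
    # UTF-16LE string; USB volumes look like
    #   _??_USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#<serial>#{volume-class-guid}
    $mounts = @{}
    if (Test-Path $mountedPath) {
        $md = Get-Item $mountedPath
        foreach ($name in $md.GetValueNames()) {
            $bytes = $md.GetValue($name)
            if ($bytes -isnot [byte[]]) { continue }
            $text = [System.Text.Encoding]::Unicode.GetString($bytes)
            if ($text -notmatch '^_\?\?_USBSTOR#([^#]+)#([^#]+)#') { continue }
            $serial = $Matches[2]
            if (-not $mounts.ContainsKey($serial)) { $mounts[$serial] = @() }
            $mounts[$serial] += $name          # e.g. \DosDevices\E: or \??\Volume{...}
        }
    }

    if (-not (Test-Path $usbstorPath)) { return @() }
    foreach ($device in Get-ChildItem $usbstorPath) {
        # $device.PSChildName is Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
        foreach ($instance in Get-ChildItem $device.PSPath) {
            $serial = $instance.PSChildName
            $props  = Get-ItemProperty $instance.PSPath
            [pscustomobject]@{
                Device          = $device.PSChildName
                Serial          = $serial
                # Second character '&' means Windows generated the ID: no real serial.
                GeneratedSerial = ($serial.Length -gt 1 -and $serial[1] -eq '&')
                FriendlyName    = $props.FriendlyName
                MountPoints     = ($mounts[$serial] -join ', ')
            }
        }
    }
}

Get-UsbStorageHistory | Format-Table -AutoSize
```

A device that appears in USBSTOR with an empty MountPoints column was enumerated but its letter has since been reassigned to another volume, so the absence of a mount point is not evidence that the device was never usable.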

Recently Used Applications

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

Records recently used applications, revealing user behavior patterns and potentially identifying unauthorized software. This key is only present on some Windows 10 builds; where it exists, each subkey is named by a GUID and holds the application identifier, a last-access timestamp and a launch count, with a RecentItems subkey listing files opened through that application. Its absence on a given system is not itself suspicious.

Web Browser Activity

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

Holds the addresses a user typed or pasted into the Internet Explorer address bar, as values url1, url2, ... with url1 the most recent. Its value is that it separates deliberate navigation from links that were merely clicked, which ordinary browser history does not distinguish. From Internet Explorer 10 onwards the sibling key TypedURLsTime stores, under the same value names, a 64-bit FILETIME for each entry. Neither key is written by Chromium-based Edge or third-party browsers, so on a current Windows installation they mostly reflect legacy or scripted IE use.
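As an added example (not code from the article), this PowerShell function pairs each TypedURLs entry with its FILETIME from TypedURLsTime and returns them in url1, url2, ... order. It assumes the current user's hive on a live system; the -Base parameter lets it be pointed at a loaded NTUSER.DAT.

```powershell
# Added example (not part of the original article): list typed IE URLs
# together with the UTC timestamp recorded in TypedURLsTime.
function Get-TypedUrlHistory {
    param(
        # Assumption: live system, current user. Override for a loaded offline hive.
        [string]$Base = 'HKCU:\Software\Microsoft\Internet Explorer'
    )
    $urlPath  = "$Base\TypedURLs"
    $timePath = "$Base\TypedURLsTime"
    if (-not (Test-Path $urlPath)) { return @() }

    $urls  = Get-Item $urlPath
    $times = if (Test-Path $timePath) { Get-Item $timePath } else { $null }

    # Value names are url1, url2, ...; sort numerically so url10 follows url9.
    $names = $urls.GetValueNames() |
        Where-Object { $_ -match '^url(\d+)$' } |
        Sort-Object { [int]($_ -replace '^url', '') }

    foreach ($name in $names) {
        $typed = $null
        if ($times) {
            $raw = $times.GetValue($name)
            # TypedURLsTime holds an 8-byte REG_BINARY FILETIME; all-zero means unknown.
            if ($raw -is [byte[]] -and $raw.Length -eq 8) {
                $ft = [BitConverter]::ToInt64($raw, 0)
                if ($ft -gt 0) { $typed = [datetime]::FromFileTimeUtc($ft) }
            }
        }
        [pscustomobject]@{
            Order    = [int]($name -replace '^url', '')
            Url      = $urls.GetValue($name)
            TypedUtc = $typed
        }
    }
}

Get-TypedUrlHistory | Format-Table -AutoSize
```

Timestamps come out in UTC; convert with .ToLocalTime() only after you have established the time zone the machine was actually using, which is itself recorded in HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation.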

Common Forensic Indicators

Registry Key      Forensic Value                 Investigation Focus
RunMRU            Run-dialog command history     Malware execution, system tampering
USBSTOR           Connected USB storage devices  Data exfiltration, unauthorized access
MountedDevices    Volume to drive-letter mapping Which USB device held which letter
RecentApps        Application usage patterns     Unauthorized software, privacy tools
TypedURLs         Manual web navigation          Intentional visits to malicious sites

Conclusion

Registry forensic analysis gives investigators a view of system and user activity that is often unavailable through other methods. By examining the keys above, analysts can reconstruct timelines of user actions, identify unauthorized access attempts, and uncover evidence of malicious activity for incident response and legal proceedings. Registry artifacts should still be corroborated: a RunMRU entry shows that a command was entered, not that the program ran successfully, and a USBSTOR entry shows that a device was enumerated, not what was copied to it, so correlate with event logs, prefetch, and file-system timestamps before drawing conclusions.

Updated on: 2026-03-16T23:36:12+05:30
