Registry Forensic

The Windows Registry also holds information regarding recently accessed files and considerable information about user activities, besides configuration information. Hence, this article serves the purpose is to provide you with a depth understanding of the Registry and Wealth of information it holds. Today most administrators and forensic analysts, the registry probably looks like the entrance to a dark.

Windows Registry

The system was largely managed by several files-specifically, autoexec.bat, config.sys, win.ini (on windows) and system.ini. So, various settings within these files determined what programs were loaded and how the system looked and responded to user input, a central hierarchical database that maintains configuration settings for the application, hardware devices, and users. When the administrator or Forensics expects opens Regedit.exe, he sees a tree-like structure with five root folders, or “hives”. HKEY_CLASSES_ROOT hive contains configuration information relating to which application is used to open various files on the system.

  • HKEY_CURRENT_USER − loaded user profile for the currently logged-on-user.

  • HKEY_LOCAL_MACHINE−contains a vast configuration information for the system, including hardware settings and software settings.

  • HKEY_USERS− contains all the actively loaded user profile for that system

  • HKEY_CURRENT_CONFIG−contains the hardware profile the system uses at startup.

Registry Forensic

Suppose your computer lies in the hand of a malicious person without your consent. Then how can you determine, what exactly he would have done to your computer. You can track his activity through inspecting the registry as follows −

  • Most Recent User list


    It contains with the information provided from the RunMRU key, an examiner can gain better understanding fo the user they are investigating and the application that is being used. In this above figure, you can see the user has opened cmd, Notepad, MSPaint etc.

  • USB Connection


    This key stores the contents of the product and device ID values of any USB devices that have ever been connected to the system.

  • Attached Hardware List − ( HKEY_LOCAL_MACHINE\SYSTEM|MountedDevices.)

    This information can be useful to a forensic examiner as it shows any connected storage device has been recognized by the operating system. If the examiner notes a discrepancy between the physically attached devices and the ones reported here, it can be an indication that some device was removed prior to the evidence being seized.

  • Malicious Software Running − (HKEY_CURRENT_USER\Software\ )

    This information will be quite informatic for Forensics Examiner as it could see the hacker used VPN such as CyberGhost which is used for being anonymous.

  • Recent Applications Used


    By navigating to the said key will give information for last accessed applications list by the user.

  • Internet Explorer information

    (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs.)

    Internet Explorer is the native Web browser in Windows operating system. It utilizes the Registry extensively in the storage of data, like many applications. From the said key, we can obtain such information.

Updated on: 18-Mar-2020

2K+ Views

Kickstart Your Career

Get certified by completing the course

Get Started