=============================
Windows Registry
=============================
This is a store of everything - The soul of the computer
It can give you EVERYTHING
It links the User to the Computer
The Registry in a computer running Windows acts as a blueprint for the computer system and consists of a series of:
Although the Registry has differences across all Windows OSs, there are some fundamental similarities which are worthy of note. The Registry is a specialised area of a Windows PC, and care should always be taken when directly accessing the files and keys contained within it.
NOTE:
NEVER work directly on the Suspect Machine registry.
Use FTK or similar tools to capture the Registry files to a safe location.
There are 5 major sections called 'HIVES' (HKEY)
Each hive contains settings and registry keys and acts as a top level 'folder' for a specific area of the system.
HKEY_CLASSES_ROOT (HKCR)
Holds file extension information and identifiers which determine which applications / programs are used for specific file types and processes.
Can be used to block applications
Not very useful in an investigation
HKEY_CURRENT_USER (HKCU)
Contains configuration information for Windows and software specific to the currently logged in user.
This includes settings that control printers, desktop configurations, control panel settings and keyboard layout.
The user's 'name' here is their SID
When a new user is created it is given a unique SID (Security Identifier)
The first user is set to Admin status.
Particularly useful:
HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs
Recently accessed documents and files.
HKCU/Software/Microsoft/Windows/Internet Explorer/TypedURLs
HKCU/Software/Microsoft/Windows/Internet Explorer/TypedURLsTime
HKEY_LOCAL_MACHINE (HKLM)
Contains the majority of the configuration information for the hardware, software and Windows OSs
Also the boot configuration settings for Windows Vista machines and newer.
Particularly useful:
HKLM/SYSTEM/CurrentControlSet/Enum/USBSTOR
Connected USB devices - USBDeview puts this in a user friendly format.
HKLM/SOFTWARE
Any uninstalled software / applications
HKLM/SYSTEM/CurrentControlSet/Tcpip/Parameters/Interfaces
Previous networks
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Network/Profiles/
View WIFI Profiles
HKEY_USERS (HKU)
Contains user-specific configuration information for all currently active users on the computer (all users who have a logon to the computer)
Each registry key located here corresponds to a user on the system and is named with that user's Security Identifier (SID)
The registry keys and registry values located under each SID control settings specific to that user and are loaded when the user first logs on.
The 'Default' user accounts are also held in HKU
Administrator
User
Guest
Security
HKEY_CURRENT_CONFIG (HKCC)
Stores information about the hardware profile currently being used.
Simply acts as a 'shortcut' to other registry keys found in HKLM/SYSTEM for active hardware profiles.
Key Registry Files:
=============================
Registry Tools
=============================
REGEDIT.exe
This is the built-in Registry viewer/editing console on a Windows machine. It allows you to view each Registry hive and its contents in a hierarchical structure by following the paths to certain areas. Although there is a logical structure to the registry, it is a very overwhelming set of files, and in most cases you would rely on specialist advice and skills to pull out relevant data. However, there are several key areas which may represent a quick option in order to ascertain attribution or provide fast-time interview support.
Access Data Registry Viewer: A 3rd party tool which may be used to view captured Registry files. However, you will still require a depth of knowledge to use this tool properly.
Command Line / PowerShell: Used to quickly view registry entries / scripted outputs
Access Data FTK and Registry Viewer: Used to safely copy and examine registry values
DCode: Used to decode registry binary data into usable / readable dates / times
USBDeview: View USB devices
Credentials File View / Vault Password View: These both allow you to view a user's credential vaults and stored passwords on a device (including historic usernames and passwords)
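As an added example (not part of these notes, and not the output of any of the tools listed), the following PowerShell script shows the "Command Line / PowerShell" and DCode-style decoding approach applied to the keys listed under HKCU and HKLM above, while respecting the rule never to touch the suspect machine's live registry: it loads captured hive files (copied out with FTK or similar) under temporary mount keys, reads RecentDocs, TypedURLs/TypedURLsTime and USBSTOR from them, and unloads them afterwards. Assumptions: the hive copies live in C:\Case (a placeholder path), the shell is elevated (reg.exe load requires it), and the copies are disposable, because reg.exe load opens the hive file read/write. The Internet Explorer keys are read from where they actually sit in NTUSER.DAT, Software\Microsoft\Internet Explorer, and because an offline SYSTEM hive has no CurrentControlSet link, the live control set is resolved from the Select key.

```powershell
# Added example: examine CAPTURED registry hives offline from PowerShell.
# Assumptions: hives were copied to C:\Case (placeholder), shell is elevated,
# and the hive copies are disposable (reg.exe load opens them read/write).
$CaseDir   = 'C:\Case'            # placeholder for wherever the captured hives sit
$NtUserKey = 'HKLM\Case_NTUSER'   # arbitrary mount names for the loaded hives
$SystemKey = 'HKLM\Case_SYSTEM'

function Mount-CaseHive {
    param([string]$HiveFile, [string]$MountKey)
    # reg.exe load attaches an offline hive file under HKLM or HKU
    & reg.exe load $MountKey $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile" }
}

function Dismount-CaseHive {
    param([string]$MountKey)
    [GC]::Collect()   # drop any handles PowerShell still holds on the hive
    & reg.exe unload $MountKey | Out-Null
}

function ConvertFrom-RecentDocsEntry {
    param([byte[]]$Bytes)
    # Each numbered RecentDocs value begins with the file name as null-terminated UTF-16LE
    $end = 0
    while (($end + 1) -lt $Bytes.Length -and -not ($Bytes[$end] -eq 0 -and $Bytes[$end + 1] -eq 0)) { $end += 2 }
    [System.Text.Encoding]::Unicode.GetString($Bytes, 0, $end)
}

function ConvertFrom-FileTimeBytes {
    param([byte[]]$Bytes)
    # 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC); this is the
    # same conversion DCode performs when you paste the hex into it
    [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 0))
}

try {
    Mount-CaseHive "$CaseDir\NTUSER.DAT" $NtUserKey
    Mount-CaseHive "$CaseDir\SYSTEM"     $SystemKey
    $user = 'HKLM:\Case_NTUSER'   # PSDrive form of the mount keys
    $sys  = 'HKLM:\Case_SYSTEM'

    # --- HKCU artefacts, read from the user's NTUSER.DAT ---
    $recent = Get-ItemProperty "$user\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    $recent.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |              # skip MRUListEx and PS* metadata
        ForEach-Object { [PSCustomObject]@{ Index = [int]$_.Name; Name = ConvertFrom-RecentDocsEntry $_.Value } } |
        Sort-Object Index | Format-Table -AutoSize

    $urls  = Get-ItemProperty "$user\Software\Microsoft\Internet Explorer\TypedURLs"
    $times = Get-ItemProperty "$user\Software\Microsoft\Internet Explorer\TypedURLsTime" -ErrorAction SilentlyContinue
    $urls.PSObject.Properties | Where-Object { $_.Name -like 'url*' } | ForEach-Object {
        [PSCustomObject]@{
            Slot    = $_.Name
            Url     = $_.Value
            # TypedURLsTime mirrors TypedURLs slot by slot (url1 -> url1) as a binary FILETIME
            TypedAt = $(if ($times -and $times.($_.Name)) { ConvertFrom-FileTimeBytes $times.($_.Name) } else { $null })
        }
    } | Format-Table -AutoSize

    # --- HKLM artefacts, read from the SYSTEM hive ---
    # Offline hives have no CurrentControlSet link; Select\Current names the ControlSetNNN that was live
    $cs = 'ControlSet{0:D3}' -f (Get-ItemProperty "$sys\Select").Current
    Get-ChildItem "$sys\$cs\Enum\USBSTOR" | ForEach-Object {
        $device = $_.PSChildName                  # e.g. Disk&Ven_...&Prod_...&Rev_...
        Get-ChildItem $_.PSPath | ForEach-Object {  # one subkey per device serial / instance id
            [PSCustomObject]@{
                Device       = $device
                Serial       = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
            }
        }
    } | Format-Table -AutoSize
}
finally {
    # Always unload, even on error, so the mount keys do not linger in the examiner's own registry
    Dismount-CaseHive $NtUserKey
    Dismount-CaseHive $SystemKey
}
```

Run it from an elevated PowerShell on the examination workstation, never on the suspect machine; the script only ever touches the mount keys it created. If reg.exe unload reports the hive is still in use, make sure no other window has a location set inside HKLM:\Case_NTUSER or HKLM:\Case_SYSTEM before retrying.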
=============================
Questions
=============================
Good questions to ask based on this: