Windows Forensic Analysis Toolkit

Chapter 4: Registry Analysis

Introduction

To most administrators and forensic analysts, the Registry probably looks like the entrance to a dark, forbidding cave on the landscape of the Windows operating system. Others might see the Registry as a dark door at the end of a long hallway, with the words abandon hope, all ye who enter here scrawled on it. The truth is that the Registry is a veritable gold mine of information for both the administrator and the forensics investigator. Software used by attackers will, in many cases, create a footprint within the Registry, leaving the investigator clues about the incident. Knowing where to look within the Registry, and how to interpret what you find, will go a long way toward giving you valuable insight into activity that occurred on the system.

The purpose of this chapter is to provide you with a deeper understanding of the Registry and the wealth of information it holds. Besides configuration information, the Windows Registry holds information regarding recently accessed files and considerable information about user activities. All of this can be extremely valuable, depending on the nature of the case you're working on. Most of the Registry analysis that we address in this chapter will be post mortem; in other words, it takes place after you've acquired an image of the system. However, in some instances we will discuss analysis from a live system as well as provide examples of what the keys and values look like on a live system. There are a few minor considerations to keep in...
