Perl Scripting for Windows Security: Live Response, Forensic Analysis, and Monitoring

Registry

The Windows Registry is a binary hierarchical database that contains a great deal of valuable information for the analyst or investigator. According to Microsoft, the Registry holds configuration information for the system and applications, replacing the old initialization (*.ini, pronounced "eye-en-eye") files. For a forensic analyst, though, the Registry can be looked at as one big log file. The Registry is made up of keys (the folders you see when you open RegEdit), which contain subkeys and values, and values, which contain data. Figure II.1 illustrates keys, values, and data.


Figure II.1: Extract from RegEdit showing keys, values, and data

For more information regarding the specific structure of the Registry, as well as its immense value in forensic analysis, please see my other book published by Syngress/Elsevier, Windows Forensic Analysis.

As we saw in the previous Part, a great way to access the Registry on a live system is through the use of the Win32::TieRegistry module. However, when performing forensic analysis of Registry files extracted from an acquired image, the ideal module to use is the Parse::Win32Registry module, [2] from James McFarlane. I had looked into writing my own tools for accessing a raw Registry file and extracting keys and values, but while I was putting together the groundwork for that module, James released a version of his Parse::Win32Registry module, which takes a completely object-oriented approach to the task. While we will be using James's module to parse Registry files from Windows...
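The following script is an added example (not from the book or from the Parse::Win32Registry distribution) of the offline approach just described: it opens a hive file copied out of an acquired image and walks it as the "one big log file" the text calls it, printing every key with its LastWrite timestamp and the values beneath it. It assumes a current release of Parse::Win32Registry is installed, that the hive path (and an optional starting key path) is given on the command line, and it only reads the file.

```perl
#!/usr/bin/perl
# Dump an extracted Registry hive (e.g. NTUSER.DAT or SYSTEM copied out of an
# image) as a key/value listing with LastWrite times, using Parse::Win32Registry.
# Read-only: nothing in the hive is modified.
use strict;
use warnings;
use Parse::Win32Registry;

my $hive       = shift @ARGV or die "Usage: $0 <hive file> [key path]\n";
my $start_path = shift @ARGV;   # optional, e.g. "Software\\Microsoft\\Windows\\CurrentVersion\\Run"

my $registry = Parse::Win32Registry->new($hive)
    or die "Could not open '$hive' as a Registry hive file\n";
my $root = $registry->get_root_key
    or die "Could not locate the root key in '$hive'\n";

# Start at the root, or at the subkey the user asked for.
my $start = defined $start_path ? $root->get_subkey($start_path) : $root;
die "Key '$start_path' not found in '$hive'\n" unless defined $start;

walk_key($start, 0);

# Recursively print a key, its values, and then each of its subkeys.
sub walk_key {
    my ($key, $depth) = @_;
    my $indent = "  " x $depth;

    # Each key carries a LastWrite timestamp; the module formats it as ISO 8601.
    printf "%s%s  [LastWrite: %s]\n",
        $indent, $key->get_name, $key->get_timestamp_as_string;

    # Values: name, type (REG_SZ, REG_DWORD, REG_BINARY, ...) and data.
    # get_data_as_string renders binary data as hex so output stays printable.
    foreach my $value ($key->get_list_of_values) {
        my $name = $value->get_name;
        $name = "(Default)" if $name eq "";
        printf "%s    %-32s %-12s %s\n",
            $indent, $name, $value->get_type_as_string, $value->get_data_as_string;
    }

    walk_key($_, $depth + 1) foreach $key->get_list_of_subkeys;
}
```

Pointing the script at a specific key path (such as an autostart location in an NTUSER.DAT hive) keeps the listing short and turns the LastWrite times into a timeline of when those keys were last changed.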
