As a forensics investigator, one must know what the registry is, how it works, and how an attacker can use it for illegal activities.
The registry is a database in Windows that holds important information about system hardware, installed programs and their settings, and the profile of each user account on the computer. Windows refers to the registry continually. The main registry hives are stored in the following files:
- HKEY_USERS\<user SID> (per-user hive): \Documents and Settings\<User Profile>\NTUSER.DAT
- HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
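Each of the hive files listed above starts with a 4 KiB base block that an investigator should sanity-check before trusting anything read from the hive: it carries the `regf` signature, two sequence numbers that only match when the last write completed, the last-written timestamp, the embedded file name, and a checksum over the header. The script below is an added example written for this page (not code from the original author or from any of the tools listed later); it uses only the Python standard library, and the hive header it parses is constructed inline so the example runs offline. Field offsets follow the public `regf` base-block layout; the helper names are my own.

```python
"""Parse and sanity-check the 4 KiB base block of a Windows registry hive.

Added example (not from the original page). Uses only the standard library;
the hive header it checks is CONSTRUCTED inline so that it runs offline.
"""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# First 112 bytes of the base block, little-endian:
# signature, primary seq, secondary seq, last written (FILETIME), major, minor,
# file type, file format, root cell offset, hive bins size, clustering factor,
# embedded file name (64 bytes, UTF-16LE).
_HDR = struct.Struct("<4sIIQIIIIIII64s")
CHECKSUM_OFFSET = 508


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 DWORDs that precede the checksum field at offset 508."""
    value = 0
    for word in struct.unpack("<127I", base_block[:CHECKSUM_OFFSET]):
        value ^= word
    # Documented special cases: the stored value is never 0 or 0xFFFFFFFF.
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if value == 0:
        return 1
    return value


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns intervals since 1601-01-01 UTC."""
    secs, rem = divmod(ft, 10_000_000)
    return FILETIME_EPOCH + timedelta(seconds=secs, microseconds=rem // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_base_block(data: bytes) -> dict:
    """Return the header fields plus two integrity verdicts for a hive file."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("need at least the 4096-byte base block")
    (sig, seq1, seq2, ts, major, minor, ftype, fmt,
     root, hbins, cluster, name) = _HDR.unpack_from(data, 0)
    if sig != b"regf":
        raise ValueError(f"not a registry hive: signature {sig!r}")
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "last_written": filetime_to_datetime(ts),
        "version": f"{major}.{minor}",
        "file_type": ftype,            # 0 = primary hive file
        "root_cell_offset": root,      # relative to the first hive bin (offset 4096)
        "hbins_size": hbins,
        "file_name": name.decode("utf-16-le").rstrip("\x00"),
        "checksum_ok": stored == regf_checksum(data),
        # Sequence numbers differ when the last write never completed: the
        # hive is "dirty" and its .LOG1/.LOG2 transaction logs must be applied
        # before key data read from this file can be trusted.
        "dirty": seq1 != seq2,
    }


def build_sample_hive(name: str, last_written: datetime,
                      primary_seq: int = 7, secondary_seq: int = 7) -> bytes:
    """CONSTRUCTED base block for demonstration; not a real capture."""
    data = bytearray(BASE_BLOCK_SIZE)
    _HDR.pack_into(data, 0, b"regf", primary_seq, secondary_seq,
                   datetime_to_filetime(last_written), 1, 5, 0, 1,
                   0x20, 0x1000, 1, name.encode("utf-16-le"))
    struct.pack_into("<I", data, CHECKSUM_OFFSET, regf_checksum(bytes(data)))
    return bytes(data)


if __name__ == "__main__":
    # Usage against a real file: parse_base_block(open(path, "rb").read(4096))
    sample = build_sample_hive("\\SystemRoot\\System32\\Config\\SAM",
                               datetime(2020, 1, 1, tzinfo=timezone.utc))
    for key, value in parse_base_block(sample).items():
        print(f"{key:>18}: {value}")
```

In practice, run `parse_base_block` over the first 4096 bytes of each hive file recovered from a disk image; a `dirty` verdict means the transaction logs in the same `config` directory are needed, and a failed checksum means the header was damaged or altered and the file should not be relied on as-is.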
Tools: top five open source tools for editing the Microsoft Windows registry
- Forensic Registry Editor (fred) – “Forensic Registry Editor (fred) is a cross-platform M$ registry hive editor” by Daniel Gillen
- libregfi – The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool
- reglookup – “small command line utility for reading and querying Windows NT-based registries.”
- regviewer – a tool for looking at the registry.
- RegRipper – “the fastest, easiest, and best tool for registry analysis in forensics examinations.”