The Windows Registry: Part 2 – Extracting the Registry Hives
The Windows Registry is a hierarchical database within which Windows stores system, hardware, software, and user settings and configurations. Since it is the central repository of such information, a proper understanding of the Registry is essential for a forensics investigator analyzing a Windows machine.
This module continues our three-part discussion on Registry Analysis. In this module we discuss how to find and extract the Registry hives from both a live and a dead system. This is done using AccessData's FTK Imager tool, which we introduce here as well. There is also a brief discussion of another AccessData tool, Registry Viewer.
By: Moshe Caplan
Use FTK Imager to obtain a copy of the Registry hives on your machine, open them with Registry Viewer, and find the keys/values below.
Note 1: This challenge is similar to the challenge from the Registry Intro Module.
Note 2: The paths are from a Windows 7 machine.
1. What is your computer's name?
2. What timezone are you in?
3. What are some programs started when your machine is booted?
4. What are some applications installed on your computer?
5. What USB devices have been plugged into your computer?
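One way to look up the five challenge items, as an added example that is not the module's own code: a PowerShell script that reads the standard Windows 7+ keys from a live system, with the hive roots as parameters so the same function also runs against an offline SYSTEM/SOFTWARE hive copy loaded with `reg load`. The key paths and the `HKLM:\CaseSystem` mount name are assumptions, not taken from the page.

```powershell
# Added example, not the module's own code: read the challenge keys from a live
# Windows 7+ system (run elevated). Hive roots are parameters so the same function
# works on an offline SYSTEM/SOFTWARE hive copy loaded with, for example,
#   reg load HKLM\CaseSystem C:\case\SYSTEM    (then -SystemRoot 'HKLM:\CaseSystem')
function Get-CurrentControlSetPath {
    param([string]$SystemRoot)
    # An offline hive has no CurrentControlSet link; resolve it from Select\Current
    $n = (Get-ItemProperty "$SystemRoot\Select").Current
    '{0}\ControlSet{1:D3}' -f $SystemRoot, $n
}

# Value names/data of one key as objects, skipping the PS* properties PowerShell adds
function Get-KeyValues {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @() }
    (Get-ItemProperty $Key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Data = $_.Value } }
}

function Get-RegistryChallengeAnswers {
    param([string]$SystemRoot = 'HKLM:\SYSTEM', [string]$SoftwareRoot = 'HKLM:\SOFTWARE')
    $ccs = Get-CurrentControlSetPath -SystemRoot $SystemRoot
    $cv  = "$SoftwareRoot\Microsoft\Windows\CurrentVersion"
    # 2. Time zone: Bias is minutes west of UTC before DST; ActiveTimeBias includes DST
    $tz = Get-ItemProperty "$ccs\Control\TimeZoneInformation"
    # 3. Machine-wide autostart entries (per-user Run keys live in each NTUSER.DAT)
    $run = @(Get-KeyValues "$cv\Run") + @(Get-KeyValues "$cv\RunOnce")
    # 4. Installed applications; 64-bit hosts also keep 32-bit entries under Wow6432Node
    $apps = foreach ($k in "$cv\Uninstall",
                           "$SoftwareRoot\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall") {
        if (Test-Path $k) { Get-ChildItem $k | ForEach-Object { (Get-ItemProperty $_.PSPath).DisplayName } }
    }
    # 5. USB mass-storage history: USBSTOR\<vendor&product>\<serial> persists per device seen
    $usb = foreach ($dev in Get-ChildItem "$ccs\Enum\USBSTOR" -ErrorAction SilentlyContinue) {
        foreach ($inst in Get-ChildItem $dev.PSPath) {
            [pscustomobject]@{ Device = $dev.PSChildName; Serial = $inst.PSChildName
                               FriendlyName = (Get-ItemProperty $inst.PSPath).FriendlyName }
        }
    }
    [pscustomobject]@{
        ComputerName    = (Get-ItemProperty "$ccs\Control\ComputerName\ComputerName").ComputerName  # 1.
        TimeZone        = $tz.TimeZoneKeyName
        BiasMinutes     = $tz.Bias
        StartupPrograms = $run
        InstalledApps   = @($apps | Where-Object { $_ } | Sort-Object -Unique)
        UsbDevices      = @($usb)
    }
}

Get-RegistryChallengeAnswers | Format-List
```

Against an exported hive, the `Select\Current` lookup matters: the `CurrentControlSet` key only exists as a link on a running system, so the script resolves `ControlSet00N` itself.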
Further information on this module can be found at the following: