The Windows Registry: Part 3 – Forensic Analysis Using RegRipper


The Windows Registry is a hierarchical database within which Windows stores system, hardware, software, and user settings and configurations. Since it is the central repository of such information, a proper understanding of the Registry is essential for a forensics investigator analyzing a Windows machine.

This module concludes our three-part discussion of Registry analysis. In it we discuss which Registry data can matter to an investigation and how the RegRipper tool can be used to extract that data from hive files.


By: Moshe Caplan


Use RegRipper to find the following data within the sample hives obtainable from the RegRipper download site.

1. Win XP: What is the primary user's "logonusername"?
2. Win 7: When was the system last "shutdown"?
3. Vista: Name three installed software "products" on the machine.

Answers:

1. vmware
2. Tue May 29 17:17:04 2012 (UTC)
3. Note: the following are just examples; other software is installed as well.
   Adobe Reader
   MS Office 2003 Professional
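As an added example (not part of this module and not code from the RegRipper project), the script below drives RegRipper for the three exercise questions and then cross-checks the shutdown answer by decoding the raw ShutdownTime value itself, which is how you confirm a plugin's timestamp rather than taking it on faith. It assumes rip.pl is on PATH and the sample hives are extracted into a directory passed on the command line; the hive-to-plugin pairs use the plugin names quoted in the exercise (logonusername, shutdown, product), which you should confirm against `rip.pl -l` for your RegRipper version. The sample plugin output and the raw FILETIME bytes are constructed to match the exercise answer.

```python
"""Run the exercise plugins with RegRipper and independently verify the
ShutdownTime decode. Added example; assumes rip.pl is on PATH."""
import os
import re
import struct
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Hive -> plugin pairs for the exercise questions. Plugin names follow the
# exercise text (assumption); confirm with `rip.pl -l` on your install.
EXERCISE = [
    ("NTUSER.DAT", "logonusername"),  # Q1: the user's "Logon User Name"
    ("SYSTEM", "shutdown"),           # Q2: ControlSet00N\Control\Windows\ShutdownTime
    ("SOFTWARE", "product"),          # Q3: Classes\Installer\Products entries
]

# Windows FILETIME counts 100 ns ticks from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rip_plugin(hive_path: str, plugin: str) -> str:
    """Run one RegRipper plugin against one hive file and return its text output."""
    proc = subprocess.run(["rip.pl", "-r", hive_path, "-p", plugin],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_fields(output: str) -> dict:
    """Collect the 'Name = value' lines RegRipper plugins print into a dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([^=]+?)\s*=\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def decode_filetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME to an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def regripper_time(dt: datetime) -> str:
    """Render a datetime the way RegRipper prints it: 'Tue May 29 17:17:04 2012 (UTC)'."""
    return dt.astimezone(timezone.utc).strftime("%a %b %d %H:%M:%S %Y") + " (UTC)"


def check_shutdown(raw_value: bytes, plugin_output: str) -> bool:
    """Does the plugin's printed ShutdownTime match our own decode of the raw value?"""
    reported = parse_fields(plugin_output).get("ShutdownTime")
    return reported == regripper_time(decode_filetime(raw_value))


# Constructed sample: the raw ShutdownTime value for 2012-05-29 17:17:04 UTC
# (1338311824 s after 1970 + 11644473600 s epoch offset, in 100 ns ticks).
SAMPLE_SHUTDOWNTIME = struct.pack("<Q", 129827854240000000)

# Constructed sample of shutdown plugin output in the 'Name = value' style.
SAMPLE_OUTPUT = """ControlSet001\\Control\\Windows key, ShutdownTime value
ShutdownTime = Tue May 29 17:17:04 2012 (UTC)
"""


if __name__ == "__main__":
    hive_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for hive, plugin in EXERCISE:
        print(f"== {hive} / {plugin} ==")
        print(rip_plugin(os.path.join(hive_dir, hive), plugin))
    print("shutdown cross-check:", check_shutdown(SAMPLE_SHUTDOWNTIME, SAMPLE_OUTPUT))
```

Two caveats worth keeping in mind when reading these results: RegRipper prints timestamps in UTC, so convert to the machine's configured zone before comparing against user activity, and ShutdownTime is written during an orderly shutdown, so a crash or pulled plug leaves the previous value in place and the "last shutdown" may predate the last time the machine was actually off. The logon name comes from the Explorer key inside that user's own NTUSER.DAT, so it tells you which account the hive belongs to, not who last logged on to the system.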

