You're reading from  Windows Forensics Cookbook

Product type: Book
Published in: Aug 2017
ISBN-13: 9781784390495
Edition: 1st Edition

Authors (2):

Scar de Courcier

Scar de Courcier is Senior Editor at digital forensics website Forensic Focus. She also works as an independent consultant on online and offline child protection projects. In her spare time, she enjoys swimming, pretending she lives on the USS Voyager, and hanging out with her cat.

Oleg Skulkin

Oleg Skulkin is the Head of Digital Forensics and Malware Analysis Laboratory at Group-IB. Oleg has worked in the fields of digital forensics, incident response, and cyber threat intelligence and research for over a decade, fueling his passion for uncovering new techniques used by hidden adversaries. Oleg has authored and co-authored multiple blog posts, papers, and books on related topics and holds GCFA and GCTI certifications.

Windows Registry Analysis

In this chapter, we will cover the following recipes:

  • Extracting and viewing Windows Registry files with Magnet AXIOM
  • Parsing Registry files with RegRipper
  • Recovering deleted Registry artifacts with Registry Explorer
  • Registry analysis with FTK Registry Viewer

Introduction

The Windows Registry is one of the richest sources of digital evidence. You can find lots of extremely useful pieces of information during the examination of the Registry hives and keys. Computer configurations, recently visited webpages and opened documents, connected USB devices, and many other artifacts can all be acquired through Windows Registry forensic examination.

The Registry has a tree structure. Each tree consists of keys, and each key may have one or more subkeys and values.

As forensic examiners usually deal with drive images, it's very important to know where the Registry hive files are stored. Six of these files are located in C:\Windows\System32\config. These files are:

  • COMPONENTS
  • DEFAULT
  • SAM
  • SECURITY
  • SOFTWARE
  • SYSTEM

There are also two files for each user account:

  • NTUSER.DAT, located at C:\Users\%Username%\
  • UsrClass.dat, located at C:\Users\%Username...
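As an added example (not code from the book), the following Python script walks the paths listed above inside a mounted image, confirms that each file actually starts with the regf signature, and reads the base-block sequence numbers and last-written timestamp. The UsrClass.dat location under AppData\Local\Microsoft\Windows is assumed (the chapter text is cut off at that point), and the sample image with its "alice" account is constructed in a temporary directory.

```python
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

CONFIG_HIVES = ["COMPONENTS", "DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM"]  # the six in System32\config
USRCLASS_REL = Path("AppData", "Local", "Microsoft", "Windows", "UsrClass.dat")  # assumed; the chapter text is cut off
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_regf_header(data):
    """Parse the fixed fields of a hive base block; None if the file does not start with 'regf'."""
    if len(data) < 0x200 or data[:4] != b"regf":
        return None
    seq1, seq2, ft = struct.unpack_from("<IIQ", data, 0x04)
    return {
        "dirty": seq1 != seq2,  # unequal sequence numbers: not cleanly flushed, check the .LOG files too
        "last_written": EPOCH_1601 + timedelta(microseconds=ft // 10),
        "embedded_name": data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0],
    }

def read_head(path, n=0x200):
    with open(path, "rb") as f:
        return f.read(n)

def find_hives(root: Path):
    """Map each expected hive path (relative to a mounted image root) to its parsed header."""
    rel_paths = [Path("Windows", "System32", "config", h) for h in CONFIG_HIVES]
    for u in (sorted(p.name for p in (root / "Users").iterdir()) if (root / "Users").is_dir() else []):
        rel_paths += [Path("Users", u, "NTUSER.DAT"), Path("Users", u) / USRCLASS_REL]
    return {rel.as_posix(): parse_regf_header(read_head(root / rel))
            for rel in rel_paths if (root / rel).is_file()}

def make_regf(name, seq1, seq2, when=datetime(2017, 8, 1, tzinfo=timezone.utc)):
    """Constructed 4 KiB base block with no hive bins, for demonstration only."""
    b = bytearray(0x1000)
    b[:4] = b"regf"
    ft = int((when - EPOCH_1601).total_seconds()) * 10_000_000
    struct.pack_into("<IIQII", b, 0x04, seq1, seq2, ft, 1, 5)  # sequence numbers, timestamp, version 1.5
    b[0x30:0x30 + 2 * len(name)] = name.encode("utf-16-le")
    return bytes(b)

def build_sample_image():
    """Constructed mini image: a cleanly flushed SYSTEM hive and a dirty NTUSER.DAT for user alice."""
    root = Path(tempfile.mkdtemp())
    cfg, user = root / "Windows" / "System32" / "config", root / "Users" / "alice"
    for d in (cfg, user):
        d.mkdir(parents=True)
    (cfg / "SYSTEM").write_bytes(make_regf("SYSTEM", 7, 7))
    (user / "NTUSER.DAT").write_bytes(make_regf("ntuser.dat", 12, 11))
    return root
```

Point `find_hives` at the root of a mounted image instead of `build_sample_image()` to inventory a real case; a hive reported as dirty should be paired with its transaction logs before analysis.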

Extracting and viewing Windows Registry files with Magnet AXIOM

You have already learnt a bit about how to use Magnet AXIOM in your forensic examinations, especially if you need to extract and analyze data from shadow copies. But this tool has lots of very useful features, so we will use it in a few more recipes. This time you will learn how to use Magnet AXIOM, and especially its Registry Explorer component, for Windows Registry forensics.

Getting ready

If you are following the recipes in this book one by one, you already have Magnet AXIOM - at least a trial version - installed. If not, refer to Chapter 5, Windows Shadow Copies Analysis, for installation instructions. Once you've installed the tool, you are ready to...

Parsing Registry files with RegRipper

RegRipper is an open source Windows forensic tool developed by the famous forensicator Harlan Carvey, the author of the Windows Forensic Analysis series. It's written in Perl, and has a lot of useful plugins available. Also, digital forensic examiners capable of writing in Perl can create their own plugins for their specific needs.

Getting ready

Go to RegRipper's page at Harlan's GitHub, click on the green button (Clone or Download), and choose the Download ZIP option. Once the archive is downloaded (in our case it is named RegRipper2.8-master.zip), unpack it, and you are ready to go.

...

Recovering deleted Registry artifacts with Registry Explorer

Registry Explorer is another free Windows Registry forensic tool by another famous digital forensic examiner: Eric Zimmerman. One of the extremely useful features of this tool is its capability to recover deleted records. And it's easier than you might imagine.

Getting ready

Go to Eric's GitHub and click on the Registry Explorer download link. In our case, it's called Registry Explorer/RECmd Version 0.8.1.0. At the time of writing, the most recent version of the tool is 0.8.1.0. Once RegistryExplorer_RECmd.zip is downloaded, unpack it and you are ready to go.

...

Registry analysis with FTK Registry Viewer

FTK Registry Viewer ships with AccessData's products and can also be downloaded separately. It allows users to view the contents of the Registry on a Windows machine.

Getting ready

If you already have FTK, Registry Viewer will be on your system. If you do not, you can download FTK Imager at AccessData's website - it's free. You will need to fill in some personal information, including your name, company name, position and email address to gain access to the free download. The following figure shows the download page for FTK Imager:

Figure 6.13. Downloading FTK Imager

If you only need to download Registry Viewer, you can do that on the Product Downloads page as...
