registry analysis
Post on 15-Mar-2016
Objectives
• Logical and physical structure of the Registry
• Format of Registry files
• Examination of the Registry
• Forensically important keys
• Analyzing Registry information
The Registry
• Hierarchical database
• Maintains configuration settings
– Applications
– Hardware
– Devices
– Users
Registry Access
• Regedit.exe – A “GUI” interface to the Registry
• Native to XP and above
• NT and 2000 have regedit.exe, but with limited capabilities
Registry Data Types
• Series of nested arrays designed to store a list of resources
• A list of resources used by a physical HW device
• A list of HW resources used by a device driver
Logical Structure
• Highest level: My Computer
• Contains five root hives
• Each hive consists of keys
• Each key has a set of
– <Name, Type, Value> triples
– Subkeys
Root Hives
• HKEY_USERS
– Contains all the actively loaded user profiles for the system
• HKEY_CURRENT_USER
– Is the active, loaded user profile currently logged on
• HKEY_LOCAL_MACHINE
– Contains configuration information for the system, both HW and SW
Root Hives (cont’d)
• HKEY_CURRENT_CONFIG
– Contains the hardware profile the system uses at startup
• HKEY_CLASSES_ROOT
– Contains configuration information for which apps open which files
HKEY_CLASSES_ROOT – Application to File Mapping
This hive is subclassed from HKCU\Software\Classes and HKLM\Software\Classes
Registry Cell Types
• Key cell
– Key info, offsets to subkeys and LastWrite time
• Value cell
– Holds a value/name and its data
• Subkey list cell
– Series of subkey offsets
• Value list cell
– Series of offsets to value cells
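The four cell types listed above, together with the <Name, Type, Value> triples and subkeys from the Logical Structure slide, worked through as an added Python example (this is not code from the original slides). The builder writes a tiny hive image in memory and the parser walks it back from the root key cell, reading the LastWrite FILETIME, following the subkey list cell to child key cells and the value list cell to value cells. The field offsets used (regf header, hbin header, nk/vk/lf cells, inline data in the vk offset field) are taken from the publicly documented Windows hive file format, not from the deck; the key names, value names and value data in the fixture are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

REG_SZ, REG_DWORD = 1, 4
HBIN_BASE = 0x1000                      # cell offsets are relative to the first hbin
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):                    # FILETIME = 100-ns ticks since 1601-01-01 UTC
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

class HiveBuilder:                      # writes a constructed, minimal regf image
    def __init__(self):
        self.body = bytearray()         # cells, laid out after the 32-byte hbin header
    def alloc(self, payload):           # allocated cell: negative size, 8-byte aligned
        size = (len(payload) + 4 + 7) & ~7
        off = 32 + len(self.body)
        self.body += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return off
    def nk(self, name, parent, when, root=False, sklist=0xFFFFFFFF, nsub=0,
           vlist=0xFFFFFFFF, nval=0):
        flags = 0x2C if root else 0x20  # 0x20 = ASCII name; the root key also sets 0x04|0x08
        fixed = struct.pack("<HQ15IHH", flags, to_filetime(when), 0, parent, nsub, 0,
                            sklist, 0xFFFFFFFF, nval, vlist, 0xFFFFFFFF, 0xFFFFFFFF,
                            0, 0, 0, 0, 0, len(name), 0)
        return self.alloc(b"nk" + fixed + name.encode("ascii"))
    def set_parent(self, child, parent):  # patch the parent-offset field (+0x10 in the nk)
        struct.pack_into("<I", self.body, child - 32 + 4 + 0x10, parent)
    def vk(self, name, vtype, data):
        if len(data) <= 4:              # small data is stored inline in the offset field
            size, doff = len(data) | 0x80000000, int.from_bytes(data.ljust(4, b"\0"), "little")
        else:
            size, doff = len(data), self.alloc(data)
        fixed = struct.pack("<HIIIHH", len(name), size, doff, vtype, 1, 0)  # flag 1 = ASCII name
        return self.alloc(b"vk" + fixed + name.encode("ascii"))
    def subkey_list(self, entries):     # 'lf' list: (offset, first-four-chars hash) per subkey
        body = b"".join(struct.pack("<I", off) + name[:4].encode("ascii").ljust(4, b"\0")
                        for off, name in entries)
        return self.alloc(b"lf" + struct.pack("<H", len(entries)) + body)
    def build(self, root_off):
        hsize = (32 + len(self.body) + 4095) & ~4095
        hbin = (b"hbin" + struct.pack("<IIQQI", 0, hsize, 0, 0, 0) + self.body).ljust(hsize, b"\0")
        regf = b"regf" + struct.pack("<IIQIIIIII", 1, 1, 0, 1, 5, 0, 1, root_off, hsize)
        return regf.ljust(HBIN_BASE, b"\0") + hbin

class Hive:                             # walks nk, vk, subkey-list and value-list cells
    def __init__(self, data):
        if data[:4] != b"regf":
            raise ValueError("not a regf hive")
        self.data = data
        self.root_off = struct.unpack_from("<I", data, 0x24)[0]
    def cell(self, off):                # payload of an allocated cell (size field is negative)
        base = HBIN_BASE + off
        size = struct.unpack_from("<i", self.data, base)[0]
        if size >= 0:
            raise ValueError("cell at 0x%x is unallocated" % off)
        return self.data[base + 4:base - size]
    def key(self, off):
        c = self.cell(off)
        if c[:2] != b"nk":
            raise ValueError("expected nk cell at 0x%x" % off)
        ft, _, _, nsub, _, sklist, _, nval, vlist, *_, nlen = struct.unpack_from("<Q15IH", c, 4)
        vals = struct.unpack_from("<%dI" % nval, self.cell(vlist)) if nval else ()
        return {"name": c[0x4C:0x4C + nlen].decode("ascii"),
                "last_write": from_filetime(ft),
                "subkeys": [self.key(o) for o in self.subkey_offsets(sklist, nsub)],
                "values": dict(self.value(o) for o in vals)}
    def subkey_offsets(self, off, n):
        if n == 0:
            return []
        c = self.cell(off)
        sig, count = c[:2], struct.unpack_from("<H", c, 2)[0]
        stride = {b"lf": 8, b"lh": 8, b"li": 4}[sig]   # lf/lh store a hash beside each offset
        return [struct.unpack_from("<I", c, 4 + i * stride)[0] for i in range(count)]
    def value(self, off):
        c = self.cell(off)
        if c[:2] != b"vk":
            raise ValueError("expected vk cell at 0x%x" % off)
        nlen, size, doff, vtype = struct.unpack_from("<HIII", c, 2)
        name = c[0x14:0x14 + nlen].decode("ascii")
        raw = c[8:8 + (size & 0x7FFFFFFF)] if size & 0x80000000 else self.cell(doff)[:size]
        if vtype == REG_SZ:
            return name, raw.decode("utf-16-le").rstrip("\0")
        if vtype == REG_DWORD:
            return name, struct.unpack("<I", raw)[0]
        return name, raw

def make_sample_hive():                 # constructed fixture: ROOT -> Run with two values
    b = HiveBuilder()
    when = datetime(2016, 3, 15, 12, 0, tzinfo=timezone.utc)
    v1 = b.vk("Updater", REG_SZ, "C:\\Tools\\updater.exe".encode("utf-16-le") + b"\0\0")
    v2 = b.vk("Enabled", REG_DWORD, struct.pack("<I", 1))
    run = b.nk("Run", 0, when, vlist=b.alloc(struct.pack("<2I", v1, v2)), nval=2)
    root = b.nk("ROOT", 0xFFFFFFFF, when, root=True, sklist=b.subkey_list([(run, "Run")]), nsub=1)
    b.set_parent(run, root)
    return b.build(root)
```

Calling `Hive(make_sample_hive())` and then `key(h.root_off)` returns the root key as a nested dict with its name, LastWrite time, the `Run` subkey and that subkey's two values. Two points matter for examination work: the key cell's LastWrite time is the only timestamp in the structure (value cells carry none), and `cell()` rejects any cell whose size field is positive, because a positive size marks free space; deleted keys and values usually survive there, so a carving tool would deliberately read those cells instead of refusing them.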