Registry Analysis What is it? What does it contain?
Date posted: 19-Dec-2015
Category: Documents
Transcript of Registry Analysis What is it? What does it contain?
Registry Analysis
What is it?
What does it contain?
Objectives
• Logical and physical structure of the Registry
• Format of Registry files
• Examination of the Registry
• Forensically important keys
• Analyzing Registry information
The Registry
• Hierarchical database
• Maintains configuration settings for:
  • Applications
  • Hardware
  • Devices
  • Users
Registry Access
• Regedit.exe – a GUI interface to the Registry
• Native to XP and above
• NT 4.0 and 2000 also ship regedit.exe, but with limited capabilities (no permission editing and incomplete support for some data types); on those versions regedt32.exe fills the gaps
Physical Structure
• Binary files (hive files)
• Stored on the hard drive and loaded into RAM; a few keys (e.g. HKLM\HARDWARE) are volatile and exist only in memory
• The hive files are locked while Windows is running, so offline examination works from a disk image or a raw copy of the files
• Limited set of data types
File Locations
• %SystemRoot%\System32\config\ – SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT (loaded as HKLM\SAM, HKLM\SECURITY, HKLM\SOFTWARE, HKLM\SYSTEM and HKU\.DEFAULT)
• NTUSER.DAT in each user profile root (Documents and Settings\<user> on XP, Users\<user> on Vista and later), loaded as HKU\<SID>
• UsrClass.dat under the profile's Local Settings\Application Data\Microsoft\Windows (XP) or AppData\Local\Microsoft\Windows (Vista and later), loaded as HKU\<SID>_Classes
Registry Data Types

| Type | Description |
| --- | --- |
| REG_NONE | No defined type |
| REG_SZ | NUL-terminated Unicode (UTF-16LE) string |
| REG_EXPAND_SZ | String containing unexpanded environment variables (e.g. %SystemRoot%) |
| REG_BINARY | Arbitrary binary data |
| REG_DWORD | 32-bit number, little-endian |
| REG_DWORD_BIG_ENDIAN | 32-bit number, big-endian |
| REG_LINK | Unicode symbolic link to another key |
| REG_MULTI_SZ | Sequence of NUL-terminated strings, ended by an empty string |
| REG_RESOURCE_LIST | Series of nested arrays designed to store a list of resources used by a device driver |
| REG_FULL_RESOURCE_DESCRIPTOR | A list of resources used by a physical HW device |
| REG_RESOURCE_REQUIREMENTS_LIST | A list of HW resources a device driver can use |
| REG_QWORD | 64-bit number, little-endian |
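The type field only tells a tool how to interpret the bytes that follow; decoding them is the examiner's job. The following is an added example (not part of the original slides) that decodes raw value data by REG_* type, returns opaque types as bytes, and adds a heuristic for REG_BINARY values that are really UTF-16LE strings. The sample values and their names are constructed for the example, not taken from a real hive.

```python
"""Decode raw Registry value data according to its REG_* type identifier.

Added example for this page (not part of the original slides). The sample
values below are constructed, not taken from a real hive.
"""
import struct

# Numeric type identifiers as stored in a value (vk) cell's type field.
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD = 0, 1, 2, 3, 4
REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ = 5, 6, 7
REG_RESOURCE_LIST, REG_FULL_RESOURCE_DESCRIPTOR = 8, 9
REG_RESOURCE_REQUIREMENTS_LIST, REG_QWORD = 10, 11

TYPE_NAMES = {
    REG_NONE: "REG_NONE", REG_SZ: "REG_SZ", REG_EXPAND_SZ: "REG_EXPAND_SZ",
    REG_BINARY: "REG_BINARY", REG_DWORD: "REG_DWORD",
    REG_DWORD_BIG_ENDIAN: "REG_DWORD_BIG_ENDIAN", REG_LINK: "REG_LINK",
    REG_MULTI_SZ: "REG_MULTI_SZ", REG_RESOURCE_LIST: "REG_RESOURCE_LIST",
    REG_FULL_RESOURCE_DESCRIPTOR: "REG_FULL_RESOURCE_DESCRIPTOR",
    REG_RESOURCE_REQUIREMENTS_LIST: "REG_RESOURCE_REQUIREMENTS_LIST",
    REG_QWORD: "REG_QWORD",
}


def decode_value(reg_type, data):
    """Turn raw value bytes into a Python object based on the declared type.

    The type field is only a hint written by whoever set the value, so the
    decoder tolerates odd lengths and missing terminators, and hands back
    opaque or unknown types as bytes instead of rejecting them.
    """
    if reg_type in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        # UTF-16LE, normally NUL-terminated; stop at the first terminator.
        text = data.decode("utf-16-le", errors="replace")
        return text.split("\x00", 1)[0]
    if reg_type == REG_MULTI_SZ:
        # NUL-separated UTF-16LE strings ending with an empty string.
        text = data.decode("utf-16-le", errors="replace")
        return [s for s in text.split("\x00") if s]
    if reg_type == REG_DWORD:
        if len(data) != 4:
            raise ValueError("REG_DWORD needs 4 bytes, got %d" % len(data))
        return struct.unpack("<I", data)[0]           # little-endian
    if reg_type == REG_DWORD_BIG_ENDIAN:
        if len(data) != 4:
            raise ValueError("REG_DWORD_BIG_ENDIAN needs 4 bytes, got %d" % len(data))
        return struct.unpack(">I", data)[0]
    if reg_type == REG_QWORD:
        if len(data) != 8:
            raise ValueError("REG_QWORD needs 8 bytes, got %d" % len(data))
        return struct.unpack("<Q", data)[0]
    # REG_BINARY, REG_NONE, the three resource-list types and anything unknown.
    return bytes(data)


def looks_like_utf16_string(data):
    """Heuristic (added here): does binary data decode as a printable,
    NUL-terminated UTF-16LE string? Worth running on REG_BINARY values whose
    declared type may not match their content. Returns the string or None."""
    if len(data) < 4 or len(data) % 2 or data[-2:] != b"\x00\x00":
        return None
    try:
        text = data[:-2].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


SAMPLE_VALUES = [  # constructed (name, type, raw bytes); not from a real hive
    ("ImagePath", REG_EXPAND_SZ,
     "%SystemRoot%\\system32\\svchost.exe -k netsvcs".encode("utf-16-le") + b"\x00\x00"),
    ("Start", REG_DWORD, struct.pack("<I", 2)),
    ("BigEndian", REG_DWORD_BIG_ENDIAN, b"\x00\x00\x00\x02"),
    ("DependOnService", REG_MULTI_SZ, "Tcpip\x00Afd\x00\x00".encode("utf-16-le")),
    ("LastShutdown", REG_QWORD, struct.pack("<Q", 131000000000000000)),
    ("Blob", REG_BINARY, "C:\\Tools\\agent.exe".encode("utf-16-le") + b"\x00\x00"),
]


def decode_all(values=SAMPLE_VALUES):
    """Return {name: (type name, decoded value)} for a list of raw values."""
    return {name: (TYPE_NAMES.get(t, "UNKNOWN(%d)" % t), decode_value(t, raw))
            for name, t, raw in values}


if __name__ == "__main__":
    for name, (tname, val) in decode_all().items():
        print("%-16s %-22s %r" % (name, tname, val))
```

The `Blob` entry shows why the heuristic matters: declared REG_BINARY, it comes back as bytes from `decode_value`, but `looks_like_utf16_string` recovers the path stored inside it.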
Logical Structure
• Highest level: My Computer
• Contains five root hives (strictly, five predefined root keys; several of them are links or merged views into the hives loaded from disk)
• Each hive consists of
  • Keys
• Each key has
  • A set of <Name Type Value> triples
  • Subkeys
Root Hives
• HKEY_USERS
  • Contains all the actively loaded user profiles for the system (one subkey per SID, plus .DEFAULT)
• HKEY_CURRENT_USER
  • Is the active, loaded user profile of the currently logged-on user (a link to the matching HKEY_USERS\<SID> subkey)
• HKEY_LOCAL_MACHINE
  • Contains configuration information for the system, both HW and SW
Root Hives (cont'd)
• HKEY_CURRENT_CONFIG
  • Contains the hardware profile the system uses at startup (a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current)
• HKEY_CLASSES_ROOT
  • Contains configuration information for which apps open which files (file associations and COM class registrations)
Five Root Hives
HKEY_USERS: User Profiles
HKEY_CURRENT_USER: Logged-on user profile
Current User: one of those listed in HKEY_USERS
HKEY_LOCAL_MACHINE: HW and SW configs
HKEY_CURRENT_CONFIG: Startup profile
HKEY_CLASSES_ROOT: Application-to-file mapping
This hive is a merged view of HKCU\Software\Classes and HKLM\Software\Classes; where both define the same key, the per-user (HKCU) entry takes precedence.
Registry Cell Types
• Every cell begins with a signed 32-bit size: negative while the cell is in use, positive once freed (deleted keys and values often remain recoverable in free cells)
• Key cell (signature "nk")
  • Key info, offsets to the subkey list and value list, and the LastWrite time (a FILETIME updated when a value or subkey under the key is created, modified or deleted; values themselves carry no timestamp)
• Value cell (signature "vk")
  • Holds a value name, its data type and its data (stored inline when 4 bytes or less, otherwise as an offset to a separate data cell)
• Subkey list cell (signatures "lf", "lh", "li", "ri")
  • Series of subkey offsets
• Value list cell (no signature)
  • Series of offsets to value cells
Registry Structure: Keys → Subkeys → Values (Name, Type, Data)
Raw Registry File (figure: a Key Cell and a Value Cell highlighted in the raw hive file)
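To make the cell types and the raw-file figure concrete, here is an added example (not the slides' own material) that builds a small hive-bin fragment with struct.pack and then walks it the way a hive parser does: key cell, value list, value cells, inline versus out-of-line data, and the LastWrite FILETIME. The fragment, the key name "Run", its two values and the timestamp are all constructed for the example; the field layouts follow the documented on-disk format (76-byte nk header, 20-byte vk header, each cell preceded by a signed 32-bit size). Offsets are relative to the fragment buffer, which stands in for the first hbin (in a real file that bin starts 0x1000 bytes in, after the regf header).

```python
"""Parse key (nk) and value (vk) cells from a constructed hive-bin fragment.

Added example for this page (not the slides' own material). The fragment is
built in build_fragment() and is not a real hive; cell layouts follow the
documented on-disk format.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NK_FMT = "<2sHQ" + "I" * 15 + "HH"   # 76-byte nk header after the cell size
VK_FMT = "<2sHIIIHH"                 # 20-byte vk header after the cell size
REG_SZ, REG_DWORD = 1, 4
SAMPLE_LAST_WRITE = datetime(2015, 12, 19, tzinfo=timezone.utc)   # constructed


def filetime_to_datetime(ft):
    """FILETIME: 100-ns ticks since 1601-01-01 UTC (the key's LastWrite time)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def is_allocated(buf, off):
    """Cell in use? Deleted keys/values linger in free (positive-size) cells."""
    return struct.unpack_from("<i", buf, off)[0] < 0


def make_cell(payload):
    """Allocated cell: size is negative while in use, rounded up to 8 bytes."""
    size = (len(payload) + 4 + 7) // 8 * 8
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")


def build_fragment(last_write=SAMPLE_LAST_WRITE):
    """Constructed hive-bin data: one key 'Run' with two values. Offsets are
    relative to this buffer, standing in for the first hbin of a hive."""
    ft = (last_write - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    cells = []

    def add(payload):
        off = sum(len(c) for c in cells)
        cells.append(make_cell(payload))
        return off

    sz = "C:\\Tools\\agent.exe".encode("utf-16-le") + b"\x00\x00"
    data_off = add(sz)                                 # data cell: raw bytes, no signature
    vk_sz = add(struct.pack(VK_FMT, b"vk", 5, len(sz), data_off, REG_SZ, 1, 0) + b"Agent")
    # 4-byte data: high bit of the length set, the value sits in the offset field itself
    vk_dw = add(struct.pack(VK_FMT, b"vk", 5, 0x80000000 | 4, 2, REG_DWORD, 1, 0) + b"Start")
    vlist = add(struct.pack("<II", vk_sz, vk_dw))      # value list: array of vk offsets
    nk = struct.pack(NK_FMT, b"nk", 0x20, ft,          # 0x20 = ASCII (compressed) name
                     0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF,  # access, parent, subkey counts/lists
                     2, vlist, 0xFFFFFFFF, 0xFFFFFFFF,             # value count/list, security, class
                     0, 0, 0, 0, 0, 3, 0) + b"Run"                 # max-length hints, workvar, name lengths
    nk_off = add(nk)
    return b"".join(cells), nk_off


def parse_vk(buf, off):
    """Value cell -> dict; raises on a free or non-vk cell."""
    sig, name_len, data_len, data_off, vtype, flags, _ = struct.unpack_from(VK_FMT, buf, off + 4)
    if not is_allocated(buf, off) or sig != b"vk":
        raise ValueError("offset %#x is not an allocated vk cell" % off)
    raw = buf[off + 24: off + 24 + name_len]
    name = raw.decode("latin-1") if flags & 1 else raw.decode("utf-16-le")
    if data_len & 0x80000000:                          # inline data, at most 4 bytes
        data = struct.pack("<I", data_off)[: data_len & 0x7FFFFFFF]
    else:                                              # skip the data cell's own size field
        data = buf[data_off + 4: data_off + 4 + data_len]
    return {"name": name or "(Default)", "type": vtype, "data": data}


def parse_nk(buf, off):
    """Key cell -> name, LastWrite, subkey count and parsed values."""
    f = struct.unpack_from(NK_FMT, buf, off + 4)
    if not is_allocated(buf, off) or f[0] != b"nk":
        raise ValueError("offset %#x is not an allocated nk cell" % off)
    flags, ft, n_subkeys, n_values, vlist, name_len = f[1], f[2], f[5], f[9], f[10], f[18]
    raw = buf[off + 80: off + 80 + name_len]
    name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")
    values = []
    if n_values:
        offsets = struct.unpack_from("<%dI" % n_values, buf, vlist + 4)
        values = [parse_vk(buf, o) for o in offsets]
    return {"name": name, "last_write": filetime_to_datetime(ft),
            "subkeys": n_subkeys, "values": values}


if __name__ == "__main__":
    buf, nk_off = build_fragment()
    key = parse_nk(buf, nk_off)
    print(key["name"], key["last_write"].isoformat())
    for v in key["values"]:
        print("  %-8s type=%d data=%r" % (v["name"], v["type"], v["data"]))
```

Two details carry over to real hives: the sign of the cell size is what separates live content from deleted content that a carving tool can still recover, and the high bit of the vk data length is what decides whether the "offset" field is an offset at all. Values larger than 16 KB in newer hive versions use an additional "db" indirection that this example does not implement.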