Windows Forensics


Registry Hives

A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

Registry Editor

You can find registry keys in the Registry Editor.

  1. Open Registry Editor

    • Push Windows key + R key to open a prompt and type "regedit" to open Registry Editor.

    • In Registry Editor, right-click on the value of the left pane and click.

  2. Default Location of Registry Hives

    • Located in C:\Windows\System32\config

      • DEFAULT (mounted on HKEY_USERS\.DEFAULT)

        • HKEY_USERS\.DEFAULT is not the default user profile (i.e. the profile used as the default settings for a user who logs in and does not have an existing profile).

          • It is the profile for the LOCALSYSTEM account. It is an alias for HKEY_USERS\S-1-5-18.

        • The registry settings used as the default settings for a user who logs in and does not have an existing profile are at C:\Users\Default\ntuser.dat.

      • SAM (mounted on HKEY_LOCAL_MACHINE\SAM)

        • The Security Account Manager (SAM) is a particular registry hive that stores credentials and account information for local users.

        • From it, examiners can also interpret per-user information, including each user's login dates and times and the login count.

      • SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)

        • This hive contains the local system security policy settings, which control, among other things:

          • which domains are trusted to authenticate logon attempts

          • which users are allowed to access the system

          • on what channels these users are allowed to access the system (interactive, network, service logons)

          • which privileges are assigned to a user

          • how users are audited

          • logon information for cached domain logons and service logons

      • SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)

        • It stores configuration information of various programs installed on the computer.

      • SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)

        • It contains information such as the device drivers that are installed on the system, the system's hardware configuration, and the SIDs for local user accounts.

  3. Alternative Hives

    • The other registry hives are located in C:\Users\<username>.

    • Note that these hives are hidden files.

      • NTUSER.DAT (mounted on HKEY_CURRENT_USER) - located in C:\Users\<username>\

      • USRCLASS.DAT (mounted on HKEY_CURRENT_USER\Software\CLASSES) - located in C:\Users\<username>\AppData\Local\Microsoft\Windows

  4. Amcache Hive

    • This hive stores the information on programs that were recently run on the system.

      • Amcache Hive is located in C:\Windows\appcompat\Programs\Amcache.hve.
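Every hive file listed above (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT, NTUSER.DAT, USRCLASS.DAT, Amcache.hve) starts with the same 4 KiB "regf" base block, so the first check an examiner makes on an acquired copy is to parse that header: confirm the signature, read the last-write timestamp, compare the two sequence numbers (they differ when the hive was copied mid-write and the .LOG1/.LOG2 transaction logs hold data the primary file lacks), and verify the XOR-32 checksum. The following Python is an added example written for this page, not code from the original page or from any tool; it assumes the documented regf base-block layout (signature at 0x00, sequence numbers at 0x04/0x08, FILETIME at 0x0C, file name at 0x30, checksum at 0x1FC), and the hive bytes it parses are constructed in the script itself rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096   # the base block is the first 4 KiB of every hive file
CHECKSUM_OFFSET = 0x1FC  # XOR-32 of the 508 bytes before it
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build constructed samples."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(base_block):
    """XOR-32 over the 127 little-endian dwords preceding the checksum field."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        acc ^= dword
    # The format reserves two values: 0xFFFFFFFF is stored as 0xFFFFFFFE and 0 as 1.
    if acc == 0xFFFFFFFF:
        acc = 0xFFFFFFFE
    elif acc == 0:
        acc = 1
    return acc


def is_registry_hive(data):
    """Cheap triage: does the file start with the regf signature?"""
    return len(data) >= 4 and data[:4] == REGF_MAGIC


def parse_base_block(data):
    """Parse the regf base block of a hive file and return the forensic fields."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file too short to hold a 4 KiB regf base block")
    block = data[:BASE_BLOCK_SIZE]
    if not is_registry_hive(block):
        raise ValueError("not a registry hive: missing 'regf' signature")
    (primary_seq, secondary_seq, last_written, major, minor,
     file_type, file_format, root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    # Hive file name: up to 64 bytes of NUL-padded UTF-16LE at offset 0x30.
    name = block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "name": name,
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Unequal sequence numbers mean the last write was not flushed completely;
        # the .LOG1/.LOG2 transaction logs must then be collected and replayed.
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,        # 0 = primary hive file, 1 = transaction log
        "root_cell_offset": root_cell,  # relative to the first hive bin at 0x1000
        "hbins_data_size": hbins_size,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def build_sample_base_block(name, primary_seq, secondary_seq, last_written):
    """Build a constructed (not captured) base block so the parser can be exercised offline."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_MAGIC
    struct.pack_into("<IIQIIIIII", block, 4, primary_seq, secondary_seq,
                     datetime_to_filetime(last_written), 1, 5, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")[:64]
    block[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


# Constructed samples: a cleanly flushed SAM hive and a SYSTEM hive copied mid-write.
SAMPLE_CLEAN = build_sample_base_block(
    "emRoot\\System32\\Config\\SAM", 7, 7, datetime(2024, 1, 1, tzinfo=timezone.utc))
SAMPLE_DIRTY = build_sample_base_block(
    "emRoot\\System32\\Config\\SYSTEM", 12, 11, datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("dirty", SAMPLE_DIRTY)):
        info = parse_base_block(blob)
        print(f"{label}: name={info['name']!r} dirty={info['dirty']} "
              f"last_written={info['last_written'].isoformat()} checksum_ok={info['checksum_ok']}")
```

To run it against a real acquisition, read the hive file in binary mode and pass the bytes to `parse_base_block`; a `dirty` result or a failed checksum means the copy should not be trusted on its own and the matching transaction logs (and, for a live system, a volume shadow copy rather than the locked file) should be collected alongside it.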

Acquire Registry Data

Explore Registry Data

System Information

  • OS Version

    • The location is HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion.

