Taha İslam YILMAZ, Computer Engineering, TOBB ETU, ADEO IWS - Computer Forensics
WINDOWS REGISTRY
Windows Registry
• Understanding what the registry is and what it does
• How the Windows registry is built up and which files are used
• A few important registry keys for forensics
• Demo
• Central database of Windows
• The database contains most of the settings for Windows, programs, hardware and users.
• For example: the profile of each user, the applications installed on the computer, what hardware exists on the system and the last shut-down time of the computer.
• The hive files are stored in C:\Windows\System32\config
• HKCR - Contains information about which program opens a file when it is executed from Windows Explorer.
• HKCU - Contains the profile of the user that is currently logged on.
• HKLM - Contains system-wide hardware settings and configuration information.
• HKU - Contains all user profiles that exist on the system. Also contains information about the type of hardware installed, default settings of software and desktop configurations. This information is used for all users who log on to this computer.
• HKCC - Contains information about the hardware profile used when the computer starts up.
Important information that can be recovered for forensic cases:
• System Configuration
• Devices on the System
• User Names
• Web Browsing Activity
• Recent Files
Reports are created with regripper_2.02. Which hive holds each kind of evidence:

Information             Hive
System Configuration    SYSTEM
Devices on the System   SYSTEM
User Names              SAM
Web Browsing Activity   NTUSER.DAT
Recent Files            NTUSER.DAT
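Before a hive is handed to RegRipper, an examiner usually checks that the file really is a hive, which hive it is, and whether it was closed cleanly. The following script is an added example written for this page; it is not from the slides or from RegRipper. It parses the 4 KiB REGF base block (signature, sequence numbers, last-written FILETIME, embedded file name, header checksum) and maps the hive to the root key it is mounted under and to the evidence categories the table above lists. The sample headers are constructed inside the script (build_sample_header) and are not real hive files; the path names and the EVIDENCE_BY_HIVE table are assumptions made for the example.

```python
"""Triage REGF hive files before parsing them with a tool such as RegRipper.

Added example, not from the slides. Only the 4 KiB base block is parsed;
the sample "hives" below are constructed headers without any hive bins.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x1000       # the REGF base block is one 4 KiB page; hbins follow it
CHECKSUM_OFFSET = 0x1FC    # XOR of the 127 DWORDs that precede this offset

# Root key each hive file is mounted under, and the evidence the slides map to it
# (table assumed for this example).
EVIDENCE_BY_HIVE = {
    "SYSTEM":     ("HKLM\\SYSTEM", ["System Configuration", "Devices on the System"]),
    "SAM":        ("HKLM\\SAM",    ["User Names"]),
    "NTUSER.DAT": ("HKU\\<SID>",   ["Web Browsing Activity", "Recent Files"]),
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-ns ticks since 1601-01-01 00:00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(header: bytes) -> int:
    """XOR of the DWORDs in the base block before the checksum field."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        csum ^= dword
    if csum == 0:               # Windows never stores 0 or 0xFFFFFFFF
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def parse_regf_header(data: bytes) -> dict:
    """Decode the base block; raise ValueError if this is not a hive."""
    if len(data) < HEADER_SIZE or data[:4] != b"regf":
        raise ValueError("not a REGF hive: bad signature or truncated header")
    (seq1, seq2, last_written, major, minor, file_type,
     _file_format, root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    name = data[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "file_name": name,
        "hive": name.rsplit("\\", 1)[-1].upper(),
        "version": f"{major}.{minor}",
        "file_type": "primary" if file_type == 0 else "log",
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": HEADER_SIZE + root_cell,   # cell offsets are relative to the first hbin
        "hbins_size": hbins_size,
        "clean": seq1 == seq2,          # unequal sequence numbers: a write was in flight
        "checksum_ok": stored == regf_checksum(data),
    }


def triage(hive_files: dict) -> list:
    """hive_files maps path -> raw bytes; returns one summary dict per file."""
    report = []
    for path, data in hive_files.items():
        try:
            hdr = parse_regf_header(data)
        except ValueError as exc:
            report.append({"path": path, "error": str(exc)})
            continue
        mount, evidence = EVIDENCE_BY_HIVE.get(hdr["hive"], ("unknown", []))
        report.append({
            "path": path,
            "hive": hdr["hive"],
            "mounted_as": mount,
            "last_written": hdr["last_written"].isoformat(),
            "needs_log_replay": not hdr["clean"],   # replay .LOG1/.LOG2 before parsing
            "checksum_ok": hdr["checksum_ok"],
            "evidence": evidence,
        })
    return report


def build_sample_header(name: str, seq1: int, seq2: int, last_written: int) -> bytes:
    """Constructed test data: a base block with a valid checksum and no hbins."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = b"regf"
    # major 1, minor 5, type 0 (primary), format 1, root cell at +0x20, hbins size 0x1000
    struct.pack_into("<IIQIIIIII", hdr, 4, seq1, seq2, last_written, 1, 5, 0, 1, 0x20, 0x1000)
    hdr[0x30:0x70] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)


FT_2015_01_01 = 130645440000000000   # FILETIME for 2015-01-01 00:00:00 UTC

SAMPLE_HIVES = {   # constructed headers, not real hive files
    "config/SYSTEM":    build_sample_header(r"\System32\config\SYSTEM", 5, 5, FT_2015_01_01),
    "alice/NTUSER.DAT": build_sample_header(r"\Users\alice\NTUSER.DAT", 12, 11, FT_2015_01_01),
    "config/NOTAHIVE":  b"MZ" + bytes(HEADER_SIZE),
}

if __name__ == "__main__":
    for entry in triage(SAMPLE_HIVES):
        print(entry)
```

A hive whose sequence numbers differ was not flushed completely; its transaction logs (SYSTEM.LOG1, SYSTEM.LOG2, and so on) should be applied, or the copy retaken, before the keys the slides list are trusted. A checksum mismatch on a copied hive usually means a partial or damaged acquisition rather than tampering, but either way it deserves a note in the report.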
DEMO: A few important registry keys for forensics

Thank you for listening to me!