Registry Analysis For Forensic Investigation
Registry analysis is an important step for forensic investigators to collect evidence that supports their case. Malicious programs, like any other program, leave traces in the Registry as they run, and those traces are valuable to an investigator. The Windows Registry holds a great deal of information about the system, such as its settings and configuration.
Firstly, the name of the computer is available in the following Registry sub key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
CurrentControlSet is a symbolic link that exists only on a running system. On a SYSTEM hive taken from a disk image, read the DWORD value HKEY_LOCAL_MACHINE\SYSTEM\Select\Current to learn which ControlSet00x was in use at the last boot and look under that key instead.
The system information Registry sub key has the following path: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
This key holds several values that contain information about the system, such as the BIOS vendor, version and release date and the system manufacturer and product name. Note that the HARDWARE hive is volatile: it is rebuilt at every boot and is not written to disk, so it can only be read from a live system or a memory image, not from an imaged disk.
…
similar to the history and cookies kept by a web browser. One example of an MRU list located in the Windows Registry is the RunMRU key. When a user types a command into the 'Run' box via the Start menu, the entry is added to this Registry key. The location of this key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (stored in the user's NTUSER.DAT hive) and its contents can be seen in Figure 2. Each command is held in a value named with a single letter (a, b, c, …) and ends with a literal "\1" suffix; the MRUList value lists those letters from most to least recently used, which is what gives the entries their order.
Figure 2 - RunMRU key
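The following Python, added here and not part of the original essay, decodes a RunMRU key: the single-letter values are placed in the order given by MRUList, most recent first, and the "\1" suffix Windows appends to each command is stripped. The key contents in SAMPLE_RUNMRU are constructed for illustration; on a live Windows system the read_run_mru_live helper pulls the same dictionary out of HKCU with the standard-library winreg module, and for an offline NTUSER.DAT hive any hive parser that yields value name/data pairs can feed decode_run_mru in the same way.

```python
"""Decode the Run-box history stored in the RunMRU key.

Each command lives in a value named with one letter (a, b, c, ...) and ends in
a literal "\\1"; the MRUList value lists those letters most-recent-first.
"""


def decode_run_mru(values):
    """Return the commands in MRUList order, most recent first.

    `values` maps value name -> string data exactly as read from the key.
    Letters present in the key but missing from MRUList are appended at the
    end so that no command the key contains is silently dropped.
    """
    order = values.get("MRUList", "")
    history, seen = [], set()
    for letter in order:
        if letter in values and letter not in seen:
            history.append(_strip_suffix(values[letter]))
            seen.add(letter)
    for name, data in values.items():
        if len(name) == 1 and name not in seen:
            history.append(_strip_suffix(data))
    return history


def _strip_suffix(command):
    """Windows appends "\\1" to every RunMRU entry; it is not part of the command."""
    return command[:-2] if command.endswith("\\1") else command


def read_run_mru_live():
    """Read the key for the current user on a live Windows system (winreg only)."""
    import winreg  # standard library on Windows; imported lazily so the module loads elsewhere

    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once the value index runs past the end
                break
            values[name] = data
            index += 1
    return values


# Constructed sample of a RunMRU key (not captured from a real system)
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\10.0.0.5\\share\\1",
    "d": "powershell -ep bypass\\1",
    "MRUList": "dcab",
}

if __name__ == "__main__":
    for position, command in enumerate(decode_run_mru(SAMPLE_RUNMRU), 1):
        print(f"{position}. {command}")
```

Run stand-alone it prints the four sample commands with the PowerShell invocation first, because MRUList names "d" before "c", "a" and "b"; an entry that appears under a letter but is absent from MRUList is still reported, at the end, since its presence in the key is evidence even when its ordering is lost.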
• Wireless Networks
When a user connects to a wireless network or hotspot, the SSID is logged. On Windows XP this is found in the Registry under the HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces key (WZCSVC is the Wireless Zero Configuration service); on Windows Vista and later the network profiles live under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles instead. Windows also logs the network settings of each connection, such as the IP address, DHCP domain and subnet mask. The Registry key in which these can be found is HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\ (substitute the control set named by HKLM\SYSTEM\Select\Current if it is not ControlSet001), which is illustrated in Figure 4a.
Figure 4a - Network
…
Figure 5 displays the output of this key.
Figure 5 - List of computers the system has been associated with on a LAN
• USB Devices
When a USB mass-storage device is connected, its information is stored in the Registry under HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR. Each subkey is named from the device's class, vendor, product and revision strings (in the form Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>), and beneath it a further subkey is named after the device's serial number, so this key records every USB storage device that has ever been connected to the system. If the second character of that serial-number subkey is an ampersand, the device did not report a unique serial and Windows generated the identifier itself, so it cannot be used to tell two devices of the same model apart. USB devices that are not storage devices are recorded under HKLM\SYSTEM\ControlSet00x\Enum\USB instead. Figure 6 reveals the contents of this key, all of which can be interpreted: it lists an iPod, two external hard drives, a digital video camcorder, and several different thumb drives.
• Mounted Devices
The key is HKLM\SYSTEM\MountedDevices and it stores the database of mounted volumes maintained by the Mount Manager. The binary data of each \DosDevices\x: value identifies the volume: for a partition on a fixed MBR disk it is 12 bytes (the 4-byte disk signature followed by the 8-byte byte offset of the partition), whereas for a removable USB device it is a UTF-16LE string containing the same vendor, product and serial-number strings that appear under Enum\USBSTOR, which lets an investigator tie a drive letter to a specific physical device. This is demonstrated in Figure 7, where \DosDevices\F: is a mounted volume listed as 'STORAGE Removable Media'. This information helps an investigator decide whether any other devices need to be seized.
Figure 7 - Identification of volume \DosDevices\F:
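This Python block, added here rather than taken from the essay, ties the USB Devices and Mounted Devices sections together: it parses the USBSTOR subkey names into vendor, product, revision and serial number, flags serial numbers that Windows generated itself (second character '&'), decodes the binary MountedDevices data for MBR partitions, GPT partitions and USB devices, and reports which drive letter each USB storage device is mapped to. The USBSTOR and MountedDevices contents in SAMPLE_USBSTOR and SAMPLE_MOUNTED are constructed samples in the shape described above (the disk signature and serial numbers are made up); the only real identifier is {53f56307-b6bf-11d0-94f2-00a0c91efb8b}, the standard disk-class device interface GUID that Windows writes at the end of each USB MountedDevices value. On a live system the two dictionaries can be filled with winreg; for an offline SYSTEM hive, any hive parser that yields subkey names and raw value bytes will do.

```python
"""Correlate Enum\\USBSTOR device records with MountedDevices drive letters.

Input dictionaries are shaped like the registry contents (key names and raw
value data); feed them from winreg on a live system or from an offline SYSTEM
hive parser. All sample data below is constructed for illustration.
"""
import re
import struct
import uuid

# Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
USBSTOR_KEY_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$"
)
GUID_DEVINTERFACE_DISK = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"


def parse_usbstor_instance(device_key, instance_key):
    """Describe one USBSTOR\\<device_key>\\<instance_key> entry.

    A '&' as the second character of the instance key means the device
    reported no unique serial and Windows synthesised the ID, so it cannot
    be used to tell two devices of the same model apart.
    """
    m = USBSTOR_KEY_RE.match(device_key)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {device_key!r}")
    generated = len(instance_key) > 1 and instance_key[1] == "&"
    return {
        "device_class": m["cls"],
        "vendor": m["vendor"],
        "product": m["product"],
        "revision": m["revision"],
        "instance_id": instance_key,
        "windows_generated_id": generated,
        # real serials carry a trailing "&<interface>" suffix, e.g. "...&0"
        "serial": None if generated else instance_key.rsplit("&", 1)[0],
    }


def decode_mounted_device(data):
    """Decode the binary data of one MountedDevices value."""
    if len(data) == 12:
        # MBR partition: 4-byte disk signature + 8-byte byte offset, both little-endian
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr_partition", "disk_signature": f"{signature:08x}", "offset": offset}
    if data.startswith(b"DMIO:ID:"):
        # GPT partition: fixed ASCII prefix followed by the 16-byte partition GUID
        return {"kind": "gpt_partition", "partition_guid": str(uuid.UUID(bytes_le=data[8:24]))}
    text = data.decode("utf-16-le", errors="replace")
    if "USBSTOR#" in text:
        # _??_USBSTOR#<device_key>#<instance_key>#{interface GUID}
        _, device_key, instance_key, *_ = text.split("#")
        return {"kind": "usbstor", "device_key": device_key, "instance_id": instance_key}
    return {"kind": "other", "text": text}


def correlate_usb_devices(usbstor, mounted_devices):
    """usbstor: {device_key: [instance_key, ...]}; mounted_devices: {value_name: bytes}.

    Returns one record per USB storage device with the drive letters that
    MountedDevices currently maps to it (empty if the device was only ever
    seen by USBSTOR or its letter has since been reassigned).
    """
    letters = {}
    for name, data in mounted_devices.items():
        info = decode_mounted_device(data)
        if info["kind"] == "usbstor" and name.startswith("\\DosDevices\\"):
            key = (info["device_key"], info["instance_id"])
            letters.setdefault(key, []).append(name[len("\\DosDevices\\"):])
    records = []
    for device_key, instances in usbstor.items():
        for instance_key in instances:
            rec = parse_usbstor_instance(device_key, instance_key)
            rec["drive_letters"] = letters.get((device_key, instance_key), [])
            records.append(rec)
    return records


def _usb_mounted_value(device_key, instance_key):
    """Build a MountedDevices value for a USB device in the form Windows writes it."""
    return f"_??_USBSTOR#{device_key}#{instance_key}#{GUID_DEVINTERFACE_DISK}".encode("utf-16-le")


# Constructed sample data (not from a real system)
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001230503112345&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["6&2a1b3c4d&0"],
}
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1A2B3C4D, 1048576),
    "\\DosDevices\\F:": _usb_mounted_value(
        "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001230503112345&0"
    ),
}

if __name__ == "__main__":
    for rec in correlate_usb_devices(SAMPLE_USBSTOR, SAMPLE_MOUNTED):
        tag = " (Windows-generated ID)" if rec["windows_generated_id"] else ""
        print(f"{rec['vendor']} {rec['product']} rev {rec['revision']} "
              f"id={rec['instance_id']}{tag} letters={rec['drive_letters']}")
```

With the sample data the SanDisk drive resolves to F: and the Generic drive, whose instance ID begins "6&", is reported with no serial and no letter: it has been plugged in at some point but nothing in MountedDevices currently points at it. MountedDevices only keeps the most recent assignment of each letter, so a device that has no letter here may still have been mounted in the past; USBSTOR is the record of presence, MountedDevices the record of the current mapping.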
• Internet
