Registry Analysis For Forensic Investigation

Registry analysis is an important step for forensic investigators who need to collect evidence that supports their case. When a malicious program runs, it leaves traces behind in the same way other programs do, and those traces are valuable to investigators. The Windows Registry holds a great deal of information about the system, such as its settings and configuration.
Firstly, the name of the computer is available in the following Registry sub key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
The system information Registry sub key has the following path: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
This key holds several values that contain information about the system, such as BIOS information.
similar to how the history and cookies act for a web browser. One example of an MRU list located in the Windows Registry is the RunMRU key. When a user types a command into the 'Run' box via the Start menu, the entry is added to this Registry key. The location of this key is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU and its contents can be seen in Figure 2.
Figure 2 - RunMRU key
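The essay shows the RunMRU key in a figure but not how its values are read. The script below is an added example, not code from the essay: it takes a constructed export of the RunMRU values (the lettered value names, their `\1` suffix and the `MRUList` ordering string all follow the real key's layout; the commands themselves are made up for the sample) and reproduces the most-recent-first order an investigator would reconstruct by hand, flagging a few command shapes that usually deserve a second look.

```python
"""Order and triage RunMRU entries from an offline export (added example)."""

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Each lettered value holds a command with a trailing literal "\1"; MRUList lists
# the slots from most recent to oldest.
RUNMRU_SAMPLE = {
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "\\\\fileserver\\share\\1",
    "d": "powershell -w hidden -e SQBFAFgA\\1",
    "e": "notepad\\1",          # present as a value but absent from MRUList
    "MRUList": "dcba",
}


def strip_suffix(raw):
    """Remove the trailing "\1" marker RunMRU appends to every command."""
    return raw[:-2] if raw.endswith("\\1") else raw


def parse_runmru(values):
    """Return [(slot, command), ...] ordered by MRUList, most recent first.

    Slots named in MRUList but missing as values are skipped; lettered values
    that MRUList does not mention are appended at the end so nothing is lost.
    """
    order = values.get("MRUList", "")
    entries, seen = [], set()
    for slot in order:
        raw = values.get(slot)
        if raw is None:
            continue
        seen.add(slot)
        entries.append((slot, strip_suffix(raw)))
    for slot, raw in values.items():
        if slot == "MRUList" or slot in seen or len(slot) != 1:
            continue
        entries.append((slot, strip_suffix(raw)))
    return entries


def triage_reasons(command):
    """Heuristic flags (assumption: simple string checks, not a full parser)."""
    reasons = []
    lowered = command.lower()
    if command.startswith("\\\\"):
        reasons.append("UNC path: remote share was opened from Run")
    if "powershell" in lowered and (" -e " in lowered or " -enc" in lowered):
        reasons.append("encoded PowerShell command line")
    if " -w hidden" in lowered or " -windowstyle hidden" in lowered:
        reasons.append("hidden window requested")
    return reasons


def report(values):
    """Return one line per entry: position, slot, command and any flags."""
    lines = []
    for pos, (slot, command) in enumerate(parse_runmru(values), start=1):
        flags = "; ".join(triage_reasons(command))
        lines.append(f"{pos:2d} [{slot}] {command}" + (f"  <-- {flags}" if flags else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(RUNMRU_SAMPLE)))
```

Run it as-is to see the ordered list; on a real case, replace `RUNMRU_SAMPLE` with the values exported from the suspect hive. The ordering is the evidentiary point: RunMRU has no timestamps of its own, so MRUList is the only sequence information the key carries, and the key's last-write time dates only the most recent change.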
• Wireless Networks
When a person connects to a network or hotspot, the SSID is logged; this can be found in the Registry under the HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces key. Windows also logs the network settings of that particular connection, such as the IP address, DHCP domain, subnet mask, etc. The Registry key in which this can be found is HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\, which is illustrated in Figure 4a.
Figure 4a - Network
Figure 5 displays the output of this key.
Figure 5 - List of computers associated with the system on a LAN
• USB Devices
When a device is connected via USB, the device's information is stored in the Registry under HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR. This key stores the product and device ID values of any USB device that has ever been connected to the system. Figure 6 reveals the contents of this key, all of which can be interpreted: it lists an iPod, two external hard drives, a digital video camcorder, and several different thumb drives.
• Mounted Devices
The key is HKLM\SYSTEM\MountedDevices and it stores a database of mounted volumes that is used by the NTFS file system. The binary data for each \DosDevices\x: value contains information for identifying each volume. This is demonstrated in Figure 7, where \DosDevices\F: is a mounted volume listed as 'STORAGE Removable Media'. This information helps an investigator determine whether any other devices should be seized.
Figure 7 - Identification of volume \DosDevices\F:
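The USB Devices and Mounted Devices sections describe the two keys separately; in practice they are read together, because the USBSTOR instance ID is what ties a drive letter in MountedDevices back to a specific physical device. The script below is an added example, not code from the essay. The USBSTOR key names, instance IDs and MountedDevices binary values are constructed to match the real layouts (the `Disk&Ven_…&Prod_…&Rev_…` naming, the 12-byte signature-plus-offset form for fixed disks, and the UTF-16 `_??_USBSTOR#…#{GUID}` path form for removable devices); the vendors, serials and signature value are made up.

```python
"""Correlate USBSTOR instances with MountedDevices drive letters (added example)."""
import re
import struct

# Constructed subkeys of HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR:
# device key name -> list of instance-ID subkeys beneath it.
USBSTOR_SAMPLE = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001230712345678&0"],
    "Disk&Ven_WD&Prod_My_Passport_0748&Rev_1019": ["575833314142334B&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&2a1b3c4d&0&_&0"],
}

# Constructed values of HKLM\SYSTEM\MountedDevices: value name -> raw REG_BINARY data.
# C: is a fixed disk (4-byte MBR disk signature + 8-byte partition offset, little-endian).
# F: is a USB volume (UTF-16LE device interface path that embeds the USBSTOR key and instance).
MOUNTED_SAMPLE = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0xA1B2C3D4, 0x100000),
    "\\DosDevices\\F:": (
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"
        "#4C530001230712345678&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
}

DEVICE_KEY_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)$"
)


def parse_usbstor(usbstor):
    """Flatten USBSTOR into one dict per device instance."""
    devices = []
    for keyname, instances in usbstor.items():
        m = DEVICE_KEY_RE.match(keyname)
        if not m:
            continue  # not a storage device key of the expected shape
        for inst in instances:
            devices.append({
                "key": keyname,
                "class": m["cls"], "vendor": m["ven"],
                "product": m["prod"], "revision": m["rev"],
                "instance": inst,
                # An '&' as the second character means Windows generated the ID
                # because the device reported no unique serial number.
                "serial_is_real": len(inst) > 1 and inst[1] != "&",
            })
    return devices


def decode_mounted_device(data):
    """Interpret one MountedDevices value: fixed-disk record or device path."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "fixed", "disk_signature": f"{signature:08x}",
                "partition_offset": offset}
    path = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {"kind": "path", "path": path}


def map_drive_letters(mounted, devices):
    """Return {drive letter: USBSTOR device dict} for USB-backed volumes."""
    by_identity = {(d["key"], d["instance"]): d for d in devices}
    result = {}
    for name, data in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue
        info = decode_mounted_device(data)
        if info["kind"] != "path" or "USBSTOR#" not in info["path"]:
            continue
        parts = info["path"].split("#")  # _??_USBSTOR, <device key>, <instance>, {GUID}
        if len(parts) < 3:
            continue
        device = by_identity.get((parts[1], parts[2]))
        if device is not None:
            result[name[-2:]] = device
    return result


if __name__ == "__main__":
    devs = parse_usbstor(USBSTOR_SAMPLE)
    for d in devs:
        tag = "serial" if d["serial_is_real"] else "no serial (Windows-generated ID)"
        print(f"{d['vendor']} {d['product']} rev {d['revision']}  {d['instance']}  [{tag}]")
    for letter, d in map_drive_letters(MOUNTED_SAMPLE, devs).items():
        print(f"{letter} was mounted from {d['vendor']} {d['product']} ({d['instance']})")
```

The `serial_is_real` flag matters when deciding what to seize: a device whose instance ID was generated by Windows cannot be matched to a physical unit by serial number alone, so the drive-letter correlation from MountedDevices, together with the key's last-write time, is the evidence that remains.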
• Internet