Registry Analysis - PowerPoint PPT Presentation

About This Presentation
Title:

Registry Analysis

Description:

Registry Analysis What is it? What does it contain? Objectives Logical and physical structure of the Registry Format of Registry files Examination of the Registry ... – PowerPoint PPT presentation

Number of Views:160
Avg rating:3.0/5.0
Slides: 22
Provided by: Lowe95
Learn more at: http://webpages.sou.edu
Category:

less

Transcript and Presenter's Notes

Title: Registry Analysis


1
Registry Analysis
  • What is it?
  • What does it contain?

2
Objectives
  • Logical and physical structure of the Registry
  • Format of Registry files
  • Examination of the Registry
  • Forensically important keys
  • Analyzing Registry information

3
The Registry
  • Hierarchal database
  • Maintains configuration settings
  • Applications
  • Hardware
  • Devices
  • Users

4
Registry Access
  • Regedit.exe A GUI interface to the Registry
  • Native to XP and above
  • NT and 2000 has regedit.exe but with limited
    capablities

5
Physical Structure
  • Binary files
  • Stored in RAM and hard drive
  • Limited data types

6
File Locations
7
Registry Data Types
Series of nested arrays designed to store a list
of resources
A list of resources used by a physical HW device
A list of HW resources used by a device driver
8
Logical Structure
  • Highest Level
  • My Computer
  • Contains Five Root Hives
  • Each Hive consists of
  • Keys
  • Each key has a set of
  • ltName Type Valuegt triples
  • Subkeys

9
Root Hives
  • HKEY_USERS
  • Contains all the actively loaded user profiles
    for the system
  • HKEY_CURRENT_USER
  • Is the active, loaded user profile currently
    logged on
  • HKEY_LOCAL_MACHINE
  • Contains configuration information for the system
    both HW and SW

10
Root Hives (contd)
  • HKEY_CURRENT_CONFIG
  • Contains the hardware profile the system uses at
    startup
  • HKEY_CLASSES_ROOT
  • Contains configuration information for which apps
    open which files

11
Five Root Hives
12
HKEY_USERSUser Profiles
13
HKEY_CURRENT_USERLogged on user profile
14
Current User One of those listed in HKEY_USERS
15
HKEY_LOCAL_MACHINEHW and SW Configs
16
HKEY_CURRENT_CONFIGStartup Profile
17
HKEY_CLASSES_ROOTApplication to File Mapping
This hive is subclassed to HKCU\Software\Classes
HKLM \Software\Classes
18
Registry Cell Types
  • Key cell
  • Key info, offsets to subkeys and LastWrite time
  • Value cell
  • Holds a value/name and its data
  • Subkey list cell
  • Series of subkey offsets
  • Value list cell
  • Series of offsets to value cells

19
Registry Structure
Keys
Subkeys
Type
Values
Data
20
Raw Registry File
Key Cell
Value Cell
21
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com