registry analysis what is it? what does it contain?

Report

Tags:

Post on 19-Dec-2015

228 Views

Category:

Documents

2 Downloads

Preview:

Click to see full reader

TRANSCRIPT

Registry Analysis

What is it?

What does it contain?

Objectives

• Logical and physical structure of the Registry

• Format of Registry files

• Examination of the Registry

• Forensically important keys

• Analyzing Registry information

The Registry

• Hierarchal database

• Maintains configuration settings– Applications– Hardware– Devices– Users

Registry Access

• Regedit.exe – A “GUI” interface to the Registry

• Native to XP and above

• NT and 2000 has regedit.exe but with limited capablities

Physical Structure

• Binary files

• Stored in RAM and hard drive

• Limited data types

File Locations

Registry Data Types

Series of nested arrays designed to store a list of resources

A list of resources used by a physical HW device

A list of HW resources used by a device driver

Logical Structure

• Highest Level• My Computer

• Contains Five Root Hives

• Each Hive consists of• Keys

• Each key has a set of • <Name Type Value> triples

• Subkeys

Root Hives

• HKEY_USERS• Contains all the actively loaded user profiles for the

system

• HKEY_CURRENT_USER• Is the active, loaded user profile currently logged on

• HKEY_LOCAL_MACHINE• Contains configuration information for the system

both HW and SW

Root Hives (cont’d)

• HKEY_CURRENT_CONFIG• Contains the hardware profile the system uses at

startup

• HKEY_CLASSES_ROOT• Contains configuration information for which apps

open which files

Five Root Hives

HKEY_USERSUser Profiles

HKEY_CURRENT_USERLogged on user profile

Current User One of those listed in HKEY_USERS

HKEY_LOCAL_MACHINEHW and SW Configs

HKEY_CURRENT_CONFIGStartup Profile

HKEY_CLASSES_ROOTApplication to File Mapping

This hive is subclassed to HKCU\Software\ClassesHKLM \Software\Classes

Registry Cell Types

• Key cell• Key info, offsets to subkeys and LastWrite time

• Value cell• Holds a value/name and its data

• Subkey list cell• Series of subkey offsets

• Value list cell• Series of offsets to value cells

Registry StructureKeys Subkeys Values Type Data

Raw Registry File

Key Cell

Value Cell

top related

top 10 reasons to buy your .tel domain - europe registry ·...
Documents
what is the duke registry duke registry for autism ......the...
Documents
calculus what is it? what good is it? what is it? what good...
Documents
mmf reference model figures. pdes/step registry...
Documents
[kevin’s attic for security research] windows registry...
Documents
dns registries. overview what is a dns registry? –dns...
Documents
doing it platform - registry of interpreters for the deaf
Documents
gepir what is it? how does it work? welcome! this is a short...
Documents
registry participation 101 - wellbe inc. · registry...
Documents
cancer registry follow-up how we do it
Documents
using srs web services delaware’s experience. what is srs?...
Documents
national registry emt exam study guide · pdf filenational...
Documents
a national mortgage registry: why we need it, and how...
Documents
copertina eng rilegata6 8 12 20 24 28 contents 8.it registry...
Documents
the aaaai quality clinical data registry: what the office...
Documents
“equilibrium” what does it mean? what word does it...
Documents
what is a central cancer registry? a
Documents
us zika pregnancy registry - what parents need to knocdc’s...
Documents
us zika pregnancy registry; what pregnant women need to...
Documents
what is it and why is it important?. what is it? what was...
Documents