Hello, my name is Denise Duffy. Welcome to Windows Registry Forensics. Today, we're going to take an in-depth look at the forensic artifacts contained within the Windows Registry and how this information can relate to your forensic investigations. A little bit about my background: I'm a computer forensic examiner. I teach both digital and mobile forensics. I've retired from a 25-year career in law enforcement, and I've worked as an examiner in both the private and public sector. Next slide.

Today, we're going to take an in-depth look at the Registry and the artifacts contained within the Registry. The goals of this course: we want to talk about understanding the purpose and structure of the Registry files. We want to be able to identify and extract important data from both a live and a non-live Registry. We want to have the ability to interpret the data that we've extracted. The Registry is considered the central nervous system of a computer. It's like a great administrative assistant. It knows your desktop settings, it understands your preferences, what you like to run at startup versus what the system likes to run at startup. It is very good at what it does. We also want to understand how to properly interpret and understand the data contained within the Registry, and we also want to understand how the data gets created. What happens to cause these values to be created inside the Registry? How do we interpret that? How do we explain that to an attorney or a civilian in a civil court, or a judge in a court of law? Next slide.

At the conclusion of this course, of course, we want you to be able to define what the Windows Registry is. We want you to be able to locate the files within the computer system on both a live and a non-live Registry, meaning a bit-stream copy, or an image as it's more commonly referred to. We want you to be able to examine the Registry and locate the data that's important to your investigation.
We want you to understand what is normal to see in the Registry and what would be abnormal, like if a key were missing, or data was missing, or something wasn't quite where it was supposed to be. We want you to be able to recognize that, because that, in itself, may be evidence.

What is the Windows Registry and why is it important to forensic examiners? Why do we care about this Windows Registry? Well, one of the most important reasons we care is that it keeps track of settings for both the users and the system, and it keeps track of historical information. You may be able to see programs within the Registry that no longer reside on the system, programs that were installed at one time that may be important to your case, or that may not be important to your case. You may be able to see USB devices that were attached at one time and are no longer attached to the system, which can be important to your case. It tracks settings for both the user and the system. It also provides an infinite amount of evidence, and it's often an overlooked resource when it comes to forensic examinations.

What is the Windows Registry? What is the definition of it? Well, Microsoft, you can read it here, calls it the central hierarchical database that's designed to store information that is necessary to configure the system for one or more users, applications, and hardware devices. What does all this mean to us? Well, it's hierarchical. In other words, it looks more like your Windows File Explorer, where you're going to see directories and subdirectories, and maybe more subdirectories, and then files within those subdirectories. It's a hierarchical database and it's laid out that way, as opposed to a relational database like an SQL database. It replaces the old .ini configuration files that you saw back in Windows 3.x. If you go back even further to DOS, it replaces the autoexec.bat and the config.sys.
As Windows became more and more complicated and more and more features were added, it needed more and more ways to track and handle this type of stuff.

Why is the Windows Registry important? Like I've said before, the Registry is perhaps the most overlooked treasure trove of forensic artifacts on a Windows system. I truly believe that. It is a great source of evidence and supporting evidence, and it's going to be useful in validating your findings throughout your investigation. One of the first things I do when I do a computer examination is determine the time zone of my suspect's computer, and that is done through the Registry. Another very important thing you want to do is determine what type of operating system you're dealing with, whether it's Windows 7, Windows 10, Windows 8, whatever it is. That's going to greatly impact how you do your investigation, what artifacts you're going to look for, and where they're going to be located. Also, you want to find out the OS install date. Was this something that was recently installed? Is somebody trying to cover up evidence by re-installing Windows? All these things could be of great importance, and the answers to all of these things are in the Registry.

What can we find in the Registry? Well, the artifacts contained in the Registry can be broken down into three basic groups. We have user-specific information, system information, and application-specific information. When we talk about user information, we may be talking about desktop preferences, remote desktop. We could be talking about MRUs: what applications has a user recently used? MRU stands for most recently used. What has the user typed into the search bar? What are the registered owner's details? When we're talking about system-specific information, we could be talking about computer name, last shutdown time, Wi-Fi information, file transfer information, remote desktop information. We'll look at application-specific information.
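The three items the instructor checks first, time zone, OS version/install date and (under system information) last shutdown time, are stored in the Registry as raw DWORD, FILETIME and UTF-16 values that have to be decoded before they mean anything. The following is an added example, not code from the course or from any forensic tool: it decodes those raw value types the way an examiner would after pulling them from an offline SYSTEM or SOFTWARE hive. The key paths in the comments are the standard Windows locations for these values; the sample bytes are constructed for the example and are not from a real system.

```python
"""Decode raw Registry values an examiner looks at first: OS install date,
last shutdown time and time-zone bias. Added example with constructed data."""
import struct
from datetime import datetime, timedelta, timezone


def decode_unix_dword(raw: bytes) -> datetime:
    """REG_DWORD holding seconds since 1970-01-01 UTC.
    Used by SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate."""
    (secs,) = struct.unpack("<I", raw)          # little-endian unsigned 32-bit
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def decode_filetime(raw: bytes) -> datetime:
    """8-byte little-endian FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
    Used by SYSTEM\\ControlSet00N\\Control\\Windows\\ShutdownTime (REG_BINARY).
    In an offline hive there is no CurrentControlSet link; read SYSTEM\\Select\\Current
    to learn which ControlSet00N was live."""
    (ticks,) = struct.unpack("<Q", raw)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def decode_bias_minutes(raw: bytes) -> int:
    """REG_DWORD Bias / ActiveTimeBias under SYSTEM\\ControlSet00N\\Control\\TimeZoneInformation.
    Windows defines Bias as UTC - local, and the DWORD is really signed: a zone
    east of UTC shows up as 0xFFFFFFC4 (-60), not 4294967236."""
    (bias,) = struct.unpack("<i", raw)          # little-endian signed 32-bit
    return bias


def decode_reg_sz(raw: bytes) -> str:
    """REG_SZ is UTF-16LE with a trailing NUL, e.g. TimeZoneKeyName."""
    return raw.decode("utf-16-le").rstrip("\x00")


def to_local(utc_dt: datetime, bias_minutes: int) -> datetime:
    """Convert a UTC timestamp to the suspect machine's local time.
    Since Bias = UTC - local, the local UTC offset is -Bias."""
    return utc_dt.astimezone(timezone(timedelta(minutes=-bias_minutes)))


# Constructed sample values (not from a real hive), in the raw byte form a hive parser returns.
SAMPLE_VALUES = {
    "InstallDate": bytes.fromhex("00105e5f"),                   # DWORD 0x5F5E1000 = 1600000000
    "ShutdownTime": (132539328000000000).to_bytes(8, "little"), # FILETIME for 2021-01-01 00:00 UTC
    "Bias": bytes.fromhex("2c010000"),                          # 300 minutes: US Eastern
    "ActiveTimeBias": bytes.fromhex("f0000000"),                # 240 minutes: daylight time in effect
    "TimeZoneKeyName": "Eastern Standard Time".encode("utf-16-le") + b"\x00\x00",
}


def summarize(values: dict) -> dict:
    """Turn the raw values into the human-readable facts that go in a report."""
    install = decode_unix_dword(values["InstallDate"])
    shutdown = decode_filetime(values["ShutdownTime"])
    active_bias = decode_bias_minutes(values["ActiveTimeBias"])
    return {
        "install_date_utc": install.isoformat(),
        "last_shutdown_utc": shutdown.isoformat(),
        # ActiveTimeBias, not Bias, reflects whether daylight saving was in effect
        "last_shutdown_local": to_local(shutdown, active_bias).isoformat(),
        "bias_minutes": decode_bias_minutes(values["Bias"]),
        "active_time_bias_minutes": active_bias,
        "time_zone_key_name": decode_reg_sz(values["TimeZoneKeyName"]),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_VALUES).items():
        print(f"{name:26s} {value}")
```

The point of keeping UTC and local side by side is that every other artifact on the system (event logs, NTFS timestamps, browser history) is in UTC or in a format that has to be normalized against this same bias; getting the bias wrong by its sign or by the daylight-saving adjustment shifts an entire timeline.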
We can be talking about what types of browsers are installed on the system. What are the default download folders for these browsers? Where are the search terms kept? If we have peer-to-peer information on there, there are also other things we could find about peer-to-peer applications located in the Registry. Like I've alluded to before, it does act as a log file, where it's going to track historical information as well as information as it happens.

What type of case you are investigating will determine the type of information you're going to be looking for. Now, that's true no matter what you're talking about, whether we're talking about the Registry or we're talking about the entire computer exam. It is going to be case-specific. If I'm doing an intellectual property theft case, I may care about remote desktop connections. If I'm thinking it was an insider job, I may care about USB connections. I may care about private email addresses. I may care about file transfers. If I'm doing a child exploitation case, I'm going to care about search terms used over the Internet. I'm going to look at a lot of Internet browser history. I'm going to be concerned with temporary Internet files, Internet cache, thumbnails, these types of things. If you were doing an incident response case, again, remote desktop might still be an issue. You'd want to look at Wi-Fi information, access points. You might look at the run key.

Knowing what type of case you're looking at, and knowing what type of information you can find in the Registry which may relate to these cases, is extremely important. Then we have to know where in the Registry we can find that information. Once we find that information, we must know how to interpret it and how to explain to somebody how it got there. In our next section, we're going to take a look at the structure of the Windows Registry.