User Profiles and the Windows Registry
GIAC Certified Forensic Examiner Objectives:
Analysis of User Communication
- The candidate will demonstrate an understanding of the forensic examination of user communication applications and methods, including host-based and mobile email applications, instant messaging, and other software and Internet-based user communication applications.
Windows Registry Artifact Analysis
- The candidate will demonstrate an understanding of the registry artifacts created by system and user activity.
Windows Registry Fundamentals
- The candidate will demonstrate an understanding of the structure and purpose of the Windows registry and the types of tools used to analyze and parse the data.
Overview
This lab is part of a series of lab exercises designed through a grant initiative by the Center for Systems Security and Information Assurance (CSSIA) and the Network Development Group (NDG), funded by the National Science Foundation's (NSF) Advanced Technological Education (ATE) program, Division of Undergraduate Education (DUE), Award Nos. 0702872 and 1002746.
The Windows Registry is a hierarchical database that stores low-level configuration settings for the Microsoft Windows operating system and for the applications that choose to use it. Examples of data stored in the registry are settings and values for both hardware and software, including installed application locations and the configuration keys that hardware and software need on Windows. On disk the registry is held in a small set of hive files; on a running system these files are locked by the kernel, so they cannot simply be copied. By the end of this lab, the student will capture the registry hives of a live Windows XP system using FTK Imager, a freely available tool from the commercial vendor AccessData that reads the locked hive files directly from the volume. Students will then analyze the captured hives using two open source tools: RegRipper and RegViewer.
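The hives captured in this lab are raw binary files, and the first thing to check before handing them to RegRipper or RegViewer is the 512-byte "regf" base block at the start of each file: its signature, whether the primary and secondary sequence numbers agree (they differ when a live capture caught the hive between a write and its commit, in which case the hive is dirty and its .LOG file matters), when it was last written, and whether the header checksum is intact. The parser below is an added example written for this page; it is not code from the lab, from FTK Imager or from RegRipper. The sample headers it parses are constructed inside the script (format version 1.3, which is what Windows XP writes), and the hive names in them are made up.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# A registry hive file starts with a 512-byte base block whose signature is "regf".
HEADER_SIZE = 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the constructed samples."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def regf_checksum(header):
    """XOR-32 of the first 508 bytes, as stored at offset 508 of the base block."""
    checksum = 0
    for (word,) in struct.iter_unpack("<I", header[:508]):
        checksum ^= word
    # Special cases defined by the on-disk format: 0xFFFFFFFF is stored as 0xFFFFFFFE, 0 as 1.
    if checksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if checksum == 0:
        return 1
    return checksum


def parse_regf_header(data):
    """Parse the base block of a hive and return the fields an examiner checks first."""
    if len(data) < HEADER_SIZE:
        raise ValueError("data is shorter than a 512-byte hive base block")
    header = data[:HEADER_SIZE]
    (signature, primary_seq, secondary_seq, last_written, major, minor,
     file_type, file_format, root_cell, hbins_size, _cluster) = struct.unpack_from(
        "<4sIIQIIIIIII", header, 0)
    if signature != b"regf":
        raise ValueError("not a registry hive: signature %r" % signature)
    # The file name field is 64 bytes of UTF-16LE at offset 48 (the tail of the original path).
    name = header[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", header, 508)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Unequal sequence numbers mean the last write was not committed: the hive is dirty
        # and its .LOG transaction log should be applied before trusting the contents.
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "version": "%d.%d" % (major, minor),
        "file_type": file_type,         # 0 = primary hive file, 1 = transaction log
        "file_format": file_format,     # 1 = direct memory load
        "root_cell_offset": root_cell,  # relative to the first hive bin at file offset 0x1000
        "hbins_size": hbins_size,
        "name": name,
        "checksum_ok": stored_checksum == regf_checksum(header),
    }


def build_sample_header(primary_seq, secondary_seq, name, written):
    """Construct a synthetic base block (sample input for this example, not a real hive)."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<4sIIQIIIIIII", header, 0, b"regf", primary_seq, secondary_seq,
                     datetime_to_filetime(written), 1, 3, 0, 1, 0x20, 0x1000, 1)
    header[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", header, 508, regf_checksum(header))
    return bytes(header)


SAMPLE_TIME = datetime(2009, 6, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp


def demo_clean():
    """A consistent hive: equal sequence numbers and a valid checksum."""
    return parse_regf_header(build_sample_header(7, 7, "\\Config\\SOFTWARE", SAMPLE_TIME))


def demo_dirty():
    """A hive captured mid-write: the primary sequence number is ahead of the secondary."""
    return parse_regf_header(build_sample_header(9, 8, "\\Config\\SYSTEM", SAMPLE_TIME))


def demo_corrupted():
    """One flipped bit in the name field makes the stored checksum no longer match."""
    damaged = bytearray(build_sample_header(7, 7, "\\Config\\SAM", SAMPLE_TIME))
    damaged[60] ^= 0x01
    return parse_regf_header(bytes(damaged))


if __name__ == "__main__":
    # Usage: python regf_header.py <captured hive file>; without an argument, the dirty sample is shown.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            info = parse_regf_header(f.read(HEADER_SIZE))
    else:
        info = demo_dirty()
    for key, value in info.items():
        print("%-16s %s" % (key, value))
```

Run it against each hive FTK Imager exports (SAM, SECURITY, SOFTWARE, SYSTEM, and each user's NTUSER.DAT). A bad signature means the wrong file was grabbed; a checksum mismatch means the header was damaged in transit; unequal sequence numbers mean the live capture caught an uncommitted write, which is worth noting in the report before RegRipper is run over the file.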
OUTCOMES:
In this lab, you will learn to:
- Capture a live Windows XP registry
- Analyze the registry hives using RegViewer
- Analyze the registry hives using RegRipper