Windows Registry

In this lab, students will analyze the Windows registry. The Windows registry is a database that holds user and computer settings critical to the operation of the PC. One of the tools used in this lab is Windows Registry Recovery (WRR), which parses a registry hive into more easily readable values so an analyst can easily discern the various registry settings.

Overview

The Windows registry is an extensive database of user and application settings on a Windows system. It can be a treasure trove of information that helps an analyst or forensic examiner determine many things about the user's operating system. Someone performing malware analysis on a compromised machine is also interested in registry settings, because attackers can use certain registry keys to make their programs run automatically at startup.

OUTCOMES

In this lab, you will learn to:

  1. Capture a live Windows registry
  2. Analyze the Windows registry with regedit
  3. Analyze an FTK image of the Windows registry with Windows Registry Recovery
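
The following PowerShell script is an added example and is not part of the lab materials; it ties outcome 1 to the startup-key point made in the overview. It captures the SAM, SYSTEM and SOFTWARE hives from a live machine with `reg.exe save` (a plain file copy fails because the live hives are locked), hashes the copies, and then lists the contents of the common autostart ("Run") keys for triage. The evidence folder `C:\Evidence\Registry` is an assumed path; run it from an elevated prompt.

```powershell
# Added example (not from the lab): capture live hives and triage autostart keys.
$OutDir = 'C:\Evidence\Registry'   # assumed evidence folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Capture. reg.exe save produces hive files that FTK Imager / WRR can open.
foreach ($hive in 'SAM', 'SYSTEM', 'SOFTWARE') {
    reg.exe save "HKLM\$hive" (Join-Path $OutDir "$hive.hiv") /y | Out-Null
}
# Record SHA-256 hashes so the captured hives can be verified later.
Get-ChildItem $OutDir -Filter *.hiv | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $OutDir 'hashes.csv') -NoTypeInformation

# 2. Triage: enumerate the autostart keys on the live registry.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds provider metadata properties; skip those by name.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }      # key absent on this host
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}

# Review each Command column entry: anything not recognised as a known
# application, or pointing into a user-writable folder, deserves a closer look.
$entries | Format-Table -AutoSize -Wrap
$entries | Export-Csv (Join-Path $OutDir 'autostart.csv') -NoTypeInformation
```

The exported hive files can then be loaded into WRR for the offline analysis covered in outcome 3, while `autostart.csv` gives a quick baseline to compare against a known-clean machine.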

Key terms and descriptions

Registry
A database within the Windows operating system that records settings related to the machine's users, installed programs, and other system settings.
regedit
A tool built into the Windows operating system that allows you to view the registry hives.
SAM
The Security Accounts Manager file of Windows.
SYSTEM
A Windows registry file that holds computer profile settings, including services.
FTK Imager
A free program that can be used to create a forensic image or extract the registry.