Practical Windows Forensics

Overview of this book

Over the last few years, the wave of cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking these attacks and crimes requires a deep understanding of how the operating system works, how to extract evidentiary data from digital evidence, and how to make the best use of digital forensic tools and techniques. Regardless of your level of experience in information security, this book will give you a full introduction to digital forensics. It will provide you with the knowledge needed to collect different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to the approaches used to conduct analysis. We then study various tools for live analysis, and go through different techniques for analyzing volatile and non-volatile data.

The registry structure


The registry has a specific structure, made up of keys and values. It resembles a directory tree: the root keys correspond to root directories, sub-keys correspond to sub-folders, and values correspond to files. Figure 1 depicts the registry structure as shown by the native Windows tool, Registry Editor. This tool can be opened in editable mode by typing regedit.exe in the Run dialog.

The items in the round-edged rectangle are the root keys, while the items in the rectangle below it are the sub-keys. The items inside the oval are the registry values. Each value consists of three parts:

  • Name

  • Type

  • Data

To reach a specific value, the user needs to know the path of the key that holds it. Registry Editor shows the path of the currently selected key in the status bar at the bottom of its window. In our example, the path is Computer\HKEY_CURRENT_USER\Environment:

Figure 1: The main components of the registry
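The same structure can be walked from the command line rather than by clicking through Registry Editor. The following PowerShell script is an added example, not code from the book: it lists the root keys, the sub-keys directly under HKEY_CURRENT_USER, and then the name, type, and data of every value under the key used in the text, HKEY_CURRENT_USER\Environment. It assumes it is run on a Windows host where PowerShell's built-in Registry provider (the HKCU: drive and the Registry:: path) is available; no other modules are needed.

```powershell
# Added example (not from the book): navigate the registry structure with PowerShell.
# Assumes a Windows host with the built-in Registry provider.

# 1. Root keys: the top level of the tree, shown in the round-edged rectangle in Figure 1.
Write-Host "Root keys:"
Get-ChildItem -Path Registry:: | ForEach-Object { "  " + $_.Name }

# 2. Sub-keys: the "sub-folders" directly under HKEY_CURRENT_USER.
Write-Host "`nSub-keys under HKEY_CURRENT_USER:"
Get-ChildItem -Path 'HKCU:\' -Name | ForEach-Object { "  " + $_ }

# 3. Values: open the key from the text and print what regedit shows in its status bar.
$key = Get-Item -Path 'HKCU:\Environment'
Write-Host "`nPath: Computer\$($key.Name)"

# Each value has a Name, a Type (REG_SZ, REG_EXPAND_SZ, REG_DWORD, ...) and Data.
# GetValue expands REG_EXPAND_SZ strings by default; DoNotExpandEnvironmentNames
# returns the stored data as-is, which is what an examiner normally wants to record.
foreach ($name in $key.GetValueNames()) {
    [pscustomobject]@{
        Name = if ($name -eq '') { '(Default)' } else { $name }
        Type = $key.GetValueKind($name)
        Data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    }
}
```

The unnamed value that regedit displays as "(Default)" comes back from GetValueNames as an empty string, which is why the script renames it. Reading the data with DoNotExpandEnvironmentNames matters when the value is of type REG_EXPAND_SZ: the raw string (for example one containing %USERPROFILE%) is the evidence; the expanded form depends on whoever runs the query.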

Root keys

The Windows system, in this case Windows 8.1, has five root keys. Each root key stores different information and settings about...