Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry

Paperback (Print)


Harlan Carvey brings readers an advanced book on Windows Registry. The first book of its kind EVER — Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques will be presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry.

  • Named a 2011 Best Digital Forensics Book by InfoSec Reviews
  • Packed with real-world examples using freely available open source tools
  • Deep explanation and understanding of the Windows Registry – the most difficult part of Windows to analyze forensically
  • Includes a CD containing code and author-created tools discussed in the book

Editorial Reviews

From the Publisher
"As an experienced security architect I’ve been reasonably familiar with the "windows registry" for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous steps of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However, it was not until I read this book I really appreciated the vast amount of information contained in the various registry files. Indeed I was not aware of forensic importance of these files."—Best Digital Forensics Book in InfoSecReviews Book Awards

"It is no exaggeration to say that nearly everything that happens on a Windows system involves the registry—which makes effective examination of the registry absolutely fundamental to good Windows forensics. By devoting a whole book to this critical Windows artifact, Harlan has delivered a much needed resource to everyone doing forensics investigations of Windows systems. What I appreciate about this book, however, is that it is much more than a mere compilation of registry keys important to forensics investigation. This is a book about how to examine the registry, and it is a good one."—Troy Larson, Principal Forensic Program Manager, Network Security Investigations, Microsoft

"Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case. Harlan Carvey steps the reader through critical analysis techniques recovering key evidence of activity of suspect user accounts or intrusion-based malware. Using his extensive experience and research, Harlan's case studies provide behind-the-scenes details that enable every analyst to utilize these techniques immediately in their own investigations. This book is a must have reference for current forensic knowledge of the Microsoft Registry Windows XP through Windows 7 and should become core knowledge for any serious digital forensic investigator."—Rob Lee, SANS Institute

"Useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations…. Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey’s conversational writing style makes the book easy to read...."—Digital Forensics Magazine

"This guide to digital forensics on computers running the Microsoft Windows operating system provides detailed information on the analysis of the Windows registry to detect intrusion and document user actions. The work is divided into three sections beginning with an overview of the registry structure and following with a discussion of registry analysis tools and concluding with an in depth case study of a registry forensics project. Each section includes answers to frequently asked questions and a selection of references for further reading. Illustrations, code examples, tips and warning notes are provided throughout and an accompanying CD-ROM provides copies of registry analysis tools created by the author. Carvey is a computer forensics consultant."—Book News, Reference & Research

"As an experienced security architect I’ve been reasonably familiar with the ‘windows registry’ for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous steps of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However it was not until I read this book I really appreciated the vast amount of information contained in the various registry files. Indeed I was not aware of forensics importance of these files….. An extremely useful book to a forensics investigator, even an experienced one. I would not hesitate in recommending this book to anyone…"—


Product Details

  • ISBN-13: 9781597495806
  • Publisher: Elsevier Science
  • Publication date: 2/7/2011
  • Pages: 248
  • Product dimensions: 7.40 (w) x 9.10 (h) x 0.80 (d)

Meet the Author

Harlan Carvey (CISSP) is a Vice President of Advanced Security Projects with Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure and “cloud computing” services, based in Miami, FL. Harlan is a key contributor to the Engagement Services practice, providing disk forensics analysis, consulting, and training services to both internal and external customers. Harlan has provided forensic analysis services for the hospitality industry, financial institutions, as well as federal government and law enforcement agencies. Harlan’s primary areas of interest include research and development of novel analysis solutions, with a focus on Windows platforms.
Harlan holds a bachelor’s degree in electrical engineering from the Virginia Military Institute and a master’s degree in the same discipline from the Naval Postgraduate School. Harlan resides in Northern Virginia with his family.


Read an Excerpt

Windows Registry Forensics

Advanced Digital Forensic Analysis of the Windows Registry
By Harlan Carvey


Copyright © 2011 Elsevier, Inc.
All rights reserved.

ISBN: 978-1-59749-581-3

Chapter One



• What Is "Registry Analysis"?

• What Is the Windows Registry?

• Registry Structure


The Windows Registry is a core component of the Windows operating systems, and it maintains a considerable amount of configuration information about the system. In addition, the Registry maintains historical information about user activity; in order to provide the user with a "better", more personalized experience, the Registry maintains details about applications installed and opened, as well as window positions and sizes. This information is maintained within the Registry in a manner similar to a log file. By this, I mean that there's a great deal of time-stamped information maintained in the Registry, including, but not limited to:

• When a user opened an application or accessed a Control Panel applet

• The last time the system connected to a particular wireless access point

• When a graphic image viewing application was used to access a particular file

All of this information can be extremely valuable to a forensic analyst, particularly when attempting to establish a timeline of activity on a system. A wide range of cases would benefit greatly from information derived or extracted from the Registry if the analyst was aware of the information and how to best exploit or make use of it.

Information in the Registry can have a much greater effect on an examination than I think most analysts really realize. There are many Registry values that can have a significant impact on how the system behaves; for example, there is a Registry value that, on Windows XP and 2003 systems, tells the operating system to stop updating a file's last access time so that whenever a file is opened (albeit nothing changed) for viewing or searching, the time stamp is not updated accordingly. And oh, yeah ... this is enabled by default on Vista, as well as Windows 2008 and Windows 7 systems. A few other examples of Registry values that can impact an examination include (but are not limited to) the following:

• Alter or disable File System Tunneling

• Modify System Crash Dump, Prefetcher, and System Restore Point behavior

• Clear the page file when the system is shut down

• Enable or disable Event log auditing

• Enable or disable the Windows firewall


"File system tunneling" refers to an operating system's ability to "hold onto" file system metadata for a short period of time. How this can affect an analyst's examination is that if a file is deleted and then another file created in relatively short order that reuses the directory entry for the deleted file, the second file will actually take on the metadata (time stamps) for the previous file. It turns out that this also works for file renaming operations, as well, according to Microsoft. In short, when a file is removed from a directory, either by deleting or by renaming the file, the metadata for that file is temporarily cached. If, within a predefined amount of time (15 s by default), another file is added to that directory with the same name, the cached information is reused. This capability is meant for compatibility with earlier DOS programs that require the functionality and would affect an examination by providing false information about the creation date of a file in an analyst's timeline. The file system tunneling functionality can be controlled or simply disabled through specific Registry values.

There are a number of other values that can have a significant impact (possibly detrimental) on what an analyst sees during disk and file system analysis. Some of these values do not actually exist within the Registry by default and therefore must be added, usually in accordance with a Microsoft Knowledge Base (KB) article. At the very least, understanding these values and how they affect the overall system can add context to what the analyst observes in other areas of their examination.


The Windows Registry contains a number of values that significantly impact system behavior. For example, an analyst may receive an image for analysis and determine that the Prefetch directory contains no Prefetch (*.pf) files. Registry values of interest, in such a case, would include those that identify the operating system and version; by default, Windows XP, Vista, and Windows 7 will perform application prefetching (and generate *.pf files). However, Windows 2003 does not perform application prefetching (although it can be configured to do so) by default. The Prefetcher itself can also be disabled, per MS KB article 307498 [2]. This same value can be used to enable or disable application prefetching on Windows XP, Vista, and Windows 7 systems.
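As an added illustration (not code from the book or its CD), the Python sketch below reads a constructed .reg-format export of an offline SYSTEM hive and reports the settings discussed above that change how file system artifacts should be read. The key paths and value names (NtfsDisableLastAccessUpdate, MaximumTunnelEntries, MaximumTunnelEntryAgeInSeconds, EnablePrefetcher, ClearPageFileAtShutdown) are Windows names the excerpt does not spell out; the function names and sample data are hypothetical.

```python
import re

# Constructed sample (not from the book): .reg-format text export of a few
# keys from an offline SYSTEM hive, shown here under HKLM\SYSTEM.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000001
"MaximumTunnelEntries"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000000
"""

ROOT = r"hkey_local_machine\system"
# Defaults as stated in the excerpt: last-access updates are off by default on
# Vista/2008/7; application prefetching is on by default on XP/Vista/7, not 2003.
LAST_ACCESS_OFF_BY_DEFAULT = {"vista", "2008", "7"}
PREFETCH_DEFAULT = {"xp": 3, "vista": 3, "7": 3, "2003": 2}

def parse_reg_dwords(text):
    """Return {key_path_lower: {value_name_lower: int}} for DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def examination_settings(text, os_name):
    """Resolve the active control set, then read the values that alter artifacts."""
    keys = parse_reg_dwords(text)
    current = keys.get(ROOT + r"\select", {}).get("current")
    if current is None:
        raise ValueError("Select\\Current not found; cannot pick the control set")
    control = "%s\\controlset%03d\\control" % (ROOT, current)
    fs = keys.get(control + r"\filesystem", {})
    mm = keys.get(control + r"\session manager\memory management", {})
    pf = keys.get(control + r"\session manager\memory management\prefetchparameters", {})
    default_off = 1 if os_name in LAST_ACCESS_OFF_BY_DEFAULT else 0
    prefetch = pf.get("enableprefetcher", PREFETCH_DEFAULT.get(os_name))
    return {
        "control_set": "ControlSet%03d" % current,
        "last_access_updated": fs.get("ntfsdisablelastaccessupdate", default_off) != 1,
        "tunneling_enabled": fs.get("maximumtunnelentries", 1) != 0,
        "tunnel_age_seconds": fs.get("maximumtunnelentryageinseconds", 15),
        # Bit 0 of EnablePrefetcher is application prefetching; None = unknown.
        "app_prefetch": None if prefetch is None else bool(prefetch & 1),
        "pagefile_cleared_at_shutdown": mm.get("clearpagefileatshutdown", 0) == 1,
    }

def caveats(s):
    """Turn the settings into notes an analyst would attach to a timeline."""
    notes = []
    if not s["last_access_updated"]:
        notes.append("Last-access times are not maintained; do not read them as 'last opened'.")
    if s["tunneling_enabled"]:
        notes.append("Tunneling on: a file recreated or renamed within %d s can "
                     "inherit an older creation time." % s["tunnel_age_seconds"])
    if s["app_prefetch"] is False:
        notes.append("Application prefetching is off: an empty Prefetch directory is expected.")
    if s["pagefile_cleared_at_shutdown"]:
        notes.append("Page file is cleared at shutdown; expect little content in pagefile.sys.")
    return notes

if __name__ == "__main__":
    settings = examination_settings(SAMPLE_REG, "xp")
    print(settings["control_set"])
    print("\n".join("- " + note for note in caveats(settings)))
```

When a value is absent from the export, the sketch falls back to the per-version defaults the excerpt states, which is why the operating system version has to be established first.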

The purposes of this book are to draw back the veil of mystery that has been laid over the Registry, and to illustrate just how valuable a forensic resource the Registry can really be during malware, intrusion, or data breach examinations, to name just a few. The Windows Registry contains a great deal of extremely valuable information that can provide significant context to a wide range of investigations.

What Is "Registry Analysis"?

When examining an acquired image, an analyst will many times include "Registry analysis" as one of their analysis steps. You'll see this mentioned during initial calls, listed in reports, mentioned during final close-out of a project or analysis engagement, and discussed online. Most times, this will amount to opening a Registry hive file in a viewer application and looking at the contents of a couple of the more well-known Registry keys or locating a couple of values. Sometimes, the keys examined are pulled from the analyst's previous experience, and in other cases, they may be part of an analysis plan or standard operating procedure for the organization. This list may expand to a significant number of Registry keys, and be included in a checklist or spreadsheet.

However, does this really constitute "Registry analysis"? I mean ... really? When someone says "disk analysis," it usually constitutes much more than just looking at the disk itself, or just accessing the disk via the appropriate write-blocking hardware. Usually, the word analysis refers to (or infers) examining something from various angles and degrees, in an attempt to determine the context of the object of our attention in relation to other information or data from the same or other sources. The same holds true for the Windows Registry. There's much more to "Registry analysis" than simply looking at a couple of keys or values.

How does this approach differ from more "traditional" Registry analysis? The approach to Registry analysis has traditionally been one of looking at a specific key or at several specific values, and this approach has long been reflected in commercial tools. Commercial forensic analysis applications tend or attempt to represent the Registry in much the same manner as one would expect to see it on a live system (with obvious limitations, of course, all of which we will discuss later in this chapter and throughout the book), providing a layer of abstraction to the analyst through that representation. Looking at a specific key or value may answer a specific question for the analyst, but how often is that all we're really looking for? Registry keys and/or values may be pertinent in and of themselves, but more and more, they are simply part of the story, rather than being the entire story themselves. Don't misunderstand; there will be times when one Registry key or value is all you need. However, what I'm trying to convey here is that there is much more information and context available, so don't stop at just that key or value because you may think that's all you need, or that's all that you have available to you.

In short, "Registry analysis" can run across a spectrum of activities, from extracting specific key and/or value information to searching within the Registry and correlating data retrieved from different areas of the Registry. All of these activities can constitute the scope of "analysis," although both analysis and the examination itself may often benefit from something more. For example, what do certain Registry keys or values mean within the context of others? As we mentioned earlier in this chapter, a specific Registry value controls whether or not the operating system updates a file's last access times; so, how does this affect an analyst attempting to determine when a particular image file was viewed? If an analyst understands what information is maintained in the Registry, he/she will then be able to determine not only which user on the system viewed the image but also which application and when. Or, consider a flag value within a Registry value that determines whether or not a password is required for a user account. Is that flag value sufficient, or should the analyst check to see if the user account actually has a password (this is covered in detail in Chapter 3, "Case Studies: The System")?

Also, there may be far more information within the Windows Registry than meets the eye, particularly when the Registry is presented to the analyst via the abstraction layer of a viewing application. Much like files within a file system, Registry keys and values that are deleted do not simply disappear; as we'll see, the Registry files can contain significant information within the unallocated space of the files themselves.

Throughout the rest of this book, we're not going to be looking so much at this Registry key or that Registry value; rather, in most (albeit not all) instances, we'll be interested in examining the Registry as part of a postmortem analysis and as such, we'll use Registry analysis to help us determine not only the context of what we're looking at but also how that object of our attention plays into the overall context of our analysis. That context may be determined based on the analysis of other Registry keys and values, or it may be dependent upon other objects, such as file system metadata, Windows Event log records, entries in other logs, and so on.

Analysis Concepts

Before we talk about Registry analysis specifically, there are a few analysis concepts that we need to discuss that are pertinent to examinations as a whole. Keeping these concepts in mind can be extremely beneficial when performing digital analysis in general.

Locard's Exchange Principle

Dr. Edmund Locard was a French scientist who formulated the basic forensic principle that every contact leaves a trace. This means that in the physical world, when two objects come into contact, some material is transferred from one to the other and vice versa. We can see this demonstrated all around us, every day ... let's say you get a little too close to a concrete stanchion while trying to parallel park your car. As the car scrapes along the stanchion, paint from the car body is left on the stanchion, and concrete and paint from the stanchion become embedded in the scrapes on the car.

Interestingly enough, the same holds true in the digital world. When malware infects a system, there is usually some means by which it arrives on the system, such as a browser "drive-by" infection via a network share, USB thumb drive, or an e-mail attachment. When an intruder accesses a system, there is some artifact such as a network connection or activity on the target system, and the target system will contain some information about the system from which the intruder originated. Some of this information may be extremely volatile, meaning that it only remains visible to the operating system (and hence, an analyst) for a short period of time. However, remnants of that artifact may persist for a considerable amount of time.


Almost any interaction with a Windows system, particularly through the Windows Explorer graphical interface, will leave a trace. These indications are not always in the Registry, and they may not persist for very long, but there will be something, somewhere. It's simply a matter of knowing what to look for and where, and having the right tools to gain access to the information and an understanding of how to interpret it correctly.

The quote, "absence of evidence is not evidence of absence," is attributed to the astrophysicist Dr. Carl Sagan and can be applied to digital forensics, as well. Essentially, if an analyst understands the nature of a user's interaction with a Windows system, then the lack or absence of an artifact where one is expected to be is itself an artifact. During a recent examination, I was trying to determine a user's access to files on the system and could not find the RecentDocs (this key will be discussed in greater detail in Chapter 4, "Case Studies: Tracking User Activity") key within the user's NTUSER.dat hive file; RegRipper did not find it, and I could not locate the key manually. As it turns out, the user had run the "Window Washer" application, which reportedly clears the list of recently accessed documents. The time associated with the user launching the application (derived from the user's UserAssist key) corresponded to the LastWrite time on the RecentDocs parent key.


Excerpted from Windows Registry Forensics by Harlan Carvey. Copyright © 2011 by Elsevier, Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

  • Chapter 1. Registry Analysis
  • Chapter 2. Tools
  • Chapter 3. Case Studies: The System
  • Chapter 4. Case Studies: Tracking User Activity


Customer Reviews

Average Rating 4.5
( 6 )
  • Posted February 29, 2012


    Are you interested in the forensic analysis of Windows systems? If you are, then this book is for you! Author Harlan Carvey has done an outstanding job of writing a book that focuses on the Registry found on the Windows NT family of operating systems, from Windows XP, through Windows 2003, Vista, Windows 2008 and Windows 7. Author Carvey begins by addressing the topic of Registry analysis overall and what goes into it. In addition, the author discusses a number of tools that are used in Registry analysis. He then shows you how various keys and values have had a significant impact on various examinations, and how they can be used in conjunction with other data to further your analysis, and allow you to succinctly achieve your goals. Finally, the author shows you how to track user activity, with detailed emphasis on RegRipper plug-ins, MRU lists, run, temporal proximity, USB devices, XPMode, time stamps, RecentDocs, DisableMRU, searches, ComDlg32, historical data, shellbags, USRCLASS.dat, BagMRU Plugins, UserAssist, Vigenere encryption, run count, time references, XPMode and UserAssist, noninstrumentation, MuiCache, MuiCache key historical data, file associations, scenarios, Trojan defense, connecting to other systems and preserving privacy. The goal of this most excellent book is to illustrate the immense value that can be derived through Registry analysis. Perhaps more importantly, the CD that accompanies this book contains several tools that have executable versions (compiled with Perl2Exe), so that you do not have to install Perl to run the tools.

    1 out of 1 people found this review helpful.

  • Anonymous

    Posted February 5, 2013


    Does the registry include wolf packs or other groups?

  • Anonymous

    Posted February 5, 2013

    To "question"

    If you want it to then yes. But please specify what type of clan you are

  • Anonymous

    Posted February 5, 2013

    Question for national warriors thing

    What's th about
