Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry

by Harlan Carvey

Harlan Carvey brings readers an advanced book on Windows Registry. The first book of its kind EVER -- Windows Registry Forensics provides the background of the Registry to help develop an understanding of the binary structure of Registry hive files. Approaches to live response and analysis are included, and tools and techniques for postmortem analysis are discussed at length. Tools and techniques will be presented that take the analyst beyond the current use of viewers and into real analysis of data contained in the Registry.

  • Named a 2011 Best Digital Forensics Book by InfoSec Reviews
  • Packed with real-world examples using freely available open source tools
  • Deep explanation and understanding of the Windows Registry – the most difficult part of Windows to analyze forensically
  • Includes a CD containing code and author-created tools discussed in the book

Editorial Reviews

From the Publisher

"As an experienced security architect I’ve been reasonably familiar with the "windows registry" for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous steps of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However, it was not until I read this book that I really appreciated the vast amount of information contained in the various registry files. Indeed I was not aware of the forensic importance of these files."--Best Digital Forensics Book in InfoSecReviews Book Awards

"It is no exaggeration to say that nearly everything that happens on a Windows system involves the registry—which makes effective examination of the registry absolutely fundamental to good Windows forensics. By devoting a whole book to this critical Windows artifact, Harlan has delivered a much needed resource to everyone doing forensics investigations of Windows systems. What I appreciate about this book, however, is that it is much more than a mere compilation of registry keys important to forensics investigation. This is a book about how to examine the registry, and it is a good one."--Troy Larson, Principal Forensic Program Manager, Network Security Investigations, Microsoft

"Windows Registry Forensics provides extensive proof that registry examination is critical to every digital forensic case. Harlan Carvey steps the reader through critical analysis techniques recovering key evidence of activity of suspect user accounts or intrusion-based malware. Using his extensive experience and research, Harlan's case studies provide behind-the-scenes details that enable every analyst to utilize these techniques immediately in their own investigations. This book is a must have reference for current forensic knowledge of the Microsoft Registry Windows XP through Windows 7 and should become core knowledge for any serious digital forensic investigator."--Rob Lee, SANS Institute

"Useful to beginning and intermediate practitioners, but even advanced examiners may find registry information here that they were not previously aware of. Anyone working in digital forensics or incident response who has not made registry examination integral to their process must read and absorb this book. The information is vital to Windows examinations…. Windows Registry Forensics easily succeeds in its mission to convey the value of integrating registry examination into the forensic process. It provides valuable information relevant to a wide range of investigations. And Mr. Carvey’s conversational writing style makes the book easy to read...."--Digital Forensics Magazine

"This guide to digital forensics on computers running the Microsoft Windows operating system provides detailed information on the analysis of the Windows registry to detect intrusion and document user actions. The work is divided into three sections beginning with an overview of the registry structure and following with a discussion of registry analysis tools and concluding with an in depth case study of a registry forensics project. Each section includes answers to frequently asked questions and a selection of references for further reading. Illustrations, code examples, tips and warning notes are provided throughout and an accompanying CD-ROM provides copies of registry analysis tools created by the author. Carvey is a computer forensics consultant."--Book News, Reference & Research

"As an experienced security architect I’ve been reasonably familiar with the ‘windows registry’ for many years and have frequently used regedit to look at various keys and values (and have sometimes even taken the dangerous steps of changing values!). In my vast library I also have a number of books describing the registry, although I have to say they are somewhat ancient. However, it was not until I read this book that I really appreciated the vast amount of information contained in the various registry files. Indeed I was not aware of the forensic importance of these files… An extremely useful book to a forensics investigator, even an experienced one. I would not hesitate in recommending this book to anyone…"

Product Details

Publisher: Elsevier Science
Sold by: Barnes & Noble
File size: 3 MB

Read an Excerpt

Windows Registry Forensics

Advanced Digital Forensic Analysis of the Windows Registry
By Harlan Carvey


Copyright © 2011 Elsevier, Inc.
All rights reserved.

ISBN: 978-1-59749-581-3

Chapter One

• What Is "Registry Analysis"?

• What Is the Windows Registry?

• Registry Structure


The Windows Registry is a core component of the Windows operating systems, and it maintains a considerable amount of configuration information about the system. In addition, the Registry maintains historical information about user activity; in order to provide the user with a "better", more personalized experience, the Registry maintains details about applications installed and opened, as well as window positions and sizes. This information is maintained within the Registry in a manner similar to a log file. By this, I mean that there's a great deal of time-stamped information maintained in the Registry, including, but not limited to:

• When a user opened an application or accessed a Control Panel applet

• The last time the system connected to a particular wireless access point

• When a graphic image viewing application was used to access a particular file

All of this information can be extremely valuable to a forensic analyst, particularly when attempting to establish a timeline of activity on a system. A wide range of cases would benefit greatly from information derived or extracted from the Registry if the analyst was aware of the information and how to best exploit or make use of it.

Information in the Registry can have a much greater effect on an examination than I think most analysts really realize. There are many Registry values that can have a significant impact on how the system behaves; for example, there is a Registry value that, on Windows XP and 2003 systems, tells the operating system to stop updating a file's last access time, so that whenever a file is opened (albeit nothing changed) for viewing or searching, the time stamp is not updated accordingly. And oh, yeah ... this is enabled by default on Vista, as well as Windows 2008 and Windows 7 systems. A few other examples of Registry values that can impact an examination include (but are not limited to) the following:

• Alter or disable File System Tunneling

• Modify System Crash Dump, Prefetcher, and System Restore Point behavior

• Clear the page file when the system is shut down

• Enable or disable Event log auditing

• Enable or disable the Windows firewall


"File system tunneling" refers to an operating system's ability to "hold onto" file system metadata for a short period of time. How this can affect an analyst's examination is that if a file is deleted and then another file created in relatively short order that reuses the directory entry for the deleted file, the second file will actually take on the metadata (time stamps) for the previous file. It turns out that this also works for file renaming operations, as well, according to Microsoft. In short, when a file is removed from a directory, either by deleting or by renaming the file, the metadata for that file is temporarily cached. If, within a predefined amount of time (15 s by default), another file is added to that directory with the same name, the cached information is reused. This capability is meant for compatibility with earlier DOS programs that require the functionality and would affect an examination by providing false information about the creation date of a file in an analyst's timeline. The file system tunneling functionality can be controlled or simply disabled through specific Registry values.

There are a number of other values that can have a significant impact (possibly detrimental) on what an analyst sees during disk and file system analysis. Some of these values do not actually exist within the Registry by default and therefore must be added, usually in accordance with a Microsoft Knowledge Base (KB) article. At the very least, understanding these values and how they affect the overall system can add context to what the analyst observes in other areas of their examination.


The Windows Registry contains a number of values that significantly impact system behavior. For example, an analyst may receive an image for analysis and determine that the Prefetch directory contains no Prefetch (*.pf) files. Registry values of interest, in such a case, would include those that identify the operating system and version; by default, Windows XP, Vista, and Windows 7 will perform application prefetching (and generate *.pf files). However, Windows 2003 does not perform application prefetching (although it can be configured to do so) by default. The Prefetcher itself can also be disabled, per MS KB article 307498 [2]. This same value can be used to enable or disable application prefetching on Windows XP, Vista, and Windows 7 systems.

The purposes of this book are to draw back the veil of mystery that has been laid over the Registry, and to illustrate just how valuable a forensic resource, the Registry, can really be during malware, intrusion, or data breach examinations, to name just a few. The Windows Registry contains a great deal of extremely valuable information that can provide significant context to a wide range of investigations.

What Is "Registry Analysis"?

When examining an acquired image, an analyst will many times include "Registry analysis" as one of their analysis steps. You'll see this mentioned during initial calls, listed in reports, mentioned during final close-out of a project or analysis engagement, and discussed online. Most times, this will amount to opening a Registry hive file in a viewer application and looking at the contents of a couple of the more well-known Registry keys or locating a couple of values. Sometimes, the keys examined are pulled from the analyst's previous experience, and in other cases, they may be part of an analysis plan or standard operating procedure for the organization. This list may expand to a significant number of Registry keys, and be included in a checklist or spreadsheet.

However, does this really constitute "Registry analysis"? I mean ... really? When someone says "disk analysis," it usually constitutes much more than just looking at the disk itself, or just accessing the disk via the appropriate write-blocking hardware. Usually, the word analysis refers to (or infers) examining something from various angles and degrees, in an attempt to determine the context of the object of our attention in relation to other information or data from the same or other sources. The same holds true for the Windows Registry. There's much more to "Registry analysis" than simply looking at a couple of keys or values.

How does this approach differ from more "traditional" Registry analysis? The approach to Registry analysis has traditionally been one of looking at a specific key or at several specific values, and this approach has long been reflected in commercial tools. Commercial forensic analysis applications tend or attempt to represent the Registry in much the same manner as one would expect to see it on a live system (with obvious limitations, of course, all of which we will discuss later in this chapter and throughout the book), providing a layer of abstraction to the analyst through that representation. Looking at a specific key or value may answer a specific question for the analyst, but how often is that all we're really looking for? Registry keys and/or values may be pertinent in and of themselves, but more and more, they are simply part of the story, rather than being the entire story themselves. Don't misunderstand; there will be times when one Registry key or value is all you need. However, what I'm trying to convey here is that there is much more information and context available, so don't stop at just that key or value because you may think that's all you need, or that's all that you have available to you.

In short, "Registry analysis" can run across a spectrum of activities, from extracting specific key and/or value information to searching within the Registry and correlating data retrieved from different areas of the Registry. All of these activities can constitute the scope of "analysis," although both analysis and the examination itself may often benefit from something more. For example, what do certain Registry keys or values mean within the context of others? As we mentioned earlier in this chapter, a specific Registry value controls whether or not the operating system updates a file's last access times; so, how does this affect an analyst attempting to determine when a particular image file was viewed? If an analyst understands what information is maintained in the Registry, he/she will then be able to determine not only which user on the system viewed the image but also which application and when. Or, consider a flag value within a Registry value that determines whether or not a password is required for a user account. Is that flag value sufficient, or should the analyst check to see if the user account actually has a password (this is covered in detail in Chapter 3, "Case Studies: The System")?

Also, there may be far more information within the Windows Registry than meets the eye, particularly when the Registry is presented to the analyst via the abstraction layer of a viewing application. Much like files within a file system, Registry keys and values that are deleted do not simply disappear; as we'll see, the Registry files can contain significant information within the unallocated space of the files themselves.

Throughout the rest of this book, we're not going to be looking so much at this Registry key or that Registry value; rather, in most (albeit not all) instances, we'll be interested in examining the Registry as part of a postmortem analysis and as such, we'll use Registry analysis to help us determine not only the context of what we're looking at but also how that object of our attention plays into the overall context of our analysis. That context may be determined based on the analysis of other Registry keys and values, or it may be dependent upon other objects, such as file system metadata, Windows Event log records, entries in other logs, and so on.

Analysis Concepts

Before we talk about Registry analysis specifically, there are a few analysis concepts that we need to discuss that are pertinent to examinations as a whole. Keeping these concepts in mind can be extremely beneficial when performing digital analysis in general.

Locard's Exchange Principle

Dr. Edmund Locard was a French scientist, who formulated the basic forensic principle that every contact leaves a trace. This means that in the physical world, when two objects come into contact, some material is transferred from one to the other and vice versa. We can see this demonstrated all around us, every day ... let's say you get a little too close to a concrete stanchion while trying to parallel park your car. As the car scrapes along the stanchion, paint from the car body is left on the stanchion and concrete, and paint from the stanchion becomes embedded in the scrapes on the car.

Interestingly enough, the same holds true in the digital world. When malware infects a system, there is usually some means by which it arrives on the system, such as a browser "drive-by" infection via a network share, USB thumb drive, or an e-mail attachment. When an intruder accesses a system, there is some artifact such as a network connection or activity on the target system, and the target system will contain some information about the system from which the intruder originated. Some of this information may be extremely volatile, meaning that it only remains visible to the operating system (and hence, an analyst) for a short period of time. However, remnants of that artifact may persist for a considerable amount of time.


Almost any interaction with a Windows system, particularly through the Windows Explorer graphical interface, will leave a trace. These indications are not always in the Registry, and they may not persist for very long, but there will be something, somewhere. It's simply a matter of knowing what to look for and where, and having the right tools to gain access to, and understanding of how to correctly interpret the information.

The quote, "absence of evidence is not evidence of absence," is attributed to the astrophysicist Dr. Carl Sagan and can be applied to digital forensics, as well. Essentially, if an analyst understands the nature of a user's interaction with a Windows system, then the lack or absence of an artifact where one is expected to be is itself an artifact. During a recent examination, I was trying to determine a user's access to files on the system and could not find the RecentDocs (this key will be discussed in greater detail in Chapter 4, "Case Studies: Tracking User Activity") key within the user's NTUSER.dat hive file; RegRipper did not find it, and I could not locate the key manually. As it turns out, the user had run the "Window Washer" application, which reportedly clears the list of recently accessed documents. The time associated with the user launching the application (derived from the user's UserAssist key) corresponded to the LastWrite time on the RecentDocs parent key.


Excerpted from Windows Registry Forensics by Harlan Carvey. Copyright © 2011 by Elsevier, Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
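The chapter above argues that deleted keys do not simply disappear and that a key's LastWrite time can stand in for evidence that has been wiped. The following is an added example, not code from the book or from RegRipper: a minimal Python reader for the binary hive format that parses the regf base block, walks every cell in each hbin, and reports each nk key node with its LastWrite time, including nodes whose cell has been freed (the unallocated space the chapter refers to). The hive it parses is constructed inline as sample data; the cell and header offsets follow the documented regf/nk layout, and the key names, timestamps and sequence numbers are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HBIN_BASE = 0x1000   # the first hive bin starts 4096 bytes into the file

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    td = dt - EPOCH_1601          # exact integer arithmetic, no float rounding
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def parse_regf_header(data):
    """Read the 'regf' base block: sequence numbers, LastWrite, version, root cell."""
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    seq1, seq2, ts, major, minor = struct.unpack_from("<IIQII", data, 4)
    root_cell, bins_size = struct.unpack_from("<II", data, 36)
    return {"seq_consistent": seq1 == seq2,   # unequal => hive was not cleanly flushed
            "last_written": filetime_to_dt(ts), "version": f"{major}.{minor}",
            "root_cell": root_cell, "bins_size": bins_size}

def walk_nk_cells(data):
    """Yield every 'nk' (key node) cell in every hbin, allocated or freed (deleted)."""
    hdr = parse_regf_header(data)
    pos, end = HBIN_BASE, HBIN_BASE + hdr["bins_size"]
    while pos + 32 <= end and data[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", data, pos + 8)[0]
        cell = pos + 32                      # first cell follows the 32-byte hbin header
        while cell + 4 <= pos + hbin_size:
            size = struct.unpack_from("<i", data, cell)[0]   # negative = allocated cell
            if size == 0:
                break                        # rest of this bin is untouched padding
            body = data[cell + 4:cell + abs(size)]
            if body[:2] == b"nk" and len(body) >= 0x4C:
                flags, ts = struct.unpack_from("<HQ", body, 2)
                parent, nsub = struct.unpack_from("<II", body, 0x10)
                nlen = struct.unpack_from("<H", body, 0x48)[0]
                raw = body[0x4C:0x4C + nlen]
                name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")
                yield {"offset": cell - HBIN_BASE, "name": name, "allocated": size < 0,
                       "last_write": filetime_to_dt(ts), "parent": parent, "subkeys": nsub}
            cell += abs(size)
        pos += hbin_size

def build_sample_hive():
    """Constructed two-key hive (not a real file): an allocated ROOT plus a freed RecentDocs."""
    def nk_cell(name, when, allocated, parent=0):
        body = bytearray(0x4C)
        struct.pack_into("<2sHQ", body, 0, b"nk", 0x20, dt_to_filetime(when))  # 0x20 = ASCII name
        struct.pack_into("<I", body, 0x10, parent)
        struct.pack_into("<H", body, 0x48, len(name))
        body += name.encode("ascii")
        size = (4 + len(body) + 7) & ~7   # cells are 8-byte aligned
        return (struct.pack("<i", -size if allocated else size) + bytes(body)).ljust(size, b"\0")

    utc = timezone.utc
    root_ts = datetime(2011, 1, 3, 9, 0, tzinfo=utc)
    root = nk_cell("ROOT", root_ts, True)
    gone = nk_cell("RecentDocs", datetime(2010, 12, 20, 17, 30, tzinfo=utc), False, parent=0x20)
    hbin = bytearray(struct.pack("<4sII", b"hbin", 0, 0x1000)).ljust(32, b"\0")
    hbin = (hbin + root + gone).ljust(0x1000, b"\0")
    header = bytearray(HBIN_BASE)
    struct.pack_into("<4sIIQII", header, 0, b"regf", 7, 7, dt_to_filetime(root_ts), 1, 3)
    struct.pack_into("<IIII", header, 28, 0, 1, 0x20, 0x1000)  # type, format, root cell, bins size
    return bytes(header) + bytes(hbin)
```

Run against a real NTUSER.DAT the walker lists freed nk cells alongside live ones, so a key that a viewer no longer shows can still be matched by name and LastWrite time to a UserAssist launch timestamp, as in the Window Washer case above.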

Meet the Author

Harlan Carvey is a senior information security researcher with the Dell SecureWorks Counter Threat Unit - Special Ops (CTU-SO) team, where his efforts are focused on targeted threat hunting, response, and research. He continues to maintain a passion and focus in analyzing Windows systems, and in particular, the Windows Registry.

Harlan is an accomplished author, public speaker, and open source tool author. He dabbles in other activities, including home brewing and horseback riding. As a result, he has become quite adept at backing up and parking a horse trailer.

Harlan earned a bachelor’s degree in electrical engineering from the Virginia Military Institute, and a master’s degree in the same discipline from the Naval Postgraduate School. He served in the United States Marine Corps, achieving the rank of captain before departing the service. He resides in Northern Virginia with his family.

Customer Reviews

Are you interested in the forensic analysis of Windows systems? If you are, then this book is for you! Author Harlan Carvey has done an outstanding job of writing a book that focuses on the Registry found on the Windows NT family of operating systems, from Windows XP through Windows 2003, Vista, Windows 2008 and Windows 7. Author Carvey begins by addressing the topic of Registry analysis overall and what goes into it. In addition, the author discusses a number of tools that are used in Registry analysis. He then shows you how various keys and values have had a significant impact on various examinations, and how they can be used in conjunction with other data to further your analysis and allow you to succinctly achieve your goals. Finally, the author shows you how to track user activity, with detailed emphasis on RegRipper plug-ins, MRU lists, run, temporal proximity, USB devices, XPMode, time stamps, RecentDocs, DisableMRU, searches, ComDlg32, historical data, shellbags, USRCLASS.dat, BagMRU plugins, UserAssist, Vigenere encryption, run count, time references, XPMode and UserAssist, noninstrumentation, MuiCache, MuiCache key historical data, file associations, scenarios, Trojan defense, connecting to other systems and preserving privacy. The goal of this most excellent book is to illustrate the immense value that can be derived through Registry analysis. Perhaps more importantly, the CD that accompanies this book contains several tools that have executable versions (compiled with Perl2Exe), so that you do not have to install Perl to run the tools.
Anonymous More than 1 year ago