These registry hives and their on-disk locations are the starting point for gathering forensic information from a Windows system. The hive files are held open by the kernel while Windows is running, so on a live system they must be exported (reg.exe save) or read from a Volume Shadow Copy rather than copied directly.

Standard Registry Hives (Located in C:\Windows\System32\Config)

  1. DEFAULT: Loaded as HKEY_USERS\.DEFAULT. This is the profile used by the LocalSystem account and the logon screen, not the template for new user profiles (that lives in C:\Users\Default\NTUSER.DAT).
  2. SAM (Security Account Manager): Local user and group accounts with their NT password hashes, loaded as HKLM\SAM. The hashes are encrypted with the boot key held in the SYSTEM hive, so SAM and SYSTEM must be collected together to recover them.
  3. SECURITY: Local security and audit policy, LSA secrets (service account passwords, DPAPI machine keys) and cached domain logon credentials (MSCache), loaded as HKLM\SECURITY. Decrypting its contents also requires the SYSTEM boot key.
  4. SOFTWARE: Installed applications, OS version and install date (Microsoft\Windows NT\CurrentVersion), the list of user profiles and their SIDs (ProfileList), known networks (NetworkList) and machine-wide autostart keys (Run, RunOnce), loaded as HKLM\SOFTWARE.
  5. SYSTEM: The control sets (the Select key records which one is current), services and drivers, computer name, time zone, USB device history (USBSTOR), mounted volumes (MountedDevices) and the AppCompatCache (ShimCache) of executables the system has seen, loaded as HKLM\SYSTEM.

User-Specific Hives

  1. NTUSER.DAT: Located at C:\Users\<username>\NTUSER.DAT and loaded as HKEY_USERS\<SID> (HKEY_CURRENT_USER for the interactive user). Holds per-user activity artifacts: RecentDocs, UserAssist (program execution counts and last run times), TypedPaths, WordWheelQuery (Explorer searches) and the per-user Run and RunOnce keys.
  2. USRCLASS.DAT: Located at C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat and loaded as HKEY_USERS\<SID>_Classes. Holds ShellBags (folder view settings that record folders a user browsed, including ones on removable media, network shares or since deleted) and MUICache.

Additional Forensic Hive

  1. Amcache.hve: Located at C:\Windows\appcompat\Programs\Amcache.hve (Windows 8 and later). Maintained by the application compatibility infrastructure, it records executables and installed programs with their full path and a SHA-1 hash of the file. The hash covers at most the first 31 MB of the file, so it will not match a full-file hash for larger binaries. It is primarily evidence of presence on disk; corroborate execution with UserAssist, Prefetch or ShimCache.
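Collecting all of the hives listed above from a live system, as an added example that is not part of the original page. It assumes an elevated PowerShell session, a writable collection directory (C:\Triage\Registry, an arbitrary choice) and the /vss switch of esentutl.exe, which is available on Windows 10 and Server 2016 and later. Loaded hives are exported with reg.exe save, which writes a consistent copy; the raw hive files, their .LOG1/.LOG2 transaction logs and Amcache.hve are copied from a temporary shadow copy so that unflushed log entries survive for replay during analysis.

```powershell
# Added example, not the page's own code. Run as Administrator.
$OutDir = 'C:\Triage\Registry'   # assumption: any writable collection directory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# System-wide hives: loaded registry key -> output file name.
# The files under System32\Config are locked, so export the loaded hive instead.
$SystemHives = @{
    'HKLM\SAM'      = 'SAM'
    'HKLM\SECURITY' = 'SECURITY'
    'HKLM\SOFTWARE' = 'SOFTWARE'
    'HKLM\SYSTEM'   = 'SYSTEM'
    'HKU\.DEFAULT'  = 'DEFAULT'
}
foreach ($key in $SystemHives.Keys) {
    $dest = Join-Path $OutDir $SystemHives[$key]
    & reg.exe save $key $dest /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg save failed for $key" }
}

# Per-user hives. Enumerate profiles from ProfileList in the SOFTWARE hive; loaded
# profiles are exported from HKU\<SID> and HKU\<SID>_Classes, unloaded ones are
# plain files that can be copied from the profile directory.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-*'
foreach ($p in Get-ItemProperty -Path $profileList) {
    $sid     = $p.PSChildName
    $userDir = Join-Path $OutDir $sid
    New-Item -ItemType Directory -Path $userDir -Force | Out-Null
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        & reg.exe save "HKU\$sid" (Join-Path $userDir 'NTUSER.DAT') /y | Out-Null
        & reg.exe save "HKU\${sid}_Classes" (Join-Path $userDir 'UsrClass.dat') /y | Out-Null
    } else {
        $profilePath = $p.ProfileImagePath
        Copy-Item (Join-Path $profilePath 'NTUSER.DAT') $userDir -ErrorAction SilentlyContinue
        Copy-Item (Join-Path $profilePath 'AppData\Local\Microsoft\Windows\UsrClass.dat') $userDir -ErrorAction SilentlyContinue
    }
}

# Raw hive files with their .LOG1/.LOG2 transaction logs, plus Amcache.hve and its logs.
# esentutl /vss reads from a temporary shadow copy, so the locked originals and any
# changes not yet flushed into the primary file are preserved for log replay.
$RawDir = Join-Path $OutDir 'raw'
New-Item -ItemType Directory -Path $RawDir -Force | Out-Null
$bases = @('C:\Windows\appcompat\Programs\Amcache.hve')
foreach ($name in 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'DEFAULT') {
    $bases += "C:\Windows\System32\config\$name"
}
foreach ($base in $bases) {
    foreach ($ext in '', '.LOG1', '.LOG2') {
        $src = "$base$ext"
        if (-not (Test-Path $src)) { continue }
        $dst = Join-Path $RawDir (Split-Path $src -Leaf)
        & esentutl.exe /y $src /vss /d $dst | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "esentutl copy failed for $src" }
    }
}

# Hash the collection so the evidence can be verified later. Hashes are computed
# before the CSV is written so the manifest does not list itself.
$hashes = Get-ChildItem -Path $OutDir -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
$hashes | Export-Csv -Path (Join-Path $OutDir 'hashes.csv') -NoTypeInformation
```

The reg.exe exports are clean hives with all transactions applied, which is convenient for parsing but loses the unflushed log entries; the raw copies under raw\ keep the hive exactly as it sits on disk together with its logs, which is what registry parsers that replay dirty hives expect. Collect both when disk space allows.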

Registry Transaction Logs