These registry paths are foundational for gathering initial forensic information on a Windows system.

• System Information:
  • OS Version: Retrieve the operating system version from the registry key SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion.
  • Current Control Set: The active system configuration is found under SYSTEM\\CurrentControlSet, while SYSTEM\\ControlSet001 and SYSTEM\\ControlSet002 often represent the main and last good configurations. The SYSTEM\\Select\\Current and SYSTEM\\Select\\LastKnownGood values indicate the control set in use.
• Computer Name:
  • Located at SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName, this helps confirm the identity of the machine under analysis.
• Time Zone Information:
  • For time accuracy, use SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation, critical for aligning event timelines, particularly when timestamps vary between UTC and the local time zone.
• Network Interfaces and History:
  • Current Network Interfaces: Found under SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces, showing configuration details like IP addresses and DNS servers.
  • Past Networks: Prior connections are stored in SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Signatures\\Unmanaged and Managed, including the last connection time.
• Autostart Programs (Autoruns):
  • Programs set to run at startup are found in registry keys like NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, RunOnce, and SYSTEM\\CurrentControlSet\\Services, where the Start key value of 0x02 signifies a boot-start service.
• User Account Information:
  • Located in the SAM hive at SAM\\Domains\\Account\\Users, this includes user RIDs, login attempts, last login times, password changes, and group memberships, essential for user activity analysis.

Standard Registry Hives (Located in C:\\\\Windows\\\\System32\\\\Config)

1. DEFAULT:
   • Purpose: Stores default user settings.
   • Location: Mounted on HKEY_USERS\\\\DEFAULT.
   • Typical Use: Provides system-wide default settings that apply before any specific user settings are applied.
2. SAM (Security Account Manager):
   • Purpose: Contains user account information, including passwords, and group memberships.
   • Location: Mounted on HKEY_LOCAL_MACHINE\\\\SAM.
   • Typical Use: Key source for examining user account details and login information.
3. SECURITY:
   • Purpose: Manages system security settings and policies.
   • Location: Mounted on HKEY_LOCAL_MACHINE\\\\Security.
   • Typical Use: Often used in forensic analysis to retrieve system security-related data, including security policies.
4. SOFTWARE:
   • Purpose: Holds information about installed software and system configurations.
   • Location: Mounted on HKEY_LOCAL_MACHINE\\\\Software.
   • Typical Use: Essential for determining installed programs, licensing details, and configuration settings.
5. SYSTEM:
   • Purpose: Contains system-related configurations, including hardware and startup settings.
   • Location: Mounted on HKEY_LOCAL_MACHINE\\\\System.
   • Typical Use: Critical in analyzing system configuration, control sets, and startup settings.

User-Specific Hives

1. NTUSER.DAT:
   • Purpose: Stores individual user settings, preferences, and configurations.
   • Location: Found in the user profile directory, C:\\\\Users\\\\<username>\\\\, and mounted on HKEY_CURRENT_USER when the user logs in.
   • Typical Use: Contains user-specific configurations, making it crucial in analyzing a particular user’s environment and activity.
2. USRCLASS.DAT:
   • Purpose: Manages user-specific settings for file associations and classes.
   • Location: Found in C:\\\\Users\\\\<username>\\\\AppData\\\\Local\\\\Microsoft\\\\Windows.
   • Typical Use: Accessed under HKEY_CURRENT_USER\\\\Software\\\\CLASSES, primarily for tracking application-specific settings within a user’s environment.

Additional Forensic Hive

1. Amcache.hve:
   • Purpose: Stores data on recently executed programs and files, including metadata.
   • Location: Found at C:\\\\Windows\\\\AppCompat\\\\Programs\\\\Amcache.hve.
   • Typical Use: Valuable for forensic analysis to trace program execution history and application metadata on a machine.

Registry Transaction Logs