These registry paths are foundational for gathering initial forensic information on a Windows system.
- System Information:
  - OS Version: retrieve the operating system version from `SOFTWARE\Microsoft\Windows NT\CurrentVersion`.
  - Current Control Set: the active system configuration is found under `SYSTEM\CurrentControlSet`, while `SYSTEM\ControlSet001` and `SYSTEM\ControlSet002` often represent the main and last good configurations. The `SYSTEM\Select\Current` and `SYSTEM\Select\LastKnownGood` values indicate which control set is in use. Note that `CurrentControlSet` is a link that only exists in the live registry; in an offline SYSTEM hive, resolve `Select\Current` to the matching `ControlSet00N` key.
- Computer Name:
  - Located at `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`; this helps confirm the identity of the machine under analysis.
- Time Zone Information:
  - For time accuracy, use `SYSTEM\CurrentControlSet\Control\TimeZoneInformation`. This is critical for aligning event timelines, particularly when timestamps vary between UTC and the local time zone.
- Network Interfaces and History:
  - Current Network Interfaces: found under `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`, showing configuration details such as IP addresses and DNS servers.
  - Past Networks: prior connections are stored in `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged` and `...\Signatures\Managed`, including the last connection time.
- Autostart Programs (Autoruns):
  - Programs set to run at startup are found in registry keys such as `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run`, `RunOnce`, and `SYSTEM\CurrentControlSet\Services`, where a `Start` value of 0x02 signifies a boot-start service.
- User Account Information:
  - Located in the SAM hive at `SAM\Domains\Account\Users`; this includes user RIDs, login attempts, last login times, password changes, and group memberships, which are essential for user activity analysis.
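As an added example (not part of the original notes), the PowerShell below pulls the artifacts listed above from a live host in one pass. Key and value names are the standard registry ones; the `ConvertFrom-SystemTime` helper and the `$out` layout are my own.

```powershell
# Added example, not from the original notes: triage the registry locations listed above
# on a live Windows host from an elevated PowerShell. Offline hives copied from
# C:\Windows\System32\Config need a hive parser instead of the HKLM:/HKCU: drives.
$ErrorActionPreference = 'SilentlyContinue'
$out = [ordered]@{}
# OS version: SOFTWARE\Microsoft\Windows NT\CurrentVersion
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$out.OSVersion = "$($cv.ProductName) build $($cv.CurrentBuild).$($cv.UBR)"
# Live control set comes from SYSTEM\Select rather than assuming ControlSet001
$sel = Get-ItemProperty 'HKLM:\SYSTEM\Select'
$ccs = 'ControlSet{0:D3}' -f $sel.Current
$out.ControlSet = "$ccs (LastKnownGood=ControlSet{0:D3})" -f $sel.LastKnownGood
$out.ComputerName = (Get-ItemProperty "HKLM:\SYSTEM\$ccs\Control\ComputerName\ComputerName").ComputerName
# Time zone: ActiveTimeBias is the number of minutes to add to local time to reach UTC
$tz = Get-ItemProperty "HKLM:\SYSTEM\$ccs\Control\TimeZoneInformation"
$out.TimeZone = "$($tz.TimeZoneKeyName) ActiveTimeBias=$($tz.ActiveTimeBias) min"
# Current interfaces: Tcpip\Parameters\Interfaces\{GUID}; DHCP-assigned values win when present
$out.Interfaces = Get-ChildItem "HKLM:\SYSTEM\$ccs\Services\Tcpip\Parameters\Interfaces" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $ip = if ($p.DhcpIPAddress) { $p.DhcpIPAddress } else { $p.IPAddress -join ',' }
    if ($ip) { "$($_.PSChildName) ip=$ip dns=$($p.DhcpNameServer) $($p.NameServer)" }
}
# Past networks: Signatures\{Unmanaged,Managed}\<sig> carries a ProfileGuid into Profiles,
# whose DateLastConnected is a 16-byte SYSTEMTIME (local time), decoded by this helper
function ConvertFrom-SystemTime([byte[]]$b) {
    if (-not $b -or $b.Length -lt 16) { return $null }
    $f = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($b, $_ * 2) }
    [datetime]::new($f[0], $f[1], $f[3], $f[4], $f[5], $f[6])   # $f[2] is day-of-week
}
$nl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$out.PastNetworks = foreach ($kind in 'Unmanaged', 'Managed') {
    Get-ChildItem "$nl\Signatures\$kind" | ForEach-Object {
        $s = Get-ItemProperty $_.PSPath
        $prof = Get-ItemProperty "$nl\Profiles\$($s.ProfileGuid)"
        "$kind '$($s.Description)' last=$(ConvertFrom-SystemTime $prof.DateLastConnected)"
    }
}
# Autostarts: HKCU is the logged-on user's NTUSER.DAT; HKLM is the machine-wide equivalent
$out.RunKeys = foreach ($root in 'HKCU', 'HKLM') { foreach ($k in 'Run', 'RunOnce') {
    (Get-ItemProperty "${root}:\Software\Microsoft\Windows\CurrentVersion\$k").PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { "$root\$k $($_.Name) = $($_.Value)" }
} }
# Services: Start 0 = boot, 1 = system, 2 = auto-start, 3 = manual, 4 = disabled
$out.EarlyStartServices = Get-ChildItem "HKLM:\SYSTEM\$ccs\Services" | ForEach-Object {
    $s = Get-ItemProperty $_.PSPath
    if ($null -ne $s.Start -and $s.Start -le 2 -and $s.ImagePath) { "$($_.PSChildName) start=$($s.Start) $($s.ImagePath)" }
}
[pscustomobject]$out | Format-List
```

Because `ActiveTimeBias` is captured alongside the timestamps, the `DateLastConnected` values (stored in local time) can be normalised to UTC before being merged with event logs.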
Standard Registry Hives (located in `C:\Windows\System32\Config`)
- DEFAULT:
  - Purpose: stores default user settings.
  - Location: mounted at `HKEY_USERS\.DEFAULT`.
  - Typical Use: provides system-wide default settings that apply before any user-specific settings are loaded.
- SAM (Security Account Manager):
  - Purpose: contains user account information, including password hashes and group memberships.
  - Location: mounted at `HKEY_LOCAL_MACHINE\SAM`.
  - Typical Use: key source for examining user account details and login information.
- SECURITY:
  - Purpose: manages system security settings and policies.
  - Location: mounted at `HKEY_LOCAL_MACHINE\SECURITY`.
  - Typical Use: often used in forensic analysis to retrieve security-related data, including security policies.
- SOFTWARE:
  - Purpose: holds information about installed software and system configuration.
  - Location: mounted at `HKEY_LOCAL_MACHINE\SOFTWARE`.
  - Typical Use: essential for determining installed programs, licensing details, and configuration settings.
- SYSTEM:
  - Purpose: contains system-related configuration, including hardware and startup settings.
  - Location: mounted at `HKEY_LOCAL_MACHINE\SYSTEM`.
  - Typical Use: critical for analyzing system configuration, control sets, and startup settings.
User-Specific Hives
- NTUSER.DAT:
  - Purpose: stores individual user settings, preferences, and configurations.
  - Location: found in the user profile directory, `C:\Users\<username>\`, and mounted at `HKEY_CURRENT_USER` when the user logs in.
  - Typical Use: contains user-specific configuration, making it crucial for analyzing a particular user's environment and activity.
- USRCLASS.DAT:
  - Purpose: manages user-specific settings for file associations and classes.
  - Location: found in `C:\Users\<username>\AppData\Local\Microsoft\Windows`.
  - Typical Use: accessed under `HKEY_CURRENT_USER\Software\Classes`, primarily for tracking application-specific settings within a user's environment.
Additional Forensic Hive
- Amcache.hve:
  - Purpose: stores data on recently executed programs and files, including metadata.
  - Location: found at `C:\Windows\AppCompat\Programs\Amcache.hve`.
  - Typical Use: valuable in forensic analysis for tracing program execution history and application metadata on a machine.
Registry Transaction Logs