This paper introduces the Microsoft Windows Registry database and explains how critically important a Registry examination is to computer forensics examiners. In essence, it discusses various types of Registry ‘footprints’ and gives examples of the crucial information that can be obtained by performing an efficient and effective forensic examination. Many of the Registry keys that are imperative and relevant to an examination are also discussed. The paper is primarily a product of research, but it may also serve as a reference for a Windows Registry examination.
For the sake of simplicity, only the Windows XP operating system is referenced, even though earlier versions of Windows also use the Registry, share similar characteristics, and apply many of the same concepts. XP was chosen over other versions of Windows because it remains popular and widely used among average computer users, so the chance of encountering it in a forensic examination is higher. Windows XP is still current, and much of the same information also applies to previous versions of Windows. The illustrations throughout this paper are intended to provide a better understanding of the subject under discussion. All of the screenshots in this paper were captured from the Windows XP system on which the research was conducted. The P2P client programs that were downloaded, installed, used, and examined were for research purposes only.
Searches were conducted and files were downloaded from these networks not to engage in illegal or malicious activity, but to provide a better understanding of the software’s architecture and of how it uses the Windows Registry, from a forensics standpoint. Today’s society relies heavily on computers and the internet to accomplish everyday tasks, including practically everything from communicating and shopping online to banking and investing. It is far more common to send or receive an email than a physical letter. Along with the increasing use of computers and the internet comes a little problem called computer crime, facetiously speaking.
The Registry is organized under a small number of root keys; beside each root key in the illustrations is its commonly used abbreviation in parentheses (for example, HKEY_LOCAL_MACHINE is abbreviated HKLM and HKEY_CURRENT_USER is abbreviated HKCU). A comprehensive discussion of how the root keys are assembled from the hive files is outside the scope of this paper. Every Registry key carries a LastWrite time; this value is stored as a FILETIME structure (a 64-bit count of 100-nanosecond intervals since 1 January 1601 UTC) and indicates when the key was last modified, which lets an examiner place Registry changes on a timeline. If an examiner is investigating a case in which the user is suspected of having used Morpheus to download illegal content, the autorun locations, which list the programs configured to start automatically, should also be examined. The RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) records the commands typed into the Start menu ‘Run’ window, and its MRUList value gives their order, most recent first; on the research system the first entry tells us that the last command typed in the ‘Run’ window was to execute notepad.
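As an added example (this code is not from the original paper), the following Python decodes a key's LastWrite FILETIME into a UTC timestamp and orders the RunMRU entries using the MRUList value, which is what an examiner does by hand when reading these keys from an exported hive. The RunMRU values and the LastWrite bytes below are constructed sample data, not data captured from the research system; the assumption that XP appends "\1" to each RunMRU command is noted in the code and handled when cleaning entries for display.

```python
"""Decode Registry LastWrite FILETIME values and order RunMRU entries.

Added example, not code from the original paper. SAMPLE_RUNMRU and
SAMPLE_LASTWRITE below are constructed test data.
"""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME integer to a timezone-aware UTC datetime."""
    if not 0 <= filetime < (1 << 64):
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    # 10 x 100 ns = 1 microsecond; the sub-microsecond remainder is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_from_bytes(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian FILETIME as it is stored in a hive."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    (value,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(value)


def _strip_run_suffix(command: str) -> str:
    """Remove the trailing "\\1" that XP appends to RunMRU commands.

    This suffix is an assumption about the XP RunMRU format; an explicit
    suffix check is used rather than rstrip(), which would also eat a real
    trailing '1' from a command such as "calc1".
    """
    return command[:-2] if command.endswith("\\1") else command


def order_runmru(values: dict) -> list:
    """Return RunMRU commands most-recent-first.

    `values` maps value names to REG_SZ data, e.g. {"MRUList": "cab",
    "a": "cmd\\1", ...}. Each character of MRUList names one entry and the
    first character is the most recently used. Entries that MRUList does
    not reference (a damaged or partially overwritten key) are appended
    after the ordered ones so that no evidence is silently dropped.
    """
    order = values.get("MRUList", "")
    seen = set()
    ordered = []
    for name in order:
        if name in values and name not in seen:
            seen.add(name)
            ordered.append(_strip_run_suffix(values[name]))
    for name in sorted(values):
        if name != "MRUList" and name not in seen:
            ordered.append(_strip_run_suffix(values[name]))
    return ordered


def last_run_command(values: dict):
    """The most recently typed Run command, or None if the key is empty."""
    ordered = order_runmru(values)
    return ordered[0] if ordered else None


# Constructed sample: three Run-box commands, notepad most recent.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "regedit\\1",
    "c": "notepad\\1",
}
# Constructed LastWrite: FILETIME for 2009-01-01 00:00:00 UTC, packed as
# the 8 little-endian bytes that appear in the hive's key cell.
SAMPLE_LASTWRITE = struct.pack("<Q", 128752416000000000)

if __name__ == "__main__":
    print("RunMRU LastWrite:", filetime_from_bytes(SAMPLE_LASTWRITE).isoformat())
    for position, command in enumerate(order_runmru(SAMPLE_RUNMRU), start=1):
        print(f"{position}. {command}")
    print("Last command typed in Run:", last_run_command(SAMPLE_RUNMRU))
```

The LastWrite value answers "when did this key last change", not "when was this particular command typed"; with RunMRU that distinction matters little because any new command rewrites MRUList and therefore the key, but for keys with many values the timestamp only bounds the most recent write.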
Computer crime presents serious problems in today’s society, including, but certainly not limited to, fraud, identity theft, phishing, network infiltration, DoS attacks, piracy of copyrighted material, and CP. With computer crime on the rise, it is becoming extremely important for law enforcement officers and digital forensic examiners to understand computer systems and to be able to examine them efficiently and effectively. To do this, how the operating system works must be studied from the inside out.
The Registry is the heart and soul of the Microsoft Windows XP operating system, and an enormous amount of information can be derived from it. First, it is important to understand what the Registry is, why it exists, and the types of information it contains. Virtually everything done in Windows refers to or is recorded in the Registry. Watching Registry activity with a monitoring tool makes it apparent that Registry access is almost never idle: the Registry is referenced in one way or another with every action taken by the user.
This report is by no means conclusive in terms of a Registry examination: there will always be additional locations to discover that provide evidential support in an investigation, and there is enough information on this topic to write an entire research paper on it. Evidence found in the Registry, such as an IP address, can point to other systems or media, and those too should be seized for further analysis. The hive files themselves live in the system32\config directory, whose primary purpose is to hold the Registry hives (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) that are loaded under the root keys. Even though these entries are not definitive, the keys listed in this paper, each with a very basic description, are a sound starting point for a Windows XP Registry examination.