Forensic Analysis Windows XP Registry
The default Windows Registry Editor can be opened by typing regedit in the Run window.
The registry can be seen as one unified "file system". The left-hand pane (also known as the Key pane) shows an organized listing
of what appear to be folders. The five top-level entries are commonly called "hives" and begin with "HKEY" (an abbreviation for
"handle to a key"). Although five hives can be seen, only two of these are actually "real": HKEY_USERS (HKU) and
HKEY_LOCAL_MACHINE (HKLM). The other three are links to, or merged views of, branches within those two. Strictly speaking, a
hive is a file on disk that is loaded under one of these root keys: on Windows XP the SAM, SECURITY, SOFTWARE and SYSTEM hives
live in %SystemRoot%\system32\config, and each user's profile hive is the NTUSER.DAT file in that user's profile folder. Those
files, rather than the live Registry Editor view, are what an examiner copies from a suspect machine for offline analysis. Each of
the five root keys is composed of keys, which contain values and subkeys.
Keys: Registry keys are similar to folders. In addition to values, each key can contain subkeys, which may contain further
subkeys, and so on. Keys are referenced with syntax similar to Windows path names, using backslashes to indicate levels
of hierarchy, e.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows.
Values: A value is a named item within a key. The name identifies a specific setting belonging to the operating system or to
an application that depends on it.
Type: Each value's type determines the kind of data it holds (REG_SZ for a string, REG_DWORD for a 32-bit number, REG_BINARY
for raw bytes, among others). It is comparable to a file extension in Windows Explorer.
Data: Each value can be empty (null) or can contain data. The data usually corresponds to the type, except that binary
values can contain strings or anything else for that matter.
Below are listed the five hierarchical hives seen in the figure above, with a very basic description of each.
1. HKEY_CLASSES_ROOT (HKCR): HKCR contains two types of settings. The first is the file associations that
map different types of files to the programs that can open, print, and edit them. The second is class registrations for
Component Object Model (COM, a Microsoft-centric interface standard for software components) objects. On Windows XP this
root key is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, and changing it alters a great deal of the
operating system's behaviour.
2. HKEY_CURRENT_USER (HKCU): HKCU contains the console user's per-user settings. This root key is a link to
HKU\SID, where SID is the console user's security identifier. This branch includes environment variables, desktop settings,
network configurations, printers, and application preferences.
3. HKEY_LOCAL_MACHINE (HKLM): HKLM contains hardware- and system-specific information about the machine the operating
system runs on, including the drives mounted on the system and the generic configuration of installed hardware. Its SAM,
SECURITY, SOFTWARE and SYSTEM subkeys correspond to the hive files of the same names in %SystemRoot%\system32\config.
4. HKEY_USERS (HKU): HKU contains the configuration of all loaded user profiles on the system, covering application
configuration and visual settings. Profiles of users who are not logged on are not loaded here; their NTUSER.DAT files must
be examined directly.
5. HKEY_CURRENT_CONFIG (HKCC): HKCC stores information about the system's current hardware profile. On Windows XP it is
a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current (HKLM\Config is the Windows 9x location, not the XP one).
The registry is the heart and soul of the Microsoft Windows XP operating system, and an enormous amount of information
can be derived from it. Because of the volume of information stored there, the registry is an excellent source of potential
evidence.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
MRU is the abbreviation for Most Recently Used. This key maintains a list of files recently opened or saved through the
common Open/Save dialog box, such as .txt, .pdf, .jpg, .doc, .ppt and .avi files. The subkey "*" contains the full file paths
of the 10 most recently opened/saved files regardless of extension. The other subkeys under OpenSaveMRU hold further entries
grouped by file extension. In each subkey, the MRUList value gives the order of the entries, most recent first.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
This key correlates with the OpenSaveMRU key to provide extra information. Each binary registry value under this key
contains the executable filename of a recently used program and the folder path that program last used to open or save a
file, so it shows which application handled a given OpenSaveMRU entry and where it was browsing.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
This key also maintains a list of files recently opened through Windows Explorer. It corresponds to
%USERPROFILE%\Recent (My Recent Documents). It records local or network files that were recently opened, but only the
filename is stored, as a binary value holding the name in UTF-16LE; the full path is not recorded here. It has similar
grouping to the OpenSaveMRU key: files are organized by file extension under respective subkeys, and a Folder subkey lists
recently opened folders.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
This key maintains a list of entries (e.g. full paths or commands such as cmd, regedit, etc.) executed using Start > Run.
Each entry is stored in a value named with a single letter, with a trailing "\1" appended to the command. The MRUList value
is a string of those letters in order of use, most recent first, so the letter of a newly added entry moves to the front.
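The ordering rule above is easy to get wrong by hand, so here is an added example (not code from the original page) that reconstructs the usage order of an MRU key from its MRUList value. It serves both RunMRU and the "*" and per-extension subkeys of OpenSaveMRU, which use the same MRUList convention; the dictionaries are constructed sample exports, not real data.

```python
# Added example, not code from the original page: reconstruct the usage order of an
# MRU key (RunMRU, or the "*" and per-extension subkeys of OpenSaveMRU) from its
# MRUList value.  The dictionaries below are constructed sample exports, not real data.

RUNMRU_SAMPLE = {            # HKCU\...\Explorer\RunMRU as it would appear in regedit
    "MRUList": "cab",        # letters in order of use, most recent first
    "a": "cmd\\1",           # Start > Run entries carry a trailing "\1"
    "b": "\\\\fileserver\\share\\1",
    "c": "regedit\\1",
}

OPENSAVEMRU_STAR_SAMPLE = {  # HKCU\...\ComDlg32\OpenSaveMRU\* : full paths, no suffix
    "MRUList": "ba",
    "a": "C:\\Documents and Settings\\user\\Desktop\\notes.txt",
    "b": "C:\\temp\\report.doc",
}


def mru_in_order(values):
    """Return (letter, entry) pairs for an MRUList-style key, most recent first.

    The MRUList string names the single-letter values in order of use; its first
    letter is the entry used most recently.  RunMRU data ends in a literal "\\1",
    which is stripped.  Letters that have no matching value are skipped.
    """
    ordered = []
    for letter in values.get("MRUList", ""):
        if letter not in values:
            continue
        entry = values[letter]
        if entry.endswith("\\1"):
            entry = entry[:-2]
        ordered.append((letter, entry))
    return ordered


def mru_orphans(values):
    """Values present in the key but absent from MRUList.

    A value with no MRUList letter has lost its place in the ordering: it may be a
    remnant of manual editing or of a cleaning tool that rewrote only MRUList.
    """
    listed = set(values.get("MRUList", ""))
    return sorted(v for v in values if v != "MRUList" and v not in listed)


if __name__ == "__main__":
    for letter, entry in mru_in_order(RUNMRU_SAMPLE):
        print(f"RunMRU {letter}: {entry}")
    for letter, entry in mru_in_order(OPENSAVEMRU_STAR_SAMPLE):
        print(f"OpenSaveMRU\\* {letter}: {entry}")
```

When a value exists without a letter in MRUList, the entry is still evidence that the command or file was used; it has only lost its position in the sequence, which is worth noting in the report rather than silently dropping.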
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
This key holds the Windows virtual memory (paging file) configuration. The paging file (pagefile.sys) may contain
evidential information that can be destroyed when the suspect computer is shut down. The key contains a REG_DWORD value
called ClearPageFileAtShutdown that specifies whether Windows should overwrite the paging file at shutdown. By default it
is 0 and Windows leaves the paging file intact; a suspect may set it to 1 so that the file is wiped during a normal shutdown.
A forensic investigator should check this value before shutting down a suspect computer during evidence collection. If it is
set to 1, the paging file should be captured from the running system, or the machine powered off without a clean shutdown, so
that the file survives.
HKCU\Software\Microsoft\Search Assistant\ACMru
This key contains recent search terms entered in the Windows XP Search Assistant. Subkey 5603 holds terms used to search
for files and folders by name, while subkey 5604 holds terms used to search for a word or phrase inside files.
This work is licensed under a Creative Commons Attribution Unported License.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Each subkey under this key represents a program installed on the computer. A subkey usually contains two common registry
values: DisplayName (the program name) and UninstallString (the path of the application's uninstall component, which
indirectly reveals the installation path). Other useful values may exist, including InstallDate, InstallSource and
DisplayVersion, and the last-write time of the subkey itself can be taken as the time the program was installed.
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
This key contains a list of up to 25 recent URLs (or file paths) typed into the Internet Explorer (IE) or Windows Explorer
address bar, stored in values url1 (the most recent) through url25. The key records only addresses that were fully typed,
auto-completed while typing, or selected from the drop-down list of stored URLs in the IE address bar. Websites accessed via
IE Favorites are not recorded. If the suspect clears the URL history using Clear History in the Internet Options menu, this
key is removed entirely.
HKLM\SYSTEM\MountedDevices
This key makes it possible to view each drive letter associated with the system. It stores the database of mounted volumes
used by the Mount Manager, keyed both by drive letter (\DosDevices\X:) and by volume GUID (\??\Volume{...}). The binary data
of each \DosDevices\X: value identifies the volume: for a partition on a fixed disk it is the disk signature and partition
offset, and for a removable or USB device it is the device's instance path stored as a UTF-16LE string. This is demonstrated
in the figure below, where \DosDevices\F: is a mounted volume listed as "STORAGE Removable Media".
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
Any time a USB mass storage device (thumb drive, camera, external disk, etc.) is connected, drivers are queried and the
device's information is stored in the registry. Under USBSTOR each device type appears as a subkey named from the device
descriptor (e.g. Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>), and beneath it is a subkey named with the device instance
ID, which is normally the device's serial number. A serial number is a unique value assigned by the manufacturer, much like
the MAC address of a network interface card, so it can tie a specific physical device to the machine.
Not every thumb drive has a serial number, however. When the device does not supply one, Windows generates an instance ID
with an "&" as its second character, for example 6&1543608a&0. Such an ID is unique only on the machine that generated it and
cannot be used to match the device across different computers.
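Tying a drive letter in MountedDevices to a USBSTOR entry is the step examiners most often do by eye. The following added example (not code from the original page) decodes the binary data of \DosDevices\X: values, tells fixed-disk volumes apart from USB device paths, and applies the "&"-as-second-character rule above to decide whether the identifier is a manufacturer serial. All byte strings are constructed samples; the GUID constants are the standard disk and volume device-interface class GUIDs.

```python
import struct

# Added example, not code from the original page: decode the binary data of the
# \DosDevices\X: values in HKLM\SYSTEM\MountedDevices so that a drive letter can be
# tied to the disk or USB device that held it.  All byte strings are constructed samples.

DISK_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"    # GUID_DEVINTERFACE_DISK
VOLUME_INTERFACE_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_VOLUME


def _utf16(text):
    """Encode a device path the way the registry stores it (UTF-16LE, no BOM)."""
    return text.encode("utf-16-le")


# Constructed sample values, named as they would appear under MountedDevices.
MOUNTED_SAMPLE = {
    # Partition on a fixed MBR disk: 4-byte disk signature + 8-byte partition offset
    "\\DosDevices\\C:": struct.pack("<IQ", 0xA1B2C3D4, 32256),
    # USB thumb drive that reported a serial number
    "\\DosDevices\\E:": _utf16(
        "\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00#0C6D3A3F0001B&0#"
        + DISK_INTERFACE_GUID),
    # USB thumb drive with no serial: Windows made up an ID with '&' as 2nd character
    "\\DosDevices\\F:": _utf16(
        "\\??\\USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#6&1543608a&0#"
        + DISK_INTERFACE_GUID),
    # Removable-media volume: the instance is the ParentIdPrefix of a USBSTOR device
    "\\DosDevices\\G:": _utf16(
        "\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#" + VOLUME_INTERFACE_GUID),
}


def parse_dosdevice(data):
    """Describe one \\DosDevices\\X: value.  Returns a dict with a 'kind' field."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "fixed", "disk_signature": f"{signature:08X}", "offset": offset}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": data.hex()}
    # Device interface path: \??\<enumerator>#<device id>#<instance id>#{interface GUID}
    parts = text[4:].split("#") if text.startswith("\\??\\") else []
    if len(parts) < 3:
        return {"kind": "unknown", "raw": text}
    enumerator, device_id, instance_id = parts[0], parts[1], parts[2]
    ident = instance_id
    if ident.endswith("&RM"):        # STORAGE\RemovableMedia instances end in &RM
        ident = ident[:-3]
    ident = ident.rsplit("&", 1)[0]  # drop the trailing &<LUN>
    # An '&' as the second character means Windows generated the ID because the
    # device supplied no serial number; such IDs are only unique on this machine.
    generated = len(ident) > 1 and ident[1] == "&"
    return {"kind": enumerator.lower(), "device": device_id, "instance": instance_id,
            "identifier": ident, "serial_from_device": not generated}


def drive_letters(mounted):
    """Map each drive letter in a MountedDevices export to its parsed description."""
    out = {}
    for name, data in mounted.items():
        if name.startswith("\\DosDevices\\") and len(name) == len("\\DosDevices\\X:"):
            out[name[-2]] = parse_dosdevice(data)
    return out


if __name__ == "__main__":
    for letter, info in sorted(drive_letters(MOUNTED_SAMPLE).items()):
        print(letter + ":", info)
```

For the USBSTOR form the identifier is compared directly with the serial-number subkey under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_...; for the STORAGE#RemovableMedia form the full instance (here 7&1a2b3c4d&0) is instead matched against the ParentIdPrefix value of the USBSTOR device subkey, which is how an XP drive letter is linked back to a device whose own serial appears only in USBSTOR.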
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
This key contains two or more subkeys with long hexadecimal names that are Globally Unique Identifiers (GUIDs). Under
each, a Count subkey records values that pertain to specific objects the user has accessed on the system, such as Control
Panel applets, shortcut files, programs, etc. The value names are obscured with ROT-13, a simple letter substitution rather
than real encryption, and can be recovered with any ROT-13 decoder. On Windows XP each value's data is 16 bytes: a session
identifier, a run counter (which starts at 5, so 5 must be subtracted to obtain the actual number of runs) and a 64-bit
FILETIME giving the last time the object was run.
With the UserAssist key, a forensic examiner can gain a better understanding of what types of files or applications have
been accessed on a particular system and when they were last run. Even though this is not definitive (the key only reflects
actions taken through the Explorer shell and can be disabled or cleared), it still indicates specific actions by the user.
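As an added example (not code from the original page), the block below decodes one UserAssist value the way an examiner would on an exported XP NTUSER.DAT: it reverses the ROT-13 name and unpacks the 16-byte data into session, run count and last-run time. The value name and data are constructed samples.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not code from the original page: decode a UserAssist value as stored
# on Windows XP under HKCU\...\Explorer\UserAssist\{GUID}\Count.  The value name and
# the 16-byte data below are constructed samples.

_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_XP_COUNT_BASE = 5   # XP starts the run counter at 5, not 0

# Constructed sample: UEME_RUNPATH:C:\WINDOWS\system32\calc.exe after ROT-13, with
# session 3, raw counter 12 (= 7 real runs) and a FILETIME of 2009-02-13 23:31:30 UTC.
SAMPLE_NAME = "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\pnyp.rkr"
SAMPLE_DATA = struct.pack("<IIQ", 3, 12, 128790414900000000)


def rot13(text):
    """ROT-13 rotates only ASCII letters; digits, colons and backslashes pass through."""
    return text.translate(_ROT13)


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if filetime == 0:
        return None          # never recorded
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def parse_userassist(name, data):
    """Decode one Count value into its name, session, run count and last-run time."""
    decoded = rot13(name)
    if len(data) != 16:
        # Later Windows versions use a larger layout; anything but 16 bytes is not XP
        return {"name": decoded, "error": f"unexpected data length {len(data)}"}
    session, raw_count, filetime = struct.unpack("<IIQ", data)
    # A raw counter below the base of 5 cannot occur naturally and hints at tampering
    runs = raw_count - _XP_COUNT_BASE if raw_count >= _XP_COUNT_BASE else None
    return {"name": decoded, "session": session, "run_count": runs,
            "last_run": filetime_to_datetime(filetime)}


if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA))
```

The timestamp comes out in UTC; convert it to the suspect machine's time zone (from HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation) before correlating it with other artifacts.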
Given the popularity of the Windows operating systems, it is important for computer forensic experts to understand the
complexity of the Windows Registry. The information and potential evidence that exist in the registry make it a significant
forensic resource; uncovering this data can be crucial to any computer-related investigation. By understanding the
fundamentals of the registry from a forensic point of view, an examiner can develop a more accurate account of what
occurred on a given machine. This document does not provide conclusive evidence in a registry analysis, but it does
present some examples and explanations of what type of data can be found, how it can be found, and why it may be
relevant to an examination.