
The Windows registry is a goldmine of forensics artifacts that can be leveraged during digital forensics investigations, incident response handling, and malware analysis. These artifacts reveal information such as the name and serial number of removable devices that were plugged into the computer, installed software, programs that previously executed, visited URLs, recently accessed documents, network share interactions, and much more.

Besides just storing such information directly, the registry also keeps very useful metadata including the last written time for each subset of the registry as well as for individual sets of data. This allows investigators to not only determine a wide range of activity on the system, but also when each event took place.

Due to the complexity of how the registry stores data and the fact that Microsoft does not document much of it, performing registry analysis can be a daunting task for newcomers to the forensics field. Entire investigations can be discarded if an investigator misinterprets such data, and incorrect conclusions are easy to reach.

To aid investigators in analyzing the registry, there exists a wide range of tools that can automate subsets of analysis and provide consistent results that can then be used within reports. Unfortunately, without an understanding of how such tools work and of the data the tools are parsing, investigators can never be sure whether the results they are receiving are correct or complete.

This can also be an issue when an investigator is in court and asked to explain where specific data came from or what actions caused the data to appear on the investigated computer.

While registry analysis poses challenges for novices, it also allows for very deep and powerful investigations by those who know how to correctly leverage it. This deep analysis can be achieved by investigative techniques such as timelining, baselining, and backup analysis.

Timelining is the grouping of all actions on a computer, based on their timestamp, to determine related ones. These groups of actions can then lead to understanding higher level events and context. For example, by performing timelining of a malware infection, the analyst can often determine when the malware was placed on the system, when it first executed, any places within the registry used for persistence, of which there are many possibilities, and potential avenues of spreading.

Baselining is the process of comparing the state of the registry before and after an activity, such as malware infection, program installation, document access, or user login, occurs. By isolating the changes caused by a specific action, the analyst can quickly determine its effect on the system. This information can also be used to develop signatures that immediately recognize activity patterns on the system.

Backup analysis utilizes the complete hive copies that are kept by the operating system’s backup facilities, such as System Restore and the Volume Shadow Service. These backup facilities keep many historical copies of the system’s state and each copy has the entire registry backed up. By analyzing the backups, insight into the system can be gained going back weeks, months, or longer.

Backup analysis is also one of the best ways to defeat anti-forensics tools that destroy data within the currently active set of hives. If a backup can be found before the anti-forensics tool was used, it is possible to recover all interesting information without having to resort to searching unallocated space.
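The three techniques above (timelining, baselining and backup analysis) all reduce to operations over parsed hive data: ordering keys by their last-write timestamp, and comparing two snapshots of the same hive. The following is an added example, not code from the article or from the Hacker Academy class, and it assumes a hive parser has already produced a simple dictionary of key path to last-write time and values. The snapshot contents, the window size and the `svc_helper` value are constructed sample data for illustration; the same `diff_snapshots` routine that performs baselining also recovers keys from an older backup copy of a hive when run against the live hive.

```python
"""Registry forensics helpers: timelining, baselining and backup recovery.

Added example. A real hive parser (e.g. one built on the on-disk hive
format) would produce records like the ones below; here they are
constructed by hand so the script runs offline.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "timestamp path")

# Constructed "before" snapshot: a clean system baseline.
BEFORE = {
    r"HKLM\SOFTWARE\Vendor\App": {
        "last_write": datetime(2012, 3, 1, 9, 0, 0),
        "values": {"Version": "1.0"},
    },
    r"HKLM\SOFTWARE\Vendor\App\Uninstall": {
        "last_write": datetime(2012, 3, 1, 9, 0, 30),
        "values": {"UninstallString": r"C:\Program Files\Vendor\uninst.exe"},
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "last_write": datetime(2012, 3, 1, 9, 5, 0),
        "values": {"Updater": r"C:\Program Files\Vendor\update.exe"},
    },
}

# Constructed "after" snapshot: taken after suspected activity. The
# "svc_helper" value and the ".xyz" class are invented sample data.
AFTER = {
    r"HKLM\SOFTWARE\Vendor\App": BEFORE[r"HKLM\SOFTWARE\Vendor\App"],
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "last_write": datetime(2012, 3, 2, 14, 30, 10),
        "values": {
            "Updater": r"C:\Program Files\Vendor\update.exe",
            "svc_helper": r"C:\Users\Public\svc_helper.exe",
        },
    },
    r"HKLM\SOFTWARE\Classes\.xyz": {
        "last_write": datetime(2012, 3, 2, 14, 30, 12),
        "values": {"": "xyzfile"},
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs": {
        "last_write": datetime(2012, 3, 2, 14, 31, 0),
        "values": {"MRUListEx": "00 00 00 00"},
    },
}


def diff_snapshots(before, after):
    """Baselining: keys added, removed or modified between two snapshots.

    A key counts as modified when its values or its last-write time differ.
    """
    before_paths, after_paths = set(before), set(after)
    added = sorted(after_paths - before_paths)
    removed = sorted(before_paths - after_paths)
    modified = sorted(
        path for path in before_paths & after_paths
        if before[path]["values"] != after[path]["values"]
        or before[path]["last_write"] != after[path]["last_write"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def build_timeline(snapshot, window=timedelta(minutes=5)):
    """Timelining: order keys by last-write time, then cluster writes.

    Each event joins the current cluster if it falls within `window` of
    the previous event; otherwise it starts a new cluster. Clusters are
    candidate "higher level events" for the analyst to examine together.
    """
    events = sorted(Event(rec["last_write"], path) for path, rec in snapshot.items())
    clusters = []
    for event in events:
        if clusters and event.timestamp - clusters[-1][-1].timestamp <= window:
            clusters[-1].append(event)
        else:
            clusters.append([event])
    return clusters


def recover_from_backup(current, backup):
    """Backup analysis: keys present in an older hive copy but gone from the
    live hive, i.e. what an anti-forensics wipe of the active hive would lose."""
    return diff_snapshots(backup, current)["removed"]


if __name__ == "__main__":
    changes = diff_snapshots(BEFORE, AFTER)
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
    for n, cluster in enumerate(build_timeline(AFTER), 1):
        print(f"cluster {n}: {[(e.timestamp.isoformat(), e.path) for e in cluster]}")
    print("recoverable from backup:", recover_from_backup(AFTER, BEFORE))
```

Run against real data, `BEFORE` would be a hive acquired before the activity (or a System Restore or shadow copy of it) and `AFTER` the live hive; the clustering window should be tuned to the activity being studied, since installer runs write many keys within seconds while user activity spreads over minutes.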

About the Author: Andrew Case (@attrc) is one of the Hacker Academy’s lead instructors and has a heavy involvement in the Volatility Framework. Andrew is one of four digital forensics experts who have developed the Hacker Academy Registry Forensics Master Class. This class focuses solely on registry forensics and teaches everything previously mentioned in this article as well as many other topics. The class starts by taking students through the basics of registry forensics such as how the hives are organized, where they are stored on disk, and how to acquire them in a forensically sound manner. All of the artifacts in each registry hive are then presented and the on-disk formats are explained. A number of common registry forensics tools are then presented, and students learn how to script them to automate their analysis tasks. Investigative topics, such as timelining, baselining, backup analysis, and malware analysis are then covered. Every lesson includes a hands-on exercise that gives students real-world experience with the information learned, and the class ends with a large-scale final investigation that requires incorporating many of the lessons learned into one investigation. By the end of the course, students are able to deeply analyze the registry and clearly understand the artifacts contained within it. These skills will lead to much more efficient and effective investigations, and teach students some of the most sought after skills in the field.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock