
Purpose:

    This page introduces the Microsoft Windows Registry database and explains why a Registry examination is so important to computer forensic examiners. It discusses the various types of Registry "footprints" left behind by user and system activity and gives examples of the crucial information that an efficient and effective forensic analysis of the Windows Registry can recover. Many of the Registry keys that are relevant to an examination are also discussed.
 

Importance of a Registry Examination:

Today's society relies heavily on computers and the internet to accomplish everyday tasks, from communicating and shopping online to banking and investing. It is far more common to send or receive an email than a physical letter. Along with the increasing use of computers and the internet comes computer crime. Computer crimes are a serious problem in today's society and include, but are certainly not limited to, fraud, identity theft, phishing, network intrusion, denial-of-service (DoS) attacks, piracy of copyrighted material, and child pornography. With computer crimes on the rise, it is crucial for law enforcement officers and digital forensic examiners to understand computer systems and to be able to examine them efficiently and effectively. To do this, they must study how operating systems work from the inside out. The Registry is at the heart of the Microsoft Windows XP operating system, and an enormous amount of information about the system and its users can be derived from it.
 

Acknowledgements:

The information contained on this site is primarily a product of my research, but it may also serve as a reference for a Windows Registry examination. For the sake of simplicity, only the Windows XP operating system is discussed, even though earlier versions of Windows also use the Registry, share similar characteristics, and apply many of the same concepts. XP was chosen over other versions of Windows because it remains popular and very widely used among average computer users, so the chance of encountering it in a forensic examination is higher. Windows XP is still very current, and much of the same information can also be applied to previous versions of Windows.
   
    The illustrations are intended to provide a better understanding of the subject being discussed. All of the screenshot images on this website were captured from the Windows XP system on which the research was conducted.
   

    The P2P client programs that were downloaded, installed, used, and examined were for research purposes only. Searches were conducted and files were downloaded from these networks not to engage in illegal or malicious activity, but to provide a better understanding of the software's architecture and of how it uses the Windows Registry, from a forensics standpoint.
 

Navigation:

About - A very brief history of the Microsoft Windows Registry, why it exists, and the types of information it stores.

Structure - Explains how the Registry is structured with a breakdown of the five Registry hives and the information each hive contains.

Examination - Demonstrates many of the Registry keys that are relevant in a computer forensic examination, with examples and images of each.

Downloads - Links to the software used and the PDFs referenced.

Resources - A compilation of resources used during this research.

Contact | ©2007 Derrick Farmer