This web page is designed to introduce the Microsoft Windows Registry
database and explain how critically important a Registry examination is to
computer forensic experts. In essence, this page will discuss various
types of Registry “footprints” and delve into examples of what crucial
information can be obtained by performing an efficient and effective
forensic analysis of the Windows Registry. Many of the Registry keys that are imperative and
relevant to an examination will also be discussed.
Importance of a Registry Examination:
society relies heavily on computers and the internet to accomplish everyday
tasks, which includes practically everything from communicating and shopping
online to banking and investing. It is much more common to send or receive
an email than a physical letter. Along with the increasing use of computers
and the internet, comes a little problem called computer crime –
facetiously speaking. Computer crimes present
exorbitant issues in today’s society. Including, but certainly not
limited to – fraud, identity theft, phishing, network infiltration, DoS
attacks, piracy of copyrighted material, and child pornography. With
computer crimes on the rise, it is becoming extremely crucial for law
enforcement officers and digital forensic examiners to understand computer
systems and be able to examine them efficiently and effectively. In order
to do this a study of how operating systems work must be explored from the
inside out. The Registry is the heart and soul of the Microsoft Windows XP
operating system and an exponential amount of information can be derived
The information contained on
this site is primarily a product of my research, but may also serve as a
reference to a Windows registry examination. For the sake of simplicity,
there will only be reference to the Windows XP operating system – Even
though earlier versions of Windows utilize the Registry, contain similar
characteristics, and even apply many of the same concepts. The reasons XP
was chosen to be discussed over other versions of Windows is because it
remains popular and very widely used among average computer users, thus the
chance of encountering it in a forensic examination is higher. Windows XP
is still very current and much of the same information can still be applied
to previous versions of Windows.
The illustrations are intended to provide a better understanding of the subject being discussed. All of the screenshot images contained on this website were captured from the Windows XP system in which the research was conducted on.
The P2P client programs that were downloaded, installed, used, and examined were for the purpose of research use only. Searches were conducted and files were downloaded from these networks, not to engage in illegal or malicious activity, but to help provide a better understanding of the software’s architecture and how it utilizes the Windows Registry from a forensics standpoint.
About - A very brief history of
the Microsoft Windows Registry, Why it exists, and the types of information
Structure - Explains how the Registry is structured with a breakdown of the five Registry hives and the information each hive contains.
Examination - Demonstrates many of the Registry keys that are relevant in a computer forensic examination, with examples and images of each.
Downloads - Links to software used and PDFs referenced to.
Resources - A compilation of resources used during this research.