Acquiring Registry Hives
Acquiring Registry Hives Using FTK Imager
FTK Imager is a forensic acquisition tool that lets investigators export critical files, including the Windows Registry hives, from a live system. This lesson covers how to acquire those files in a verifiable way for later analysis, even though the running operating system keeps them locked.
Why Use FTK Imager for Registry Acquisition?
Bypasses System Restrictions: While Windows is running, the kernel holds the registry hives open with exclusive access, so they cannot be copied through the normal file APIs (a plain copy fails with a sharing violation). FTK Imager reads them directly from the volume instead.
Preserves Data Integrity: Ensures an exact bit-for-bit copy of files, verified through hashing.
Critical for Incident Response: Enables rapid acquisition of key forensic artifacts during live investigations.
Steps for Acquiring Registry Hives
1. Launch FTK Imager as Administrator
Administrative privileges are required to access protected system files.
2. Add Evidence Item
Navigate to File > Add Evidence Item.
Select Logical Drive and choose the volume holding the Windows installation to access the live file system.
3. Locate Registry Hives
The following registry hives should be acquired for comprehensive forensic analysis:
Hive | Default path | Purpose
---|---|---
SAM | %SystemRoot%\System32\config\SAM | Local user accounts and password hashes.
SECURITY | %SystemRoot%\System32\config\SECURITY | Security policies and access control.
SOFTWARE | %SystemRoot%\System32\config\SOFTWARE | Installed software and configurations.
SYSTEM | %SystemRoot%\System32\config\SYSTEM | System configurations and services.
NTUSER.DAT | %UserProfile%\NTUSER.DAT (one per user profile) | User-specific preferences and settings.
UsrClass.dat | %LocalAppData%\Microsoft\Windows\UsrClass.dat (one per user profile) | Application-specific user settings.
Include Transaction Logs: The files with the extensions .LOG, .LOG1, and .LOG2 stored next to each hive hold changes not yet committed to the primary file. Acquire them together with the hive; without them, the most recent registry activity can be missing from the analysis.
4. Create a Custom Content Image
Select the Relevant Files: Add the hives and their logs to the custom image.
Generate Image:
Define a destination folder.
Provide a descriptive image name.
FTK Imager calculates and displays hash values (MD5, SHA1) to verify the integrity of the image.
5. Mount the Custom Image
Go to File > Image Mounting and select the created .ad1 image.
Explore the Image: The mounted image appears as a virtual drive, allowing easy access to the acquired files in a familiar folder structure.
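As an added example (not part of the lesson and not FTK Imager's own code), the following Python script performs the checks an analyst would run on the exported set once the .ad1 has been mounted or the files copied out: it confirms each hive from the table is present with its .LOG1/.LOG2 companions, parses the regf base block to tell whether the primary file is dirty (primary and secondary sequence numbers differ, meaning the transaction logs must be replayed before the hive can be trusted), verifies the header checksum, and produces MD5/SHA1 values to compare with those FTK Imager displayed. The folder argument, the constructed sample hive returned by build_sample_hive, and the helper names are assumptions made for this example.

```python
"""Sanity checks on a set of registry hives exported with FTK Imager.

Added example, not part of the original lesson. Assumes the hives and their
transaction logs sit in one folder and FTK Imager's reported MD5/SHA1 values
are at hand for comparison.
"""
import hashlib
import struct
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Hives from the table above and the transaction logs that belong with each.
EXPECTED_HIVES = ["SAM", "SECURITY", "SOFTWARE", "SYSTEM", "NTUSER.DAT", "UsrClass.dat"]
LOG_SUFFIXES = (".LOG1", ".LOG2")
BASE_BLOCK_SIZE = 0x1000  # the regf header occupies the first 4 KiB of a hive
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 dwords before the checksum field at offset 0x1FC."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        xor ^= dword
    if xor == 0xFFFFFFFF:  # two reserved results per the on-disk format
        return 0xFFFFFFFE
    return xor or 1


def parse_base_block(data: bytes) -> dict:
    """Decode the regf base block; 'dirty' means the primary file was not
    cleanly flushed and .LOG1/.LOG2 must be replayed before analysis."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("shorter than a regf base block")
    block = data[:BASE_BLOCK_SIZE]
    (sig, seq1, seq2, filetime, major, minor, ftype, fformat,
     root_cell, bins_size) = struct.unpack_from("<4sIIQIIIIII", block, 0)
    stored_sum = struct.unpack_from("<I", block, 0x1FC)[0]
    last_written = EPOCH_1601 + timedelta(microseconds=filetime // 10)  # FILETIME is 100 ns ticks
    return {
        "signature_ok": sig == b"regf",
        "version": f"{major}.{minor}",
        "file_type": {0: "primary", 1: "log"}.get(ftype, f"unknown({ftype})"),
        "format": fformat,
        "sequence": (seq1, seq2),
        "dirty": seq1 != seq2,
        "checksum_ok": stored_sum == regf_checksum(block),
        "last_written_utc": last_written.isoformat(),
        "root_cell_offset": root_cell,
        "hive_bins_size": bins_size,
    }


def missing_files(present: list[str]) -> dict[str, list[str]]:
    """For every expected hive, list what is absent (the hive itself or its logs)."""
    names = {n.lower() for n in present}
    gaps = {}
    for hive in EXPECTED_HIVES:
        absent = [hive + s for s in ("",) + LOG_SUFFIXES if (hive + s).lower() not in names]
        if absent:
            gaps[hive] = absent
    return gaps


def hash_manifest(files: dict[str, bytes]) -> dict[str, dict[str, str]]:
    """MD5 and SHA1 per file, to match against the values FTK Imager displayed."""
    return {name: {"md5": hashlib.md5(blob).hexdigest(),
                   "sha1": hashlib.sha1(blob).hexdigest()} for name, blob in files.items()}


def build_sample_hive(seq1: int, seq2: int) -> bytes:
    """Constructed minimal hive (base block plus one empty bin) for offline testing."""
    block = bytearray(BASE_BLOCK_SIZE)
    ft = int((datetime(2021, 1, 1, tzinfo=timezone.utc) - EPOCH_1601).total_seconds() * 10_000_000)
    struct.pack_into("<4sIIQIIIIII", block, 0, b"regf", seq1, seq2, ft, 1, 5, 0, 1, 0x20, 0x1000)
    struct.pack_into("<I", block, 0x1FC, regf_checksum(block))
    return bytes(block) + b"hbin" + bytes(0x1000 - 4)


def main(folder: str) -> None:
    path = Path(folder)
    files = {p.name: p.read_bytes() for p in path.iterdir() if p.is_file()}
    for hive, absent in missing_files(list(files)).items():
        print(f"[!] {hive}: missing {', '.join(absent)}")
    for name in EXPECTED_HIVES:
        if name in files:
            info = parse_base_block(files[name])
            state = "DIRTY - replay logs" if info["dirty"] else "clean"
            print(f"{name}: regf={info['signature_ok']} v{info['version']} {state} "
                  f"checksum_ok={info['checksum_ok']} last_written={info['last_written_utc']}")
    for name, h in hash_manifest(files).items():
        print(f"{name} MD5={h['md5']} SHA1={h['sha1']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it against the folder that holds the exported hives (or the mounted .ad1 drive). A hive reported as dirty is not wrong evidence, but its primary file alone is stale: tools such as Registry Explorer and RegRipper should be pointed at the hive together with its .LOG1/.LOG2 files so the pending transactions are applied.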
Key Advantages
Integrity Verification: Ensures the acquired data hasn’t been tampered with, essential for legal admissibility.
Minimally Intrusive Process: FTK Imager reads the hives from the volume without modifying them, but any live acquisition leaves traces of its own on the host (the tool's execution, prefetch entries, its own registry keys). Run it from removable media and record the time and the steps taken so those artifacts can be accounted for during analysis.
Next Steps
After acquisition, the following steps will be covered:
Analyzing Registry Hives using tools like Regedit and forensic-specific software like Registry Explorer and RegRipper.
Identifying Key Artifacts such as user activity, malware persistence, and system configurations.
This method allows analysts to collect crucial forensic data efficiently and securely, forming the foundation for detailed analysis.