Regedit and Registry Explorer

Registry Analysis Tools Overview

Analyzing the Windows Registry is a fundamental part of forensic investigations. This lesson covers two key tools: Regedit for live system analysis and Registry Explorer for comprehensive live and offline hive analysis.


1. Regedit (Registry Editor)

Purpose:

Regedit is a built-in tool for viewing and editing the Windows Registry. It provides direct access to live registry keys and values, enabling users to explore system and application configurations in real time.

How to Access:

  • Search: Type Regedit in the taskbar search and open the application.

Key Features:

  • Hierarchical Navigation: Allows users to navigate through the registry tree structure, exploring keys and subkeys.

  • View Key Values: Displays associated data values in a simple interface.

  • Efficient Search: Quickly locate specific keys or values by going directly to known registry paths.

Example:

  • Exploring User Settings: Navigate to HKEY_CURRENT_USER to view user-specific configurations.

    • Subkeys like Software store application settings.

    • Key values reveal system preferences such as default printers or desktop backgrounds.


2. Registry Explorer by Eric Zimmerman

Purpose:

Registry Explorer enhances forensic analysis by supporting both live and offline hive analysis. It provides advanced features for parsing and examining registry data in depth.

Advantages Over Regedit:

  • Offline Hive Analysis: Analyze registry hives from external sources or disk images.

  • Transaction Log Parsing: Includes historical data by replaying the changes recorded in a hive's transaction log files.

  • User-Friendly Interface: Categorized views make navigating and analyzing data more efficient.


Analyzing Live Hives

Steps:

  1. Open Live System Hives:

    • From the File menu, select Open Hive.

    • Choose live hives like SAM, SYSTEM, or NTUSER.DAT.

  2. View Deleted or Modified Records:

    • Enable Associated Deleted Records to see previously deleted or modified entries.

Example:

  • SAM Hive Analysis:

    • Explore user accounts and associated security identifiers (SIDs).

    • Detect changes in user permissions or deleted accounts.


Analyzing Offline Hives

Steps:

  1. Unload Live Hives: From the File menu, select Unload Hive to close any live hives.

  2. Load Offline Hives:

    • Use Load Hive to open registry files from a mounted FTK image.

    • Select accompanying transaction logs when prompted to replay changes.

Example:

  • SECURITY Hive Analysis:

    • View and analyze access control policies.

    • Replay transaction logs to uncover changes in security settings over time.
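
A hive needs its transaction logs replayed when the primary and secondary sequence numbers in its header differ, which means the last write was not completed. The following Python code is an added example, not part of the original lesson or of Registry Explorer: it reads the 512-byte regf base block of an offline hive and reports whether the hive is dirty and whether the header checksum is intact. The function names are hypothetical and the sample headers are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

def regf_checksum(header: bytes) -> int:
    """XOR of the first 508 bytes read as 127 little-endian dwords."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:  # the format remaps the two reserved results
        return 0xFFFFFFFE
    return csum or 1

def inspect_hive_header(header: bytes) -> dict:
    """Parse the regf base block; 'dirty' means the logs should be replayed."""
    if len(header) < 512 or header[:4] != b"regf":
        raise ValueError("not a registry hive: missing regf signature")
    # Offset 4: primary sequence, 8: secondary sequence, 12: last-written FILETIME
    seq1, seq2, filetime = struct.unpack_from("<IIQ", header, 4)
    (stored,) = struct.unpack_from("<I", header, 508)
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    written = epoch + timedelta(microseconds=filetime // 10)
    # Offset 48: up to 64 bytes of UTF-16LE file name, NUL padded
    name = header[48:112].decode("utf-16-le", errors="replace").split("\x00")[0]
    return {"name": name, "last_written": written, "dirty": seq1 != seq2,
            "checksum_ok": stored == regf_checksum(header)}

def build_sample_header(seq1: int, seq2: int, name: str) -> bytes:
    """Constructed sample base block, not taken from a real system."""
    h = bytearray(512)
    h[0:4] = b"regf"
    struct.pack_into("<IIQ", h, 4, seq1, seq2, 133_500_000_000_000_000)
    raw = name.encode("utf-16-le")
    h[48:48 + len(raw)] = raw
    struct.pack_into("<I", h, 508, regf_checksum(bytes(h)))
    return bytes(h)

if __name__ == "__main__":
    # For a real hive: header = open(path_to_hive, "rb").read(512)
    for hdr in (build_sample_header(41, 41, "SECURITY"),
                build_sample_header(42, 41, "SECURITY")):
        info = inspect_hive_header(hdr)
        state = "dirty: load the transaction logs" if info["dirty"] else "clean"
        print(info["name"], info["last_written"].date(), state,
              "checksum ok" if info["checksum_ok"] else "checksum MISMATCH")
```

A checksum mismatch on an evidence file is worth recording before any tool is allowed to repair or replay the hive.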


Why This Matters

  • Regedit: Ideal for live system analysis, enabling quick insights into current configurations and system status.

  • Registry Explorer: Essential for forensic investigations, offering the ability to recover deleted data, view historical changes, and analyze offline hives.

These tools complement each other, providing a comprehensive approach to registry analysis in live environments and forensic investigations.
