HKEY_LOCAL_MACHINE -HKML
• location in a running Windows 7 OS computer
HKEY_LOCAL_MACHINE -HKML
•Examining a Non-Live Registry – Forensic Image of a Windows 7 computer
And what about user data?
•Each user of the system has their own user file
– NTUSER.DAT
•Different path for WINDOWS XP and 7 OS
•Hidden system files
NTUSER.DAT location in Windows XP
NTUSER.DAT location in Windows 7
Registry Files Examination
•Free Tools
–AccessData Registry Viewer
–MiTEC Windows Registry Recovery
–Registry Browser
–RegReport (automatically creates reports of information)
•https://ad-pdf.s3.amazonaws.com/Registry_Quick_Find_Chart_9- 27-10.pdf
•Find Registry Offsets (e.x. AccessData FTK Imager)
•https://ad-pdf.s3.amazonaws.com/Registry%20Offsets%209-8- 08.pdf
From Forensics point of view
Examples
•Registered Owner details
•UserAssist
•HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Windows NT\CurrentVersion
•HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Explorer\UserAssist
Free tool: http://www.nirsoft.net/utils/userassist_view.html