Analyzing the Windows Registry
The Windows Registry is one of the essential components of current Microsoft Windows operating systems and is therefore also a very important source of evidence in a forensic investigation. It performs two critical tasks for the Windows operating system. First, it is the repository of settings for the Windows operating system and for the applications installed on the system. Second, it is the database of the configuration of all installed hardware. Microsoft defines the registry as follows:
"A central hierarchical database used in Microsoft Windows 98, Windows CE, Windows NT, and Windows 2000 used to store information that is necessary to configure the system for one or more users, applications and hardware devices." (Microsoft Computer Dictionary)
In the following sections, we will explain several elements of the Windows Registry that may be important to a forensic investigator and that help in understanding where to find the most valuable indicators. We will...