
CH5: Windows Registry Forensics

Chapter Overview

In Chapter 4, we focused on the physical layer of digital forensics: hard drives, partitions, and file systems. We learned how data is magnetically or electrically stored and how the Master File Table (MFT) acts as a map to locate that data. However, finding a file is only half the battle. To solve a crime, an investigator usually needs to answer questions that the file system cannot: Who opened the file? When did they plug in the USB drive? Where was the laptop when it connected to the internet?

To answer these questions, we must move up the stack into the Operating System itself. In the Microsoft Windows environment, the answers to these questions are found in the Windows Registry.

Often described as the "nervous system" of Windows, the Registry is a massive, hierarchical database that stores configuration settings for the hardware, the operating system, and the user's applications. It is dynamic, constantly changing, and meticulously records the user's interactions with the computer. For the digital investigator, the Registry is often the primary source of evidence for attribution—linking a specific action to a specific user account.

This chapter explores the architecture of the Registry, identifies the physical files you must acquire during an investigation, and teaches you how to parse specific artifacts to reconstruct user activity, network history, and device usage.

Learning Objectives

By the end of this chapter, students will be able to:

  • Define the logical structure of the Windows Registry, including Hives, Keys, Values, and Data Types.
  • Identify the five standard Root Keys (HKLM, HKCU, HKU, HKCR, HKCC) and their purposes.
  • Locate and differentiate between System Hives and User Hives on a forensic image.
  • Explain the function of Transaction Logs and demonstrate how to clean a "Dirty Hive".
  • Identify critical system configuration artifacts, including Timezone settings and Computer Name.
  • Conduct a forensic analysis of USB device history and Network connection history.
  • Reconstruct user activity using the "Registry Trilogy" (UserAssist, RecentDocs, RunMRU), BAM/DAM, and WordWheelQuery.
  • Detect basic malware persistence mechanisms in Autostart keys.
  • Utilize reference tables to quickly locate evidentiary artifacts across all major hives.

5.1 Registry Architecture and Fundamentals

To the casual user, the Registry is a scary place they are told never to touch. To the forensic examiner, it is a structured dataset waiting to be queried. To navigate it effectively, you must understand both its logical structure (how it looks in a viewer) and its physical structure (how it sits on the disk).

The Logical Structure

When viewing the Registry through a tool like the built-in Windows regedit.exe or a forensic tool like Registry Viewer, it appears as a tree-like structure similar to a file system. However, the terminology is different.

  • Hives: The root folders or major sections of the Registry. These represent the highest level of organization.
  • Keys: These act like sub-folders. They can contain other keys (sub-keys) or values.
  • Values: These are the actual data items, functioning somewhat like files. A Value consists of a name, a data type, and the data itself.

The Root Keys

When you first open a registry editor, you are presented with five "Root Keys." These are the entry points into the database. In forensics, we often refer to them by their standard abbreviations (e.g., HKLM). It is critical to understand that some of these are Master Keys (stored on disk) and some are Derived Keys (links created in memory at boot).

  1. HKEY_LOCAL_MACHINE (HKLM):

    • Description: Contains configuration data for the physical computer (Hardware, Drivers, OS Settings), regardless of which user is logged in.
    • Forensic Value: This is where we find the SYSTEM and SOFTWARE hives. It is the primary source for device history and system timezone.
  2. HKEY_USERS (HKU):

    • Description: Contains the loaded profiles for all currently active users (and the generic system profiles).
    • Forensic Value: If a machine is live, this allows you to see the registry settings for every logged-in user simultaneously.
  3. HKEY_CURRENT_USER (HKCU):

    • Description: A pointer (link) to the profile of the user currently interacting with the system. It maps directly to a specific SID subkey inside HKEY_USERS.
    • Forensic Value: In a live investigation, this is the quickest way to see what the suspect is doing right now. In a dead-box investigation, this key does not exist; we examine the NTUSER.DAT file instead.
  4. HKEY_CLASSES_ROOT (HKCR):

    • Description: Stores information about file associations and Object Linking and Embedding (OLE). It tells Windows that .docx files should be opened by Microsoft Word.
    • Forensic Value: Can be used to identify malware that has "hijacked" a file extension to execute malicious code.
  5. HKEY_CURRENT_CONFIG (HKCC):

    • Description: Contains information about the hardware profile currently being used by the local computer system.
    • Forensic Value: Rarely used in standard investigations but can be relevant in complex hardware analysis.

Data Types

Windows stores data in the Registry in specific formats. Understanding these is crucial because forensic tools will often present the raw data, and you must know how to interpret it.

  • REG_SZ (String): A fixed-length text string. This is human-readable text, such as a file path or a URL.
  • REG_BINARY: Raw binary data. This is often displayed in Hexadecimal. Hardware settings and proprietary application data are often stored here. You may need to export this data and decode it to make sense of it.
  • REG_DWORD (Double Word): A 32-bit number. This is frequently used for boolean (True/False) switches (0 for Off, 1 for On) or counters (e.g., how many times a program was run).
  • REG_MULTI_SZ: A list of strings. For example, a list of IP addresses or hardware identifiers.

The "Last Write Time"

One of the most powerful features of the Registry for forensics is that Registry Keys have timestamps, similar to how folders have "Date Modified" timestamps. This is called the Last Write Time.

Whenever a Value inside a Key is modified, the parent Key's Last Write Time is updated.

  • Forensic Implication: If a suspect runs a wiping tool, the registry key associated with that tool will update its timestamp. Even if the tool itself is deleted, the Registry timestamp proves when the configuration was last changed, helping you build a timeline of the cover-up.

5.2 Hives on Disk: The Physical Files

A common misconception among IT beginners is that the Registry is a single large file. In reality, the Registry is composed of several distinct files called Hives. When Windows boots, it locates these files on the hard drive and stitches them together to form the logical tree structure seen in regedit.

In a "Dead Box" investigation (where the computer is powered off), you cannot open the Registry Editor. Instead, you must locate, extract, and parse these specific hive files from the forensic image.

System Hives

System Hives contain configuration data that applies to the entire computer, regardless of which user is logged in. These map to HKLM.

Location: %SystemRoot%\System32\config\ (Typically C:\Windows\System32\config\)

There are five core System Hives you must know:

  1. SAM (Security Accounts Manager): Contains local user account information and password hashes.
  2. SYSTEM: The most critical hive for hardware analysis. It contains USB history, time zone settings, and the computer name.
  3. SOFTWARE: Contains configuration settings for the operating system and installed applications.
  4. SECURITY: Contains local security policies.
  5. DEFAULT: The template hive used when a new user account is created.

User Hives

User Hives contain settings specific to a single user account. Every user on the system has their own set of files. These map to HKU.

Primary Location: C:\Users\<username>\NTUSER.DAT (Hidden file).
Secondary Location: C:\Users\<username>\AppData\Local\Microsoft\Windows\UsrClass.dat (Contains Shellbags).

Investigator Tip: If you are investigating a shared computer, you must export the NTUSER.DAT file for every user profile. Evidence of a crime might exist in "User A's" hive but not in "User B's."

Transaction Logs and "Dirty Hives"

To understand why investigators often find evidence missing from Registry hives, we must first understand how the Registry saves data. The Registry functions as a database. Like any modern database, it prioritizes speed and stability.

Understanding Transaction Logs

When a change is made to the Registry (e.g., a user plugs in a USB drive), Windows does not immediately write that data to the main hive file (like SYSTEM or NTUSER.DAT). Writing directly to the main file every millisecond would be slow and could corrupt the file if the computer crashed during the write process.

Instead, Windows uses Transaction Logs.

  1. The Scratchpad: Windows writes the new data to a temporary log file (ending in .LOG1 or .LOG2) first. This is fast and acts like a "scratchpad."
  2. The Flush: Later, when the system is idle or shutting down, Windows moves the data from the .LOG file into the main .DAT hive file.

The "Dirty Hive" Problem

In digital forensics, we rarely encounter computers that were shut down gracefully. Often, the suspect pulls the power cord to hide activity, or law enforcement performs a hard shutdown to preserve RAM.

When power is cut instantly, Step 2 (The Flush) never happens. This results in a Dirty Hive. The main hive file on the disk is "out of sync" with the transaction logs. The main file contains old data, while the evidence of the most recent activity (the "smoking gun") exists only inside the .LOG files.

How to Clean a Dirty Hive

If you open a dirty hive in a basic viewer, you will miss the recent evidence. To see the complete picture, you must "replay" the logs, merging the data from the .LOG files into the main hive.

  1. Tooling: We use Registry Explorer (by Eric Zimmerman).
  2. Detection: When you load a hive into Registry Explorer, it automatically looks for .LOG files in the same directory.
  3. Prompt: It will alert you: "Dirty hive detected. Do you want to replay transaction logs?"
  4. Action: You must select Yes. The tool will parse the logs, apply the pending changes to the hive in memory, and present you with a "Clean" hive containing the most up-to-date data.
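The dirty state can also be confirmed before a hive is loaded into any viewer. As an added example (not part of the chapter and not Registry Explorer's code), the script below reads the REGF base block at the start of a hive file: the offsets it uses are those of the REGF on-disk format, and the two sample headers are constructed inline rather than read from a real hive.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
BASE_BLOCK_MIN = 0x30  # only the first few fields of the 4 KiB base block are needed


def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_base_block(data):
    """Parse the start of a hive's REGF base block.

    Offsets (REGF on-disk format):
      0x00  signature "regf"
      0x04  primary sequence number   (bumped when a write to the hive begins)
      0x08  secondary sequence number (bumped when that write has been flushed)
      0x0C  last written timestamp    (FILETIME)
    """
    if len(data) < BASE_BLOCK_MIN or data[:4] != REGF_MAGIC:
        raise ValueError("not a REGF hive: bad signature or truncated header")
    primary, secondary, last_written = struct.unpack_from("<IIQ", data, 4)
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "last_written_utc": filetime_to_utc(last_written),
        # Unequal sequence numbers mean a write started but was never flushed
        # (the hard-shutdown case): the hive is dirty and the .LOG1/.LOG2
        # transaction logs must be replayed before its contents are trusted.
        "dirty": primary != secondary,
    }


def check_hive_file(path):
    """Report the dirty state of an exported hive and which transaction logs sit beside it."""
    with open(path, "rb") as fh:
        info = parse_base_block(fh.read(BASE_BLOCK_MIN))
    info["logs_present"] = [
        path + suffix for suffix in (".LOG1", ".LOG2") if os.path.exists(path + suffix)
    ]
    return info


# Constructed sample headers (not real hive files): a clean hive, and one whose
# secondary sequence number lags the primary, which is what a dirty hive looks like.
def make_header(primary, secondary, filetime):
    hdr = bytearray(BASE_BLOCK_MIN)
    hdr[:4] = REGF_MAGIC
    struct.pack_into("<IIQ", hdr, 4, primary, secondary, filetime)
    return bytes(hdr)


SAMPLE_FILETIME = 133500000000000000  # constructed; FILETIME for 2024-01-17 21:20:00 UTC
CLEAN_HEADER = make_header(5, 5, SAMPLE_FILETIME)
DIRTY_HEADER = make_header(7, 6, SAMPLE_FILETIME)

if __name__ == "__main__":
    for label, hdr in (("clean", CLEAN_HEADER), ("dirty", DIRTY_HEADER)):
        print(label, parse_base_block(hdr))
```

Run check_hive_file("SYSTEM") against an exported hive to see whether it is dirty and whether the matching .LOG1/.LOG2 files were exported alongside it, since replaying is impossible without them.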

5.3 System Configuration: Establishing the Baseline

Before hunting for specific evidence, the investigator must establish the "baseline" of the system.

Understanding ControlSets (CurrentControlSet vs. ControlSet00x)

When viewing the Registry on a live computer, nearly every tutorial will tell you to navigate to HKLM\SYSTEM\CurrentControlSet. This is where all the active hardware and service configurations live.

However, if you open a forensic image of a SYSTEM hive, you will notice something confusing: CurrentControlSet is missing. Instead, you will see keys named ControlSet001, ControlSet002, and so on.

The Concept: CurrentControlSet is simply a pointer (like a shortcut) that Windows creates while the Operating System is running. It points to whichever ControlSet00x was used to boot the computer. On the disk (and in your forensic image), only the numbered sets exist.

The Select Key: To know which ControlSet to analyze, you must check the Select key.

Hive: SYSTEM
Key Path: Select

This key contains values that tell you which set is which:

  • Current: The ID of the ControlSet used during the most recent boot. (e.g., if the value is 1, map it to ControlSet001).
  • Failed: The ID of a ControlSet that failed to boot (useful for troubleshooting crashes).
  • LastKnownGood: The ID of the stable configuration saved during the last successful boot.

Forensic Rule: Always check SYSTEM\Select first. If Current = 1, you must perform all your analysis (USB, Timezone, Services) inside ControlSet001.

Timezone Information

Hive: SYSTEM
Key Path: ControlSet001\Control\TimeZoneInformation

Digital forensics relies entirely on accurate timelines. However, file systems often store time in UTC, while the Registry stores some times in local time. To correlate events, you must know the system's offset.

  • ActiveTimeBias: The current offset from UTC in minutes. If you fail to check this key, your timeline could be off by several hours, potentially ruining an alibi verification.

Computer Name and Version

Hive: SYSTEM
Key Path: ControlSet001\Control\ComputerName\ComputerName
Hive: SOFTWARE
Key Path: Microsoft\Windows NT\CurrentVersion

Verifying the ComputerName ensures you are examining the correct asset. The CurrentVersion key provides the "Install Date" and "Registered Owner," helping establish how long the OS has been active.


5.4 Hardware Forensics: USB and Devices

One of the most common scenarios in modern investigations is Data Exfiltration—stealing data via external drives. Windows tracks USB devices extensively.

Step 1: Identification (USBSTOR)

Hive: SYSTEM
Key Path: ControlSet001\Enum\USBSTOR

When a USB device is plugged in, Windows creates a sub-key here. It reveals:

  • Vendor & Product: (e.g., SanDisk, Seagate).
  • Serial Number: A unique alphanumeric string.

The Serial Number is the critical link. If you find a physical USB drive, you can compare its serial number to the USBSTOR key to prove that specific drive was connected to the computer.

Step 2: Mapping to Drive Letters (MountedDevices)

Hive: SYSTEM
Key Path: MountedDevices

Knowing a USB drive was connected is useful, but we need to know the drive letter (e.g., F:) to link it to user activity. This key maps the unique device identifier to the assigned drive letter.

Step 3: The Timeline

Determining when the device was used completes the puzzle.

  • First Install: Cross-reference with setupapi.dev.log (a text log in C:\Windows\inf).
  • Last Arrival: The "Last Write Time" of the specific USB registry key often indicates the last connection.
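Steps 1 and 2 carried through in code, as an added example that is not part of the chapter: it assumes USBSTOR device keys follow the Disk&Ven_&Prod_&Rev_ naming with the serial as a sub-key, and that MountedDevices stores USB volume data as a UTF-16LE device path ending in the disk interface class GUID. All USBSTOR and MountedDevices entries below are constructed samples.

```python
# GUID_DEVINTERFACE_DISK, the suffix Windows puts on USB volume device paths.
DISK_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"


def parse_usbstor(device_key, serial_key):
    """Split a USBSTOR device key (Disk&Ven_X&Prod_Y&Rev_Z) and its serial sub-key."""
    info = {"device_key": device_key, "serial_key": serial_key}
    parts = device_key.split("&")
    info["device_type"] = parts[0]
    for part in parts[1:]:
        for prefix, name in (("Ven_", "vendor"), ("Prod_", "product"), ("Rev_", "revision")):
            if part.startswith(prefix):
                info[name] = part[len(prefix):]
    # Windows appends "&<instance>" to the serial it recorded. If the SECOND character
    # is "&", the device reported no serial and Windows generated one, so the value
    # cannot be matched to a physical drive with confidence.
    info["serial"] = serial_key.rsplit("&", 1)[0]
    info["serial_unique"] = len(serial_key) > 1 and serial_key[1] != "&"
    return info


def decode_mounted_device(raw):
    """MountedDevices data for USB volumes is a UTF-16LE device path. Fixed-disk entries
    are 12 bytes (MBR signature + partition offset) and yield None here."""
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if "USBSTOR#" in text else None


def correlate(usbstor_entries, mounted_devices):
    """Link every USBSTOR serial to the drive letters and volume GUIDs in MountedDevices."""
    results = []
    for device_key, serial_key in usbstor_entries:
        dev = parse_usbstor(device_key, serial_key)
        dev["drive_letters"], dev["volume_guids"] = [], []
        for value_name, raw in mounted_devices.items():
            path = decode_mounted_device(raw)
            if not path or f"#{serial_key}#" not in path:
                continue
            if value_name.startswith("\\DosDevices\\"):
                dev["drive_letters"].append(value_name.rsplit("\\", 1)[1])
            elif value_name.startswith("\\??\\Volume"):
                dev["volume_guids"].append(value_name[len("\\??\\"):])
        results.append(dev)
    return results


# Constructed sample data mimicking the on-disk formats (not taken from a real system).
def usb_volume_path(device_key, serial_key):
    return f"_??_USBSTOR#{device_key}#{serial_key}#{DISK_INTERFACE_GUID}".encode("utf-16-le")


SAMPLE_USBSTOR = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00", "4C530001230920104253&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&2a1b3c4d&0"),  # Windows-generated serial
]
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": b"\x12\x34\x56\x78" + (1048576).to_bytes(8, "little"),  # fixed disk
    "\\DosDevices\\F:": usb_volume_path(*SAMPLE_USBSTOR[0]),
    "\\??\\Volume{a1b2c3d4-5e6f-4a7b-8c9d-0e1f2a3b4c5d}": usb_volume_path(*SAMPLE_USBSTOR[0]),
}

if __name__ == "__main__":
    for dev in correlate(SAMPLE_USBSTOR, SAMPLE_MOUNTED):
        print(dev)
```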

5.5 User Activity: The "Registry Trilogy" and Execution History

While the SYSTEM hive tracks hardware, the NTUSER.DAT hives track human behavior.

UserAssist (Program Execution)

Hive: NTUSER.DAT
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

This key tracks executed applications to populate the Start Menu.

  • ROT13: Program names are obfuscated using ROT13 (e.g., cmd.exe -> pzq.rkr).
  • Data: Provides the Program Name, Run Counter, and Last Execution Time.
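The following added example (not from the chapter) decodes one UserAssist value and places its timestamp on both the UTC and the system-local clock using ActiveTimeBias from Section 5.3. It assumes the Windows 7 and later 72-byte value layout, and that the values sit under {GUID}\Count sub-keys below the UserAssist key; the value name, data and bias are constructed samples.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

USERASSIST_ENTRY_LEN = 72  # Windows 7 and later


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def to_local(dt_utc, active_time_bias):
    """Apply ActiveTimeBias from SYSTEM\\...\\Control\\TimeZoneInformation.

    The bias is in minutes and satisfies UTC = local + bias, so UTC-8 is stored as 480.
    """
    return dt_utc.astimezone(timezone(timedelta(minutes=-active_time_bias)))


def decode_userassist(value_name, value_data):
    """Decode one value under UserAssist\\{GUID}\\Count.

    Assumed Windows 7+ layout of the 72-byte data:
      0x00 session id, 0x04 run count, 0x08 focus count,
      0x0C focus time in ms, 0x3C last execution FILETIME.
    """
    if len(value_data) < USERASSIST_ENTRY_LEN:
        raise ValueError("UserAssist data shorter than the Windows 7+ layout")
    program = codecs.decode(value_name, "rot_13")  # ROT13 only touches A-Z / a-z
    run_count, focus_count, focus_ms = struct.unpack_from("<III", value_data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "program": program,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means the entry was never launched from the GUI.
        "last_run_utc": filetime_to_utc(last_run_ft) if last_run_ft else None,
    }


def timeline_row(value_name, value_data, active_time_bias):
    """One reconstructed timeline entry carrying both UTC and system-local time."""
    entry = decode_userassist(value_name, value_data)
    entry["last_run_local"] = (
        to_local(entry["last_run_utc"], active_time_bias) if entry["last_run_utc"] else None
    )
    return entry


# Constructed sample (not taken from a real hive). The value name is stored ROT13
# encoded, so a plain path is encoded here the same way Windows would store it.
def make_userassist_data(run_count, focus_count, focus_ms, last_run_ft):
    data = bytearray(USERASSIST_ENTRY_LEN)
    struct.pack_into("<IIII", data, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, last_run_ft)
    return bytes(data)


SAMPLE_NAME = codecs.encode(r"C:\Windows\System32\cmd.exe", "rot_13")  # P:\Jvaqbjf\Flfgrz32\pzq.rkr
SAMPLE_DATA = make_userassist_data(14, 3, 95000, 133500000000000000)  # FILETIME = 2024-01-17 21:20 UTC
SAMPLE_BIAS = 480  # ActiveTimeBias of a UTC-8 system

if __name__ == "__main__":
    print(timeline_row(SAMPLE_NAME, SAMPLE_DATA, SAMPLE_BIAS))
```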

RecentDocs (File Knowledge)

Hive: NTUSER.DAT
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

This key tracks the last files opened via Windows Explorer, organized by extension.

  • Significance: It proves "File Knowledge." If illegal files appear here, the user navigated to and opened them; they didn't just sit on the drive unnoticed.

RunMRU (Intent)

Hive: NTUSER.DAT
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

This key tracks commands typed into the Windows "Run" box (Win+R).

  • Forensic Value: Commands like cmd, powershell, or regedit indicate a "Power User" with specific intent, rather than accidental clicking.

BAM/DAM (Execution Evidence)

Hive: SYSTEM
Key Path: ControlSet001\Services\bam\State\UserSettings\<SID>

Introduced in Windows 10 (version 1709), the Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) are services designed to manage background program activity to save battery power.

For forensics, this is a goldmine. While UserAssist requires a user to interact with the GUI (clicking icons), BAM tracks executables even if they run in the background. It provides:

  • Full Path: The exact location of the executable (e.g., C:\Temp\Malware.exe).
  • Last Execution Time: A highly accurate timestamp of when the program was last run.

If a suspect wipes their UserAssist keys to hide their tracks, they often forget (or don't know about) BAM/DAM in the SYSTEM hive.

WordWheelQuery (Search Terms)

Hive: NTUSER.DAT
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Have you ever typed a search term into the search box in the top-right corner of File Explorer? Windows remembers these terms to offer auto-complete suggestions in the future.

  • Forensic Value: This key contains the keywords the user typed. Finding searches for terms like "delete evidence," "how to hide files," or specific names related to the case provides powerful evidence of intent and state of mind.

5.6 Network History and Geolocation

The Registry keeps a history of networks the computer has connected to. For laptops, this is essentially a physical location tracker.

Network List Profiles (The "Where")

Hive: SOFTWARE
Key Path: Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Every time a Windows computer connects to a new network (WiFi or Ethernet), it creates a profile (GUID).

  • ProfileName: The name of the network (e.g., "Starbucks_WiFi", "Airport_Guest", "Corporate_Secure").
  • DateCreated / DateLastConnected: When the user first visited that location and when they were last there.

Forensic Application: If a suspect claims, "I was at home all night," but you find a Network Profile for "Motel_6_Guest" with a DateLastConnected timestamp during the time of the crime, you have disproved their alibi.

Interfaces (The "How")

Hive: SYSTEM
Key Path: ControlSet001\Services\Tcpip\Parameters\Interfaces

This key stores the configuration for network adapters, including:

  • IPAddress: Static IPs if assigned.
  • DhcpIPAddress: The IP assigned by the router.
  • DhcpServer: The IP of the router (Gateway).

5.7 Persistence and Malware Hunting

When a malicious actor (or malware) infects a system, their primary goal is Persistence. They want their malicious code to run automatically every time the computer reboots. The Registry is the most common place to hide these "Autostart" mechanisms.

The "Run" Keys

Hive: SOFTWARE (System-wide) and NTUSER.DAT (User-specific)
Key Path: Software\Microsoft\Windows\CurrentVersion\Run
Key Path: Software\Microsoft\Windows\CurrentVersion\RunOnce

Any program listed in these keys will launch automatically when Windows starts (for SOFTWARE) or when that specific user logs in (for NTUSER.DAT).

  • Investigation: Look for suspicious executable names, programs running from temporary folders (e.g., AppData\Local\Temp), or random filenames (e.g., a8f93.exe).

Services

Hive: SYSTEM
Key Path: ControlSet001\Services

Malware often installs itself as a Service (like a print spooler or update helper) to run in the background with high privileges (SYSTEM level).

  • Analysis: This key lists every service on the machine. Investigators look for services with descriptions that don't match the executable, or services pointing to suspicious paths.

5.8 Scenario: The Insider Threat

The Case: "TechCorp" suspects departing employee John Doe stole source code. He wiped his laptop, but a backup exists.

The Analysis:

  1. Baseline: Timezone is UTC-8.
  2. USB: USBSTOR shows a "Seagate Expansion" (Serial NA789234) connected at 4:45 PM on his last day.
  3. Mapping: MountedDevices maps this serial to drive D:.
  4. Activity: NTUSER.DAT reveals:
    • UserAssist: xcopy.exe ran at 4:50 PM.
    • RunMRU: Command D:\SourceCode_Backup was typed.
    • RecentDocs: .cpp files opened from D:.

Conclusion: Registry artifacts prove John connected a specific drive, navigated to a backup folder, and copied files, proving the theft.


5.9 Registry Reference Cheat Sheet

This section serves as a quick reference guide for your investigations. Use these tables to quickly locate evidence.

SYSTEM Hive

Location: C:\Windows\System32\config\SYSTEM
Content: Hardware, Timezone, USB, Network.

Artifact Name | Key Path (Start with CurrentControlSet) | Description / Forensic Value
Select | Select (Root of hive) | Determines which ControlSet (001, 002) is active.
BAM/DAM | Services\bam\State\UserSettings | Background Activity Moderator. Tracks program execution paths and times.
Timezone | Control\TimeZoneInformation | Determines the system's time offset from UTC. Essential for timelines.
Computer Name | Control\ComputerName\ComputerName | Verifies the identity of the machine.
USB History | Enum\USBSTOR | List of USB devices (Vendor, Model, Serial Number) ever connected.
Drive Letters | MountedDevices (Root of hive) | Maps Volume GUIDs/Serials to Drive Letters (e.g., E:, F:).
Shimcache | Control\Session Manager\AppCompatCache | Evidence of file execution (even if deleted).
Network Interfaces | Services\Tcpip\Parameters\Interfaces | IP addresses, Subnet masks, and DHCP server info.
Services | Services | List of all system services. Critical for malware persistence hunting.
Last Shutdown | Control\Windows | "ShutdownTime" value indicates the last graceful shutdown.

SOFTWARE Hive

Location: C:\Windows\System32\config\SOFTWARE
Content: OS Version, Installed Software, Global Autostarts.

Artifact Name | Key Path | Description / Forensic Value
OS Version | Microsoft\Windows NT\CurrentVersion | Install Date, Registered Owner, Version Release.
Network Profiles | Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles | History of connected networks (WiFi names). Proves geolocation/travel.
Run Key (Global) | Microsoft\Windows\CurrentVersion\Run | Programs that start automatically for any user.
Winlogon | Microsoft\Windows NT\CurrentVersion\Winlogon | "Userinit" and "Shell" values are often hijacked by malware.
Uninstall | Microsoft\Windows\CurrentVersion\Uninstall | List of installed applications and dates.

SAM Hive

Location: C:\Windows\System32\config\SAM
Content: User Accounts and Groups.

Artifact Name | Key Path | Description / Forensic Value
Users | SAM\Domains\Account\Users | List of local user accounts (RID, Last Login, Last Password Change).
Groups | SAM\Domains\Account\Aliases | Local group membership (e.g., who is in the "Administrators" group?).

NTUSER.DAT Hive

Location: C:\Users\<User>\NTUSER.DAT
Content: User Activity (The "Pattern of Life").

Artifact Name | Key Path (Software\Microsoft\Windows\CurrentVersion...) | Description / Forensic Value
UserAssist | ...\Explorer\UserAssist | ROT13 encoded list of GUI programs executed and run counts.
WordWheelQuery | ...\Explorer\WordWheelQuery | Keywords searched in File Explorer search bar.
RecentDocs | ...\Explorer\RecentDocs | Recent files opened via Explorer (by extension).
RunMRU | ...\Explorer\RunMRU | Commands typed into the "Run" box (Win+R).
TypedPaths | ...\Explorer\TypedPaths | Paths typed directly into the Explorer address bar.
Run Key (User) | ...\Run | Programs that start automatically only for this user.
MountPoints2 | ...\Explorer\MountPoints2 | History of mapped drives and remote shares accessed.
IE Typed URLs | Software\Microsoft\Internet Explorer\TypedURLs | Websites typed manually into IE (Legacy but still relevant).

5.10 Forensic Tools: Acquisition and Analysis

In the field of digital forensics, tools are generally divided into two categories: Commercial (expensive, comprehensive support) and Open Source/Free (community-driven, highly specialized). For this course, and often in professional incident response, we rely heavily on free tools developed by the forensic community.

Acquisition Tools

You cannot simply copy/paste Registry files because they are locked by Windows while running. You need tools that can bypass these locks or parse the raw disk.

  • FTK Imager (AccessData/Exterro): The standard entry-level tool. It allows you to mount a forensic image (or view a live drive), navigate the file system, and right-click to "Export" specific files like SYSTEM and NTUSER.DAT. It handles the file locking mechanism automatically.
  • KAPE (Kroll Artifact Parser and Extractor): Developed by Eric Zimmerman, KAPE is a command-line tool (with a GUI wrapper) designed to collect artifacts at lightning speed. Instead of imaging the whole drive, KAPE can be scripted to "Go get all Registry Hives" and copy them to a destination folder in seconds.

Analysis Tools

Once you have extracted the hive files to your analysis machine, you need a viewer to interpret them.

  • Registry Explorer (Eric Zimmerman): This is currently the industry standard for deep-dive Registry analysis.

    • Pros: It is free, handles "Dirty Hives" by replaying logs, has a bookmarking system for common evidence (like USBSTOR or UserAssist), and decodes ROT13 and binary data automatically.
    • Usage: You simply drag and drop your hives into the window.
  • RegRipper (Harlan Carvey): RegRipper is widely used for automation. It is not a viewer; it is a parser.

    • How it works: You point it at a hive file, and it runs a series of "plugins" against it. It outputs a text or report file summarizing what it found.
    • Use Case: Excellent for quickly triaging a system to see "What USBs were plugged in?" without manually clicking through keys.

5.11 Chapter Summary

The Windows Registry is the backbone of forensic attribution. It provides the context that raw file analysis lacks.

  • Structure: Physically stored in Hives (SYSTEM, SOFTWARE, NTUSER.DAT) and logically organized into Keys and Values.
  • Root Keys: The five main entry points (HKLM, HKCU, HKU, HKCR, HKCC) provide logical access to the underlying hive files.
  • Dirty Hives: Windows writes changes to Transaction Logs (.LOG) before the main hive. You must use tools like Registry Explorer to replay these logs or risk missing recent evidence.
  • ControlSets: On disk, CurrentControlSet does not exist. Investigators must use the SYSTEM\Select key to identify the active ControlSet00x.
  • Hardware: USBSTOR and MountedDevices allow you to link physical devices to the system.
  • Network: NetworkList profiles can track the physical location of a laptop by the WiFi networks it connected to.
  • Persistence: Malware hides in Run keys and Services to survive reboots.
  • User Activity: The "Trilogy" (UserAssist, RecentDocs, RunMRU), combined with BAM/DAM and WordWheelQuery, builds the pattern of life.