Chapter 6: The Registry

The Microsoft Windows registry is the core repository for both operating system and application-specific settings. Information pertaining to the configuration and customization of Windows is stored in a series of hierarchical structures, accessible through a common interface. For the computer investigator, the registry provides a rich source of information on computer settings and activities ranging from identifying installed software to finding website passwords.

History

Legacy DOS operating systems stored their small amounts of configuration and customization information in two files: config.sys and autoexec.bat. Both of these files still exist, even in Windows 2003, for backwards compatibility. Early versions of Microsoft Windows built upon this configuration structure by storing additional configuration information for the operating system and applications as text-based settings stored in INI files. Like the autoexec.bat and config.sys files, INI files still exist in all versions of Windows.

To consolidate the information stored in these locations as well as provide structure to it (there were no hierarchical relationships between settings in the INI files), Microsoft introduced the registry in Windows 3.1 and expanded it to be the primary source of Windows settings in Windows 95. The registry provided structure as well as consolidation for the various operating system and application settings. A pre-defined hierarchy of keys was introduced, and applications could create their own subhierarchies as needed.

Since Windows 95, the registry has evolved considerably. The latest versions of the registry in Windows XP and 2003 are complex structures, and finding specific pieces of information in them relevant to an investigation can be challenging. Because of Microsoft's reliance on the registry for both information storage and retrieval, understanding the registry structure is essential to conducting a complete forensic analysis.
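The two ideas above (a pre-defined hierarchy of keys under which applications create their own subhierarchies, and the investigator's use of that hierarchy to identify installed software) can be seen directly on a live system. The following PowerShell is an added example, not code from the book: it walks a small part of the key tree to show the hierarchy, then reads each application's subkey under the per-machine Uninstall keys. It assumes a Windows host with PowerShell 5.1 or later and read access to HKLM; the Uninstall key paths are the standard locations, not values taken from the text, and nothing here writes to the registry.

```powershell
# Added example (not from the book). Read-only inspection of the registry hierarchy.

# Depth-limited walk of a key tree: each line is one subkey, indented by its level,
# with the number of values it holds. This makes the "subhierarchy" structure visible.
function Show-RegistryTree {
    param(
        [string] $Path,
        [int]    $Depth = 2,
        [int]    $Level = 0
    )
    if ($Level -gt $Depth) { return }
    $indent = '  ' * $Level
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        "$indent$($_.PSChildName)  [$($_.ValueCount) values]"
        Show-RegistryTree -Path $_.PSPath -Depth $Depth -Level ($Level + 1)
    }
}

# Standard per-machine Uninstall locations (64-bit view and the 32-bit WOW6432Node view).
# These paths are assumed here; they are not quoted from the book.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# One subkey per application; the values on that subkey are the application's settings.
function Get-InstalledSoftware {
    param([string[]] $Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            # Entries without a DisplayName are usually patches or hidden components; skip them.
            if ($props.DisplayName) {
                [PSCustomObject]@{
                    DisplayName    = $props.DisplayName
                    DisplayVersion = $props.DisplayVersion
                    InstallDate    = $props.InstallDate   # yyyymmdd string when present
                    Publisher      = $props.Publisher
                    KeyPath        = $_.Name              # where in the hierarchy it was found
                }
            }
        }
    }
}

# Show the first two levels under the per-user Software key, then the installed software list.
Show-RegistryTree -Path 'HKCU:\SOFTWARE' -Depth 1

Get-InstalledSoftware -Paths $uninstallKeys |
    Sort-Object -Property DisplayName |
    Format-Table -Property DisplayName, DisplayVersion, InstallDate, Publisher -AutoSize
```

On a forensic image rather than a live host the same subkeys are read from the SOFTWARE hive file with an offline hive parser; the key paths are the same, only the access method changes.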

Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel