registry - DEPARTMENT OF COMPUTER & INFORMATION...

Slide 1: Registry (Windows NT, 2000 & XP)
Department of Computer & Information Technology

Slide 2: Learning Objectives
The student will be able to:
  - Identify the name and location of the registry files and backups
  - Understand how the registry is structured
  - Recognize some possible search terms
  - Locate, extract and document information that may be of forensic interest in the registry
Slide 3: Windows NTx Registry
A central hierarchical database that stores the information necessary to configure the system for one or more users, applications and hardware devices.

Slide 4: Windows NTx Registry
There are five root keys:
  HKEY_CLASSES_ROOT    (HKCR)
  HKEY_CURRENT_USER    (HKCU)
  HKEY_LOCAL_MACHINE   (HKLM)
  HKEY_USERS           (HKU)
  HKEY_CURRENT_CONFIG  (HKCC)
Slide 5: Registry Architecture
Two are “Master” keys:
  HKEY_LOCAL_MACHINE - configuration data describing the hardware and software installed on the computer
  HKEY_USERS - configuration data for each user that logs into the computer

Slide 6: Registry Architecture
Three are derived from the “Master” keys:
  HKEY_CLASSES_ROOT - file associations and OLE
  HKEY_CURRENT_USER - the currently logged-on user
  HKEY_CURRENT_CONFIG - the current hardware profile
Slide 7: HKEY_CLASSES_ROOT
Derived from HKLM\Software\Classes

Slide 8: HKEY_CURRENT_USER
Derived from HKU\<SID of the current user>
Slide 9: HKEY_CURRENT_CONFIG
Derived from HKLM\System\CurrentControlSet\Hardware Profiles\Current
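The three derived root keys on slides 6 to 9 do not exist as separate hives, so an examiner working from hive files has to translate any HKCR, HKCU or HKCC path into the HKLM or HKU path it is built from before looking for it. The following Python function is an added example (not part of the slide deck) that performs exactly that translation using the mappings the slides give; the function and constant names are the example's own, and the user SID passed to it is a constructed sample value.

```python
"""Resolve registry paths rooted at the derived keys (HKCR, HKCU, HKCC) to
the master-key paths under HKLM / HKU that they are built from."""

# Short and long names of the five root keys.
ROOT_ABBREVIATIONS = {
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}
MASTER_ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_USERS"}

# Source of each derived root. HKCU is handled separately because it depends
# on the SID of the logged-on user (HKU\<SID>).
DERIVED_FROM = {
    "HKEY_CLASSES_ROOT": "HKEY_LOCAL_MACHINE\\Software\\Classes",
    "HKEY_CURRENT_CONFIG": (
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Hardware Profiles\\Current"
    ),
}


def normalize_root(root):
    """Expand an abbreviation (hkcu, HKLM, ...) to the full root-key name."""
    root = root.strip().upper()
    return ROOT_ABBREVIATIONS.get(root, root)


def resolve_to_master(path, current_user_sid=None):
    """Rewrite `path` so that it starts at a master key (HKLM or HKU).

    Paths already under HKLM or HKU are returned with the root expanded.
    HKCU needs the SID of the logged-on user: on a live system that comes
    from the session, in an offline examination the examiner supplies it.
    """
    root, _, rest = path.replace("/", "\\").partition("\\")
    root = normalize_root(root)
    if root in MASTER_ROOTS:
        base = root
    elif root == "HKEY_CURRENT_USER":
        if not current_user_sid:
            raise ValueError("HKCU requires the SID of the current user")
        base = "HKEY_USERS\\" + current_user_sid
    elif root in DERIVED_FROM:
        base = DERIVED_FROM[root]
    else:
        raise ValueError("unknown root key: " + root)
    return base + ("\\" + rest if rest else "")


if __name__ == "__main__":
    # Constructed sample SID, not taken from any real system.
    sid = "S-1-5-21-1000-2000-3000-1001"
    for p in ("HKCR\\.txt", "HKCU\\Software\\Microsoft", "HKCC\\System", "HKLM\\SAM"):
        print(p, "->", resolve_to_master(p, sid))
```

Because the function also accepts forward slashes and case-insensitive abbreviations, it can be run over a list of search terms collected from notes or tool output without first tidying them up.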

Slide 10: Windows NTx Registry
Multiple “hives” are used to build the registry:
  “System” related (HKLM)
  “User” related (HKU)
A hive is a body of keys, subkeys and values rooted at the top of the registry hierarchy.
Slide 11: Windows NTx Registry
A hive is stored in a set of files. Example: Security Account Manager
  SAM - current copy of the hive
  SAM.LOG - log of all changes to the hive
  SAM.sav - backup copy created at setup
System has an additional file:
  System.alt - duplicate copy of System
System.alt is not normally present in XP.

Slide 12: Registry “System” Hives
Configuration data specific to the computer:
  DEFAULT
  SAM
  SECURITY
  Software
  System
Stored in %systemroot%\system32\config
Slide 13: Registry “User” Hives
Configuration data specific to the user: NTUSER.DAT
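Slides 11 to 13 give the examiner a checklist: every system hive in %systemroot%\system32\config should have a current copy, a .LOG and a .sav, and System may or may not have System.alt depending on the Windows version. The script below is an added example (not from the slides or any forensic tool) that walks a config directory, looks for each expected file, and records name-on-disk, size and SHA-256 so the find can be documented. The directory it builds is a constructed stand-in containing placeholder bytes, not real hive data; all function names are the example's own.

```python
"""Inventory the registry hive files under a system32\\config directory and
record what an examiner needs to document: presence, size and SHA-256."""
import hashlib
import os
import tempfile

# Hive names from slide 12. Each is normally present as the current copy,
# a .LOG of changes and a .sav backup created at setup (slide 11).
SYSTEM_HIVES = ("DEFAULT", "SAM", "SECURITY", "Software", "System")
COMPANION_SUFFIXES = ("", ".LOG", ".sav")
# System.alt is a duplicate of System that XP does not normally have.
EXTRA_FILES = ("System.alt",)


def expected_hive_files(config_dir):
    """Return every file path the examiner should look for."""
    paths = [os.path.join(config_dir, hive + suffix)
             for hive in SYSTEM_HIVES for suffix in COMPANION_SUFFIXES]
    paths.extend(os.path.join(config_dir, extra) for extra in EXTRA_FILES)
    return paths


def sha256_of(path):
    """Hash a file in chunks so large hives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_hives(config_dir):
    """Map each expected file name to None (missing) or a record dict.

    Lookup is case-insensitive: NTFS names are case-insensitive, but an
    image mounted on a case-sensitive host may show 'system' for 'System'.
    """
    on_disk = {name.lower(): name for name in os.listdir(config_dir)}
    report = {}
    for path in expected_hive_files(config_dir):
        wanted = os.path.basename(path)
        actual = on_disk.get(wanted.lower())
        if actual is None:
            report[wanted] = None
            continue
        full = os.path.join(config_dir, actual)
        report[wanted] = {
            "name_on_disk": actual,
            "size": os.path.getsize(full),
            "sha256": sha256_of(full),
        }
    return report


def build_sample_config_dir():
    """Constructed sample: a temp directory mimicking system32\\config.

    The bytes are placeholders, not real hive data. System.alt is left out
    on purpose to mirror an XP machine, and 'System' is written in lower
    case to exercise the case-insensitive lookup.
    """
    directory = tempfile.mkdtemp(prefix="config_")
    sample = {}
    for hive in SYSTEM_HIVES:
        name = hive.lower() if hive == "System" else hive
        body = ("regf-" + hive + "-placeholder").encode()
        sample[name] = body          # current copy
        sample[name + ".LOG"] = b""  # empty change log
        sample[name + ".sav"] = body  # setup backup, identical here
    for name, data in sample.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory


if __name__ == "__main__":
    for name, info in inventory_hives(build_sample_config_dir()).items():
        print(name, "MISSING" if info is None else info)
```

A missing .sav or .LOG, or a hash mismatch between a hive and its .sav, is itself a finding worth noting; the report records both so that the comparison can be made later from the documentation alone.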

Slide 14

This note was uploaded on 02/29/2012 for the course CNIT 499 taught by Professor Timwedge during the Fall '07 term at Purdue University-West Lafayette.

