Today we discussed the Windows registry: its organization, the persistent components on disk and the volatile components in memory, its structure, and its forensic value.

I strongly recommend the following resources:
A Few Forensic Applications
Below are a few example items I have commonly found useful within the Registry. There are certainly plenty more:
- Computer name
- Timezone
- MAC address(es)
- Wireless SSIDs
- Mounted shares
- Audit policies
- Auto start applications (per user)
- Services (system)
- Mounted USB devices
- Timestamps (entries, sorted by time, can function as a sort of log)
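As an added example (not part of the original notes), the PowerShell below pulls several of the items listed above from a live system: the computer name and time zone from the SYSTEM hive, the current user's per-user auto-start entries, and the USB storage device keys sorted by last-write time as a crude timeline. The key paths are the well-known locations; PowerShell exposes no key timestamp, so the last-write time is read with RegQueryInfoKey, and the script assumes it runs elevated on the examined machine (offline hives need a separate parser).

```powershell
# Added example: collect a few registry artifacts from a live system (run as Administrator).
# RegQueryInfoKey is the documented way to read a key's last-write timestamp.
Add-Type -Namespace Forensics -Name RegApi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWrite([Microsoft.Win32.RegistryKey]$Key) {
    # Returns the key's last-write time in UTC, or $null if the query fails.
    $n = [uint32]0; $ft = 0L
    $rc = [Forensics.RegApi]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$ft)
    if ($rc -ne 0) { return $null }
    [DateTime]::FromFileTimeUtc($ft)
}

# Computer name and time zone live under the current control set of the SYSTEM hive.
$ccs  = 'HKLM:\SYSTEM\CurrentControlSet'
$name = (Get-ItemProperty "$ccs\Control\ComputerName\ComputerName").ComputerName
$tz   = (Get-ItemProperty "$ccs\Control\TimeZoneInformation").TimeZoneKeyName
"Computer name: $name"
"Time zone:     $tz"

# Per-user auto-start applications (the Run key in the current user's NTUSER.DAT).
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { "Run entry: $($_.Name) = $($_.Value)" }

# USB storage devices: one subkey per device instance under USBSTOR. Sorting the
# keys by last-write time gives the rough log the notes describe.
$usb = Get-ChildItem "$ccs\Enum\USBSTOR" | ForEach-Object { Get-ChildItem $_.PSPath } |
    ForEach-Object {
        [PSCustomObject]@{
            Device    = $_.PSParentPath.Split('\')[-1]   # e.g. Disk&Ven_...&Prod_...
            Serial    = $_.PSChildName                   # instance id / serial
            LastWrite = Get-RegKeyLastWrite $_
        }
    } | Sort-Object LastWrite
$usb | Format-Table -AutoSize
```

The last-write time records the most recent change to the key itself (not its values' history), so treat the USB timeline as "last seen", not "first connected".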
Warning to all Readers
These are unrefined notes. They are not published documents. They are not citable. They should not be relied upon for forensics practice. They do not define any legal process or strategy, standard of care, evidentiary standard, or process for conducting investigations or analysis. Instead, they are designed for, and serve, a single purpose: to help students jog their memory of classroom discussions and assist them in thinking critically about the issues presented. The author is certainly not an attorney and is absolutely not giving any legal advice.