In this course, we're talking about the Windows Registry. In this module, module 2, we're going to talk about the structure of the Windows Registry, the layout of the Registry. The Registry is broken into hives, keys, sub-keys, values, and data. The data within the Registry can be stored in several different formats: binary data, string data (including multi-string and expandable-string values), numeric DWORD and QWORD data, and BLOB data. BLOB stands for binary large object.

This slide shows us what the live Registry looks like if we open it up in Registry Editor. At the top there we have the HKEY, the handle key: HKEY_LOCAL_MACHINE. Underneath that we have the hives, and you can see the SAM, SECURITY, SOFTWARE, and SYSTEM hives, along with HARDWARE, DRIVERS, and COMPONENTS. Beneath that we have our keys; those are the sub-folders of the hives. Beneath the keys we have sub-keys. Over in the right-hand pane we have the values and their data. That is the basic structure of the Windows Registry.

Now, the hive files that make up the Registry can be divided into two classes: system-related files and user-related files. The system-related files are the SAM, SECURITY, SOFTWARE, SYSTEM, and Amcache.hve hive files. The user-related files are NTUSER.DAT and UsrClass.dat. The system files dictate system-wide settings, and the user files are specific to the individual user: every user on the system has their own NTUSER.DAT hive and UsrClass.dat hive. We are going to need specialized tools to view the Windows Registry files offline.

When your computer boots up, the hive files get pulled into memory and are presented through the HKEYs, or handle keys: HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_USERS, and HKEY_CURRENT_USER. Only HKEY_LOCAL_MACHINE and HKEY_USERS are backed directly by hive files; the other three are views into them. HKEY_CURRENT_USER points at the logged-on user's SID under HKEY_USERS, HKEY_CLASSES_ROOT merges HKLM\SOFTWARE\Classes with the user's own Classes key, and HKEY_CURRENT_CONFIG points at the current hardware profile under HKLM\SYSTEM. We're talking about the live Registry here; this is what it looks like in Registry Editor, with the handle key, HKEY_CLASSES_ROOT, up at the top.
Now, certain handle keys are only going to be found in the live, running Registry. These are HKEY_CURRENT_USER, HKLM\HARDWARE, and HKEY_CURRENT_CONFIG. HKEY_CURRENT_USER refers to the currently logged-on user: that user's NTUSER.DAT and UsrClass.dat get pulled into memory, and they contain all of that user's specific settings and activity. HARDWARE is only found on the live system; it is a volatile key built at boot, and it covers the BIOS and the current hardware configuration. Then we have HKEY_CURRENT_CONFIG, the current system configuration, relating mainly to software and the hardware profile in use.

Just be aware that on a live running system, the SAM hive and all of its sub-keys, and likewise the SECURITY hive, appear empty in Registry Editor. They are not disabled; their access control lists grant access only to the SYSTEM account, so even an administrator looking through RegEdit will not see what is contained in those hives unless the editor is launched as SYSTEM (for example with PsExec -s) or the hive files are examined offline.

Now, some of our non-live Registry files of interest. We're going to take a look at the SAM, SYSTEM, SECURITY, SOFTWARE, and Amcache.hve files; these are the system-related files. We're also going to talk about NTUSER.DAT and UsrClass.dat. The non-live Registry, as seen using Registry Browser, is what this slide depicts. Registry Browser depicts it pretty much the same way RegEdit does, but with Registry Browser we can drill down into the keys and see the data within. It also helps us translate some of this data under the values, the value data, and the data pane at the bottom, but it is laid out the same way: the handle key at the top, then the hives, then the keys, and then the sub-keys.

In our next module, we're going to talk about the location of the Registry files within a forensic image. In this walk-through, we are going to locate and export the Windows Registry files. The items we will need for this Registry walk-through are the Windows 10 VMDK and FTK Imager.
Once you launch FTK Imager, go ahead and load the Windows 10 VMDK. If you forgot how to do that, it is File, Add Evidence Item; choose Image File and click "Next", browse to where the image file is saved on your computer, click "Open", and the file will load. Once it's loaded, go ahead and expand it. You'll see three partitions. We're going to be looking at partition 2 because that is where the operating system is. Expand partition 2, expand the NTFS volume, and expand [root]. Under [root], go to Windows and expand it, scroll down to System32 and expand it, then locate the config folder. Highlight the config folder and look in the File List pane. Here are all the files inside the config folder. We're looking for the SAM, SECURITY, SOFTWARE, and SYSTEM files. Once we locate these files, right-click and choose Export Files. Choose a location on your computer to export them to; I'm going to choose my desktop and make a new folder called Win 10 Registry. Export those files, and FTK Imager tells you that it copied the files successfully. It is worth exporting the .LOG1 and .LOG2 transaction logs that sit beside each hive in config as well, since an image taken from a running system can hold changes that were never flushed into the hive file itself.

Now we're back in the Windows folder, so scroll back up. We'll close up some of these folders so we can navigate more easily; close up System32. Under the Windows folder, expand the appcompat folder, then highlight the Programs folder underneath it, and we see our Amcache.hve hive. Select Amcache.hve, right-click, Export Files, and go back to the folder on your desktop (or wherever you saved it) where you put your Registry files.
Select that Win 10 Registry folder and click "OK". Now we're done in the Windows folder, so close that up. Next, expand the Users folder, click on the Ivan user, and select NTUSER.DAT from the File List pane. Right-click, Export Files, choose that same Win 10 Registry folder, and click "OK". Then, staying with the Ivan user (or whichever user you prefer), expand Ivan, expand AppData, expand Local, expand Microsoft, scroll down and expand Windows, and highlight the Windows folder. Again, that path is the user's AppData, Local, Microsoft, Windows. Look over in the right-hand File List pane and we see UsrClass.dat. Highlight UsrClass.dat, right-click, Export Files, choose our same Win 10 Registry folder, and click "OK". Now we've exported all our Registry files from within the file system in Windows. That is the end of the walk-through.
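To make the walk-through above repeatable outside the FTK Imager GUI, here is an added example in Python. It is my own code, not part of the course and not from FTK Imager. It assumes the Windows 10 volume has been mounted read-only at some path (for instance the VMDK mounted with a forensic mounting tool), walks the same locations we just clicked through (System32\config, appcompat\Programs, and each profile under Users), copies the hives into an output folder, and then checks each copy by reading its "regf" base block, the same hive structure module 2 described: the signature, the primary and secondary sequence numbers that reveal a dirty hive, the last-written timestamp, the embedded hive path, and the header checksum. The mount point, the output folder, the Ivan profile and the synthetic hive blocks produced by `build_hive_block` are all constructed for the demonstration.

```python
import hashlib, shutil, struct, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Standard Windows 10 hive locations, relative to the volume root.
SYSTEM_HIVES = ["Windows/System32/config/SAM", "Windows/System32/config/SECURITY",
                "Windows/System32/config/SOFTWARE", "Windows/System32/config/SYSTEM",
                "Windows/appcompat/Programs/Amcache.hve"]
USER_HIVES = ["NTUSER.DAT", "AppData/Local/Microsoft/Windows/UsrClass.dat"]

def find_ci(base, rel):
    """Resolve rel under base, matching each component case-insensitively
    (an image mounted on Linux is case-sensitive; NTFS paths are not)."""
    cur = Path(base)
    for part in Path(rel).parts:
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def regf_checksum(block):
    """XOR of the first 508 bytes as little-endian DWORDs; Windows maps the
    reserved results 0 -> 1 and 0xFFFFFFFF -> 0xFFFFFFFE."""
    x = 0
    for (dw,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dw
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def parse_hive_header(block):
    """Parse the 512-byte 'regf' base block; ValueError if this is not a hive."""
    if block[:4] != b"regf":
        raise ValueError("missing regf signature")
    if len(block) < 512:
        raise ValueError("base block truncated")
    seq1, seq2, ft, major, minor = struct.unpack_from("<IIQII", block, 4)
    return {
        "seq1": seq1, "seq2": seq2,
        "dirty": seq1 != seq2,  # unflushed writes are still in .LOG1/.LOG2 next to the hive
        "last_written": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10),
        "version": f"{major}.{minor}",
        "embedded_name": block[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0],
        "checksum_ok": struct.unpack_from("<I", block, 0x1FC)[0] == regf_checksum(block),
    }

def collect_hives(root, out_dir):
    """Copy every hive found under root into out_dir; return {name: info or error}."""
    root, out_dir = Path(root), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    targets = [(rel, Path(rel).name) for rel in SYSTEM_HIVES]
    users = find_ci(root, "Users")
    for prof in (users.iterdir() if users is not None else []):
        if prof.is_dir():
            targets += [(f"Users/{prof.name}/{r}", f"{prof.name}_{Path(r).name}") for r in USER_HIVES]
    report = {}
    for rel, dest_name in targets:
        src = find_ci(root, rel)
        if src is None or not src.is_file():
            report[dest_name] = "not found"
            continue
        data = Path(shutil.copy2(src, out_dir / dest_name)).read_bytes()
        try:
            info = parse_hive_header(data[:512])
            info["sha256"] = hashlib.sha256(data).hexdigest()
        except ValueError as e:
            info = f"not a hive: {e}"
        report[dest_name] = info
    return report

def build_hive_block(embedded_name, seq1=1, seq2=1, ft=132000000000000000):
    """Synthetic, checksum-valid base block for testing (constructed, not a real hive)."""
    blk = bytearray(512)
    blk[:4] = b"regf"
    # seq1, seq2, FILETIME, major 1, minor 5, type 0 (primary), format 1, root cell, hbin size, cluster
    struct.pack_into("<IIQIIIIIII", blk, 4, seq1, seq2, ft, 1, 5, 0, 1, 0x20, 0x1000, 1)
    blk[0x30:0x70] = embedded_name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", blk, 0x1FC, regf_checksum(blk))
    return bytes(blk)

def demo():
    """Lay out a constructed fake volume in a temp dir and run the collector over it."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp) / "vol"
        fixtures = {
            "Windows/System32/config/SAM": build_hive_block(r"\SystemRoot\System32\Config\SAM"),
            "Windows/System32/config/SYSTEM": build_hive_block("SYSTEM", seq1=7, seq2=6),
            "Users/Ivan/NTUSER.DAT": build_hive_block(r"\??\C:\Users\Ivan\ntuser.dat"),
            "Users/Ivan/AppData/Local/Microsoft/Windows/UsrClass.dat": b"not a hive",
        }
        for rel, data in fixtures.items():
            (vol / rel).parent.mkdir(parents=True, exist_ok=True)
            (vol / rel).write_bytes(data)
        return collect_hives(vol, Path(tmp) / "export")

if __name__ == "__main__":  # real use: collect_hives("/mnt/win10", "./Win10Registry")
    for name, info in demo().items():
        print(name, info)
```

When a hive comes back with dirty set, the primary and secondary sequence numbers disagree, which means the last transactions were only written to the .LOG1 and .LOG2 files beside it; export those too, because Registry tools that replay transaction logs need them to show the hive's current state. A copy that fails the signature or checksum check was not a hive at all, or was truncated on the way out of the image.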