The structure of the Windows Registry. In this section, we're going to take a look at the Windows Registry structure, and we're going to take a look at the keys and values contained within the structure and how we're going to interpret that data.

Next slide. The Windows Registry, like I said, is a hierarchical database. So we have hives, keys, subkeys, values and data. And the data can be stored in a lot of different ways. We're going to see binary data, which will be shown to us in hex; we're going to see string data; we will see hex data, like I said; and we're going to see BLOB data. We're going to see all kinds of data in the registry, and we do have to know how to interpret that data and how to interpret it properly.

This slide shows a graphical representation of the live registry using RegEdit. At the top we see HKEY_LOCAL_MACHINE (HKEY is referred to as "handle key"). Beneath that we see some hives. Then we see keys, then we see subkeys, and over in the right-hand pane we see name and type, those would be values, and then we see data.

The hive files that make up the Windows Registry: we have system files, which pertain to the system: SAM, SYSTEM, SECURITY, SOFTWARE and Amcache. And we're going to talk about each of these in great depth and what we can find in them. And then we have user-created files, or files that refer to the user, which are our UsrClass.dat and our NTUSER.DAT. We're going to need specialist tools to view these registry hives. And it's very important that we understand that each of these hives is going to contain specific data relating either to the user or the system. And we're going to need to use some type of specialist tool to see it laid out in that hive, key, subkey fashion.

How the registry works: we have these keys that are stored on our local system when we boot up our local system, the hive files, like we just saw in the last slide: SAM, SYSTEM, SECURITY, SOFTWARE and NTUSER. These are all pulled into those handle keys, and the handle keys are going to be represented to us like we saw in the slide when we looked at RegEdit: we're going to see HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_USERS and HKEY_CURRENT_USER. Now, what I really want you to understand is this: the registry, when it's running, is pulled up in RAM, and it's pulled from those files, and I just want you to get an idea of what it's going to look like. We will go into which handle keys are pulled from which hive files. But right now I just want to give you an idea of what the structure of the registry is and what the registry is.

The live registry. As we can see in the live registry, again we have our handle keys. HKEY_CURRENT_USER, right underneath HKEY_CLASSES_ROOT, is outlined in green there. That file is only going to be found on a live, running system; it's only going to exist in RAM; it's not going to exist on a dead box. What that is giving you is an alias for the currently logged-on user. So it's pulling from HKEY_USERS, coming up with whichever user is currently logged on, and giving it to you as HKEY_CURRENT_USER. HARDWARE is also another file that will not be found on a dead box; that file only exists in RAM. It is not written to the hard drive, and what that contains is BIOS and hardware configuration information. HKEY_CURRENT_CONFIG is our third file, also in green, and this file is only found on a live system. I just want to make you aware that these three files are only going to be found on the live registry system, and the reason is they're pulled from the hives that we talked about before to show you the currently logged-on user, the current configuration and the hardware that is currently accessed on the system. Another thing I want to make you aware of is, when you're looking at a live registry, access to the SAM and SECURITY subkeys will be disabled. You will not be able to get into those subkeys on a live system, but we will on a bitstream copy or a dead box, and we'll talk about that more in depth, in detail, as we go along.

These are our non-live Windows Registry files, and these are the files that are written to disk, that are pulled into memory when we activate our machine, when our machine boots up. And this is what creates our handle keys, as we saw in the previous slides. As we go through this course, we're going to start looking at the actual live registry and non-live registry. And we're going to start pulling out the files and showing where they're located and showing you how to extract them from both a live machine and a non-live machine.
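As an added example (not part of this lecture), here is a small Python parser for the base block that begins every hive file named above (SAM, SYSTEM, SECURITY, SOFTWARE, NTUSER.DAT, UsrClass.dat), following the documented REGF base-block layout; the sample hive bytes it builds are constructed test data, and the SAM path inside them is only an illustrative value.

```python
"""Parse the base block (first 4096 bytes) of a Windows registry hive file."""
import struct

BASE_BLOCK_SIZE = 4096              # the base block is one 4 KiB page; hive bins follow it
FILETIME_EPOCH_DELTA = 11644473600  # seconds from 1601-01-01 to 1970-01-01

def filetime_to_unix(filetime):
    """Convert a FILETIME (100-ns ticks since 1601) to Unix seconds."""
    return filetime / 10_000_000 - FILETIME_EPOCH_DELTA

def base_block_checksum(data):
    """XOR of the first 127 dwords; the format maps 0 -> 1 and 0xFFFFFFFF -> 0xFFFFFFFE."""
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", data[:508]):
        checksum ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(checksum, checksum)

def parse_base_block(data):
    """Return the forensically interesting base-block fields as a dict."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("shorter than one base block: not a complete hive")
    if data[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    (seq1, seq2, written, major, minor, ftype, _fmt, root_cell,
     hbins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "hive_name": name,                      # e.g. \SystemRoot\System32\Config\SAM
        "version": f"{major}.{minor}",
        "last_written_unix": filetime_to_unix(written),
        "root_key_offset": BASE_BLOCK_SIZE + root_cell,  # cell offsets are hbin-relative
        "hbins_size": hbins_size,
        "is_primary_file": ftype == 0,          # 1 = transaction log (.LOG1/.LOG2)
        # Unequal sequence numbers mean a write never finished flushing: the hive is
        # "dirty" and its transaction logs must be replayed before parsing further.
        "dirty": seq1 != seq2,
        "checksum_ok": struct.unpack_from("<I", data, 508)[0] == base_block_checksum(data),
    }

def build_sample_hive(name="\\SystemRoot\\System32\\Config\\SAM", dirty=False):
    """Construct a sample base block in memory (constructed test data, not a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    seq1, seq2 = (7, 6) if dirty else (7, 7)
    filetime = (1704067200 + FILETIME_EPOCH_DELTA) * 10_000_000  # 2024-01-01 00:00 UTC
    struct.pack_into("<IIQIIIIII", block, 4, seq1, seq2, filetime, 1, 5, 0, 1, 0x20, 0x1000)
    block[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", block, 508, base_block_checksum(block))
    return bytes(block)
```

Feed `parse_base_block` the first 4096 bytes of a hive extracted from an image and check the `dirty` flag first: a hive copied from a running machine often has unequal sequence numbers, and a proper tool then needs its .LOG transaction logs to recover the latest state.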