Working with Registry View - Computer Forensics with FTK (2014)


Chapter 3. Working with Registry View

The AccessData Registry Viewer is a standalone product that can be integrated with FTK and allows you to view the contents of the Windows registry. Unlike the traditional Windows Registry Editor, Regedit, which displays only the registry of the system it is running on, the Registry Viewer can display registry files taken from any system. It also provides access to the registry's Protected Storage area, which contains passwords, usernames, and other information that is not accessible with Regedit. However, this tool is not free. In order to use it, you will need a CodeMeter USB stick with a valid license.

In this chapter, you will understand the structure of the Windows registry files, the main features of the tool, and its integration with FTK.

You'll see how to quickly access information from the users of the operating system, such as the following:

· Username

· Logon count

· Last logon time

· Last password change time

· Invalid logon time

· Last failed logon time

Understanding the Windows registry structure

To view the contents of the Windows registry keys, we need to identify the file that holds each key. These files are located in C:\Windows\System32\Config. The path and files are shown in the following screenshot:

(Screenshot: the registry files under C:\Windows\System32\Config)

Another important key is located in each user folder and is called NTUSER.DAT. The location of this file is shown in the following screenshot:

(Screenshot: the location of NTUSER.DAT inside a user folder)

The main feature of Registry Viewer

The first step in setting up the Registry Viewer is to add one or more of the registry files described above to the Registry Viewer.

This can be done by performing the following steps:

1. Click on Open in the toolbar.

2. Select the registry file and click on Open:

(Screenshot: selecting a registry file in the Open dialog)

The tool will interpret the data of the registry key and will present it in a friendly format, as shown in the following screenshot:

(Screenshot: the contents of a registry file as presented by Registry Viewer)

Generating a report

You can select important keys and add them to a report by performing the following steps:

1. Select the key you would like to add to the report and right-click on it.

2. Click on Add to Report.

3. To generate the report, click on the Report option in the toolbar.

4. Click on OK:

(Screenshot: the Report dialog)

Integrating with FTK

There are two different ways to obtain the registry files from the evidence. The first is to use FTK Imager to locate and export these files.

The following screenshot shows a sample of this export process:

(Screenshot: exporting registry files with FTK Imager)

Alternatively, you can use the FTK to export the same files, as shown in the following screenshot. You can do this by right-clicking on the registry file and then clicking on Open in Registry Viewer.

(Screenshot: the Open in Registry Viewer option in FTK)

Identifying the Time Zone setting

The correct setting of the time zone is critical for proper analysis and for the results of the investigation process; an incorrect setting can lead to erroneous conclusions about when events occurred. When you select the correct Time Zone, all MAC time information is adjusted automatically, as follows:

(Screenshot: MAC times adjusted to the selected Time Zone)

If you do not know the time zone of the seized computer, Registry Viewer can help you.

You can add the System registry file and locate the information under System\ControlSet001\Control\TimeZoneInformation, as shown in the following screenshot:

(Screenshot: the TimeZoneInformation key in Registry Viewer)

Account information

Another important feature of the Registry Viewer is the ability to view information about all the users of the system in a very easy way. This important information is shown in the following screenshot:

(Screenshot: user account information displayed by Registry Viewer)
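The two sections above (the Time Zone setting and the account information) come together when you have to read logon timestamps yourself. The following Python example is added here and is not code from the chapter or from AccessData: it parses the logon statistics from a constructed SAM user F value and shifts them into the seized machine's local time using the TimeZoneInformation bias. The F value offsets are those used by open-source SAM parsers and are an assumption, not something the chapter lists.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'never' in SAM fields."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used only to build the constructed sample below."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10

def bias_from_dword(value):
    """Bias values are REG_DWORD; zones east of UTC hold a negative bias as two's complement."""
    return value - 2**32 if value >= 2**31 else value

def parse_sam_f_value(f):
    """Logon statistics from a SAM user key's binary F value.
    Offsets are those used by open-source SAM parsers (assumption; not listed in the chapter)."""
    last_logon, = struct.unpack_from("<Q", f, 8)
    pwd_last_set, = struct.unpack_from("<Q", f, 24)
    last_failed, = struct.unpack_from("<Q", f, 40)
    rid, = struct.unpack_from("<I", f, 48)
    failed_count, logon_count = struct.unpack_from("<HH", f, 64)
    return {"rid": rid, "logon_count": logon_count, "failed_count": failed_count,
            "last_logon": filetime_to_utc(last_logon),
            "pwd_last_set": filetime_to_utc(pwd_last_set),
            "last_failed_logon": filetime_to_utc(last_failed)}

def to_local(dt_utc, active_time_bias):
    """Windows defines UTC = local + ActiveTimeBias (minutes), so local = UTC - bias."""
    return None if dt_utc is None else dt_utc.astimezone(timezone(timedelta(minutes=-active_time_bias)))

def build_sample_f_value():
    """Constructed 80-byte F value for a demo account (not taken from any real system)."""
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, utc_to_filetime(datetime(2014, 3, 10, 12, 0, tzinfo=timezone.utc)))
    struct.pack_into("<Q", f, 24, utc_to_filetime(datetime(2014, 1, 2, 8, 30, tzinfo=timezone.utc)))
    struct.pack_into("<I", f, 48, 1001)       # RID
    struct.pack_into("<HH", f, 64, 3, 17)     # failed logon count, logon count
    return bytes(f)

def report(f_value, active_time_bias_dword):
    """Parse the F value and express every timestamp in the seized machine's local time."""
    bias = bias_from_dword(active_time_bias_dword)
    info = parse_sam_f_value(f_value)
    for key in ("last_logon", "pwd_last_set", "last_failed_logon"):
        info[key] = to_local(info[key], bias)
    return info
```

Calling report(build_sample_f_value(), 300) renders the 12:00 UTC logon as 07:00 in a UTC-5 zone, while a bias DWORD of 0xFFFFFFC4 (-60 minutes) renders it as 13:00; a zero timestamp is reported as None rather than as 1601-01-01.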

Summary

This chapter covered the use of the Registry Viewer, presenting its interface and main features. You are now able to understand the importance of the correct use of the Time Zone feature and how to locate it within the Windows registry keys. The Registry Viewer can display key pieces of information about the user accounts in a friendly manner. It is certainly an important tool for examining registry information that cannot be accessed through the operating system. It is easy to use and very useful during the investigation process because it allows you to quickly access information contained in the registry keys and helps to interpret their values.

In the next chapter, you will learn how to manage your investigation cases and the options for processing evidence, which is one of the most important tasks of FTK.