A Presentation on Registry forensics from one of my lectures. Thanks to Harlan Carvy and Jolanta Thomassen for wonderful researches in the field. The work is based on their researches

1. Registry Forensics Boonlia Prince Komal Shri

5. Basic Concepts in Registry System Administrator Terminology

6. Basic Concepts in Registry Forensic Investigator’s Terminology

7. Mapping the Registry file BCD (Boot configuration data replaced Boot configuration {Boot.ini} in Vista and onwards USRCLASS.DAT is merged with NTUSER.DAT when the user logs in to provide complete configuration

8. Mapping the Registry files cont..

10. The Base block structure Do we need to see the hive in hex editor ? Observe This Value

11. The hbin structure

12. Lets Torn Apart the Hive file structure (Logical Structure)

13. Lets Torn Apart the Hive file structure (Logical Structure)

14. Compare what you see with the previous slide

15. Key Cell Binary Structure

16. Key Cell Structure

17. Sub Key List Cell Structure lf/lh type key list Ri/li type key list

18. Value Key and Value List Value Key Value List

19. Value Data and Value Data Type Value Data Value Date Type

20. Time to look at the file in hex editor

24. Lets cross check it

28. Is that all?????? Its just the start……… Q&A My Info [email_address] Twitter: http:// twitter.com/boonlia Facebook: http://www.facebook.com/profile.php?id=1701055902