Registry analysis

There is a great deal of activity that occurs under the hood with the Windows operating system. One place that this activity occurs is in the Windows Registry. The Windows Registry is a database that stores the low-level system settings for the Windows operating system. This includes settings for devices, security, services, and the storage of user account security settings in the Security Accounts Manager (SAM).

The registry is made up of two elements. The first is the key. The key is a container that holds the second element, the values. These values hold the specific settings information. The highest-level key is called the root key and the Windows operating system has six root keys or registry hives, which are located in the system32 folder on the Windows file structure. The following are the six registry hives and their associated locations in the Windows file structure:

  • HKEY_LOCAL_MACHINE\SYSTEM : system32\config\system
  • HKEY_LOCAL_MACHINE\SAM : system32\config\sam
  • HKEY_LOCAL_MACHINE\SECURITY : system32\config\security
  • HKEY_LOCAL_MACHINE\SOFTWARE : system32\config\software
  • HKEY_USERS\UserProfile : winnt\profiles\username
  • HKEY_USERS\.DEFAULT : system32\config\default

Analysts can access the various registry hives using Autopsy. Simply navigate to the vol3/Windows/System32/config folder in the file structure in the left-hand pane:

In the center pane, the SAM registry file is located:

The actual examination and evidentiary value of registry key settings is, like many of the aspects of digital forensics, very detailed. While it is impossible to cover all of the aspects of registry forensics in this chapter, or even in this book, it is important for analysts to first be able to acquire the registry keys for evaluation, as well as to have some familiarity with tools that can allow analysts to gain some hands-on experience with evaluating registry settings.

In this case, the system, SAM, security, and software registry keys will be acquired for analysis. For this, the analyst can use Autopsy to acquire the proper keys and then examine them with a third-party tool:

  1. First, navigate to the proper folder, /System32/config, on the third volume of the system image.
  2. Next, select the four registry keys using the right mouse button and Ctrl key. Right-click on one of the files and select Export File(s).
  3. Select a folder to output the registry keys. In this case, a separate file folder was created to contain the keys. Select Save.
  4. Verify that the registry keys have been saved:

The preceding screenshot shows the four registry files that have been acquired.
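Before handing exported hive files to anyone, it is worth confirming that each file really is a registry hive, that it was flushed cleanly, and recording a hash for the evidence log. The following Python is an added example written for this chapter, not code from the book or from Autopsy; it reads the hive's base block (the first 4096 bytes, laid out as in the public documentation of the Windows registry file format, which is an assumption of this example rather than something the chapter states) and the sample base block it builds for demonstration is constructed, not taken from a real system.

```python
import hashlib
import struct
import sys
from datetime import datetime, timedelta, timezone

# REGF base block layout (first 4096 bytes of a hive). Offsets are assumed from the
# public registry file format documentation, not from the chapter.
REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 508      # XOR-32 of the preceding 508 bytes
HIVE_NAME_OFFSET = 48      # 64 bytes, UTF-16LE, zero padded

# Constructed sample timestamp: 2015-03-24 13:38:00 UTC, the time cited later in the text.
SAMPLE_LAST_WRITTEN_FILETIME = 130716778800000000


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(base_block):
    """XOR of the first 508 bytes of the base block taken as little-endian 32-bit words."""
    xor = 0
    for (word,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        xor ^= word
    # Windows remaps two reserved results so the stored field is never all-ones or zero.
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def inspect_hive(data):
    """Validate an acquired hive file and return the facts worth recording about it."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != REGF_SIGNATURE:
        raise ValueError("not a regf hive: bad signature or truncated base block")
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    last_written = struct.unpack_from("<Q", data, 12)[0]
    major, minor = struct.unpack_from("<II", data, 20)
    raw_name = data[HIVE_NAME_OFFSET:HIVE_NAME_OFFSET + 64]
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "name": name,
        "format_version": f"{major}.{minor}",
        "last_written_utc": filetime_to_datetime(last_written),
        # Unequal sequence numbers mean the hive was not cleanly flushed to disk: the
        # .LOG1/.LOG2 transaction logs beside it are needed to recover the latest writes.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": stored_checksum == regf_checksum(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_hive(name="SYSTEM", dirty=False):
    """Construct a minimal, well-formed base block for demonstration only (not a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_SIGNATURE
    struct.pack_into("<II", block, 4, 7, 6 if dirty else 7)   # primary / secondary sequence
    struct.pack_into("<Q", block, 12, SAMPLE_LAST_WRITTEN_FILETIME)
    struct.pack_into("<II", block, 20, 1, 5)                  # format version 1.5
    block[HIVE_NAME_OFFSET:HIVE_NAME_OFFSET + 64] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    # With file paths as arguments, inspect real exported hives; otherwise use the sample.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, inspect_hive(fh.read()))
    else:
        for hive_name in ("SYSTEM", "SAM", "SECURITY", "SOFTWARE"):
            print(hive_name, inspect_hive(build_sample_hive(hive_name)))
```

Run it with the four exported files as arguments. A `dirty` result is the check most often missed: the hive on disk is then behind the transaction logs, so the matching .LOG1 and .LOG2 files from the same config folder should be exported as well, and the SHA-256 values go into the evidence log before any tool opens the files.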

Now that the suspect image's registry files have been saved, the analyst can then use a third-party tool to examine the registry. In this case, the Registry Explorer/RECmd version 0.9.0.0 tool developed by Eric Zimmerman will be used to analyze the registry keys. This freeware application can be downloaded from https://ericzimmerman.github.io/. Unzip the file to a location and the application is ready to execute.

As the analysis of the image has progressed, the analyst has identified that a potential data loss has occurred via a USB device that was attached to the system at some point. While Autopsy has provided us some information, it may be necessary to find out what registry key settings have been changed as a result of the USB being connected. The best location for additional information is contained within the system registry hive.

The Windows operating system records and maintains artifacts of when USB devices such as mass storage, iOS devices, digital cameras, and other USB devices are connected. This is due to the Plug and Play (PnP) manager, which is part of the Windows operating system. The PnP manager receives notification that a USB device has been connected and queries the device for information so that it can load the proper device driver. Upon completion, the Windows operating system will make an entry for the device within the registry settings.

To determine what USB devices were connected, follow these steps:

  1. Open Registry Explorer.
  2. Click File and then Load Offline Hive.
  3. Navigate to the system registry hive.
  4. Once loaded, the following window appears:

From here, navigate down to the proper USB registry location at CurrentControlSet\Enum\USBSTOR:

  5. Click on the first registry value, 4C530012450531101593&0. The following information will appear in the upper right-hand pane:

From here, the analyst has a good deal of information that can be reviewed. Of particular importance is the HardwareID. Clicking on that section of the output produces the following in the lower right window:

What the analyst has been able to uncover by evaluating the date and time is that a SanDisk Cruzer Fit was first connected to the system. The analyst was able to ascertain that it was connected at 13:38:00 on 03/24/2015. This is critical when compared to the date and time that the confidential files were accessed.
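The USBSTOR entries that Registry Explorer displays follow a fixed naming scheme, and decoding it by hand is error-prone when a system has had many devices attached. The following Python is an added example for this chapter, not code from the book or from Eric Zimmerman's tools: it assumes the documented USBSTOR layout, where each device key is named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision> and each instance subkey below it is the device serial with an &0 suffix, and it works over a small in-memory dictionary that stands in for the keys an analyst would read from the SYSTEM hive. The dictionary contents are constructed sample data (only the SanDisk Cruzer Fit name, its serial and the 13:38:00 03/24/2015 timestamp come from the text), and the hardware ID strings are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# USBSTOR device-ID subkeys are named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>.
DEVICE_ID_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$"
)

# Constructed sample standing in for keys read from an offline SYSTEM hive:
# key path -> {"last_write": key LastWrite as FILETIME, "values": {name: data}}.
SAMPLE_SYSTEM_HIVE = {
    "Select": {"last_write": 130716000000000000, "values": {"Current": 1}},
    "ControlSet001\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Fit&Rev_1.00\\4C530012450531101593&0": {
        "last_write": 130716778800000000,  # 2015-03-24 13:38:00 UTC, the time cited in the text
        "values": {
            "FriendlyName": "SanDisk Cruzer Fit USB Device",
            "HardwareID": ["USBSTOR\\DiskSanDisk_Cruzer_Fit_____1.00"],  # illustrative value
            "Service": "disk",
        },
    },
    "ControlSet001\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2a1b3c4d&0": {
        "last_write": 130716700000000000,  # constructed, a little earlier than the SanDisk key
        "values": {
            "FriendlyName": "Generic Flash Disk USB Device",
            "HardwareID": ["USBSTOR\\DiskGeneric_Flash_Disk_______8.07"],  # illustrative value
            "Service": "disk",
        },
    },
}


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def current_control_set(hive):
    """An offline hive has no CurrentControlSet link; Select\\Current says which set was live."""
    return f"ControlSet{hive['Select']['values']['Current']:03d}"


def parse_device_id(key_name):
    """Split Disk&Ven_...&Prod_...&Rev_... into its fields, restoring spaces from underscores."""
    match = DEVICE_ID_RE.match(key_name)
    if match is None:
        raise ValueError(f"unexpected USBSTOR device ID: {key_name}")
    return {field: text.replace("_", " ").strip() for field, text in match.groupdict().items()}


def parse_instance_id(key_name):
    """The instance subkey is the device serial plus '&0'. If the second character is '&',
    the device reported no serial and Windows generated a per-system ID instead."""
    generated = len(key_name) > 1 and key_name[1] == "&"
    serial = None if generated else key_name.rsplit("&", 1)[0]
    return {"instance_id": key_name, "serial": serial, "has_serial": not generated}


def list_usbstor_devices(hive):
    """Return one record per <device ID>\\<instance ID> key, oldest LastWrite first."""
    prefix = f"{current_control_set(hive)}\\Enum\\USBSTOR\\"
    devices = []
    for path, entry in hive.items():
        if not path.startswith(prefix):
            continue
        parts = path[len(prefix):].split("\\")
        if len(parts) != 2:  # only the device\instance level describes a device
            continue
        record = parse_device_id(parts[0])
        record.update(parse_instance_id(parts[1]))
        record["friendly_name"] = entry["values"].get("FriendlyName")
        record["hardware_ids"] = entry["values"].get("HardwareID", [])
        record["key_last_write_utc"] = filetime_to_datetime(entry["last_write"])
        devices.append(record)
    return sorted(devices, key=lambda d: d["key_last_write_utc"])


if __name__ == "__main__":
    for dev in list_usbstor_devices(SAMPLE_SYSTEM_HIVE):
        serial = dev["serial"] if dev["has_serial"] else f"(no serial: {dev['instance_id']})"
        print(f"{dev['key_last_write_utc']:%Y-%m-%d %H:%M:%S} UTC  "
              f"{dev['vendor']} {dev['product']} rev {dev['revision']}  serial {serial}")
```

Two caveats when reading the output against the case timeline: the LastWrite time of the instance key records the last modification of that key rather than proving the first connection, so it should be corroborated with the device's other entries and with setupapi.dev.log, and FILETIME values are UTC, so convert them to the suspect system's time zone before comparing with file access times reported in local time.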

As was previously stated, registry analysis is a deep subset of digital forensics in and of itself. Whole volumes have been written on the evidentiary value present in the settings and entries in registry hives. At a minimum, analysts should be prepared to at least acquire this evidence for others for further examination. Having said that, as analysts gain more and more experience and skill, the registry should be an area that can be leveraged for evidence when examining a disk image.
