CyberCode Academy

Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis


In this lesson, you’ll learn about: Windows Registry structure and forensic analysis

1. What is the Windows Registry?

  • A centralized configuration database in Windows
  • Stores system, user, and application settings

🔹 Core Idea

  • Think of it as the brain of Windows configuration

2. Registry Structure

The registry is organized in a strict hierarchy:

🔹 Components

  • Hives
  • Keys
  • Subkeys
  • Values

🔹 Analogy

  • Hive → main database file
  • Key → folder
  • Value → actual data entry

3. Main Root Keys

🔹 Key Windows Registry Roots

  • HKEY_LOCAL_MACHINE (HKLM)
  • HKEY_CURRENT_USER (HKCU)

🔹 What they represent

  • HKLM → system-wide settings
  • HKCU → settings for the logged-in user

4. Physical Storage of Registry Hives

  • Stored on disk in:

C:\Windows\System32\config

🔹 Why this matters

  • Investigators can extract registry data directly from disk
  • Even if Windows is not bootable

5. Core HKLM Sub-Hives

🔹 SAM (Security Accounts Manager)

  • Stores:
    • User accounts
    • Password hashes

🔹 SECURITY Hive

  • Stores:
    • Local security policy
    • LSA secrets
    • Authentication data

🔹 SOFTWARE Hive

  • Stores:
    • Installed applications
    • Configuration settings

🔹 SYSTEM Hive

  • Stores:
    • Drivers
    • Services
    • Boot configuration

👉 Key Insight:

  • These hives are critical for system and user reconstruction

6. Modern Windows Registry Extensions

🔹 Newer Hives

  • BCD (Boot Configuration Data)
    • Controls boot process
  • ELAM (Early Launch Anti-Malware)
    • Protects early boot stage
  • Browser-related application data hives

👉 Purpose:

  • Improve security and system initialization

7. Forensic Extraction Tools

🔹 Common Tools

  • FTK Imager
    • Used to extract registry hives from disk
  • Registry viewers (offline analysis tools)

🔹 Why FTK Imager matters

  • Bypasses the OS locks that keep hive files open and unreadable on a running system
  • Works on live or dead systems

8. Registry Analysis Workflow

🔹 Step-by-step process

  1. Acquire disk image
  2. Extract registry hives
  3. Load into analysis tool
  4. Examine keys and values
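Steps 2 and 3 above hand the investigator a raw hive file copied out of C:\Windows\System32\config. Before loading it into a viewer, it is worth checking the file's own header: the 512-byte REGF base block names the hive, records the last write time, carries a checksum, and holds two sequence numbers that only match when the last write completed cleanly. The parser below is an added example written for this page, not code from CyberCode Academy or from any of the tools named above; it follows the publicly documented REGF base block layout (signature at offset 0, sequence numbers at 4 and 8, FILETIME at 12, versions at 20 and 24, root cell offset at 36, UTF-16LE file name at 48, XOR-32 checksum at 508). The sample base blocks it parses are constructed in-line by build_sample_base_block, which is a test helper and not a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 512      # the base block is the first 512 bytes of a hive file
HBIN_DATA_START = 4096     # hive bin data begins at file offset 0x1000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(base_block):
    """XOR-32 over the first 508 bytes, with the format's two special-case substitutions."""
    result = 0
    for dword in struct.unpack_from("<127I", base_block, 0):
        result ^= dword
    if result == 0:
        return 1
    if result == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return result


def parse_regf_base_block(data):
    """Parse the REGF base block of a hive and report its forensic health indicators."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file too short to contain a REGF base block")
    hdr = data[:BASE_BLOCK_SIZE]
    if hdr[:4] != REGF_SIGNATURE:
        raise ValueError("not a registry hive: missing 'regf' signature")
    primary_seq, secondary_seq = struct.unpack_from("<II", hdr, 4)
    last_written = struct.unpack_from("<Q", hdr, 12)[0]
    major, minor, file_type, file_format = struct.unpack_from("<IIII", hdr, 20)
    root_cell_offset, hbins_size, clustering = struct.unpack_from("<III", hdr, 36)
    # The embedded file name is UTF-16LE in a 64-byte field, NUL padded
    name = hdr[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored_checksum = struct.unpack_from("<I", hdr, 508)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "file_type": file_type,               # 0 = primary hive file
        "file_format": file_format,           # 1 = direct memory load
        "last_written": filetime_to_datetime(last_written),
        "root_cell_file_offset": HBIN_DATA_START + root_cell_offset,
        "hbins_size": hbins_size,
        "clustering_factor": clustering,
        "checksum_ok": stored_checksum == regf_checksum(hdr),
        # Mismatched sequence numbers mean the last write did not complete: the hive
        # is "dirty" and the .LOG1/.LOG2 transaction logs should be applied first
        "dirty": primary_seq != secondary_seq,
    }


def build_sample_base_block(primary_seq, secondary_seq, name="SYSTEM"):
    """Constructed test data: a minimal, internally consistent base block (not a real hive)."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[0:4] = REGF_SIGNATURE
    struct.pack_into("<II", hdr, 4, primary_seq, secondary_seq)
    stamp = datetime_to_filetime(datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc))
    struct.pack_into("<Q", hdr, 12, stamp)
    struct.pack_into("<IIII", hdr, 20, 1, 5, 0, 1)        # version 1.5, primary, direct load
    struct.pack_into("<III", hdr, 36, 0x20, 0x1000, 1)    # root cell at hbin data + 0x20
    encoded = name.encode("utf-16-le")
    hdr[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)


if __name__ == "__main__":
    for label, block in (("clean", build_sample_base_block(7, 7)),
                         ("dirty", build_sample_base_block(9, 8))):
        info = parse_regf_base_block(block)
        print(label, info["name"], info["last_written"].isoformat(),
              "checksum_ok=%s dirty=%s" % (info["checksum_ok"], info["dirty"]))
```

On a hive extracted from a disk image, read the first 512 bytes into parse_regf_base_block. A failed checksum means the copy is damaged or the file is not a hive at all; a dirty flag means the hive was captured mid-write (common on images of running machines) and the analysis tool should be given the matching .LOG1/.LOG2 files so the pending transactions are replayed before keys are examined.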

9. What Investigators Look For

🔹 Key Evidence Types

  • User activity
  • Installed software
  • System boot history
  • Malware persistence mechanisms

Key Takeaways

  • The registry is a central configuration database for Windows
  • It is structured into hives, keys, and values
  • Critical hives include SAM, SECURITY, SOFTWARE, SYSTEM
  • Registry files are physically stored on disk
  • Tools like FTK Imager enable offline forensic extraction

Big Picture

Registry analysis helps you:

👉 Move from system configuration → user and attacker behavior reconstruction

Mental Model

  • Registry = Windows “black box” of system activity



You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

The podcast and the accompanying cover image on this page belong to CyberCode Academy. The content of the podcast is created by CyberCode Academy and not by, or together with, Poddtoppen.