AccessData Registry Viewer 101 PDF
Document Details
Uploaded by EasyToUseScholarship2314
Coventry University
Summary
This document provides an overview of the AccessData Registry Viewer, covering topics such as registry files, the user interface including value panes, and security accounts manager (SAM). It explains how to navigate the system. This is a guide for learning Registry Viewer.
Full Transcript
AccessData Registry Viewer 101

Module Objectives
- Registry Files
- Registry Viewer Interface
- Key Features of Registry Viewer
- Basic Reporting
- Time Zone Settings
- User SID
- OS Version
- User Artifacts

What is the Registry?
Microsoft describes it as: “…a central hierarchical database used … to store information that is necessary to configure the system for one or more users, applications and hardware devices.”
- System wide storage for
  - Per computer settings
  - Per user settings
- Stores date and time settings like a log
- “Registry” exists only when booted up
- On shutdown – stored in hive files

Registry – History
- DOS used two files
  - Autoexec.bat – User configurations
  - Config.sys – Hardware settings
- Windows 3.x: .ini files
- Windows 9.x: System.dat, User.dat
- Windows XP-10: SAM, System, Software, Security, NTUSER

Benefits of the Registry
- MRUs
- Typed URLs
- System users
- Installed devices
- System time settings
- Registered user information
- Passwords and password hashes
- Internet search queries and form data
- Date and Time of Registry key updates
- Network and wireless settings and connections

Registry Files – Computer
- SAM
- SOFTWARE
- SYSTEM
- SECURITY
- \\systemroot\system32\config

Registry Files – User
- NTUSER.DAT
- \\Users\username\

Registry Viewer – Stand Alone
- Export the registry file from Imager and add it to RV

The Interface
Value Pane Menu Bar Toolbar Hive Key Tree Pane Key/Subkey Values Properties Pane Status Bar

Hex Viewer - Values

Adding Keys To Reports

Generating a Report

Reloading a Report

System – Select Key
- Pre-Windows 8: Two Control Sets
- Post-Windows 8: One Control Set

System – Time Zone Settings
- System Registry: Current Control Set\Control\TimeZoneInformation
- Important: You are determining whether DST was in use at all, not if it was in effect at the time of seizure!
- Determination below is by analyzing the Key Properties Pane
  - Daylight Savings was being used.
  - Daylight Savings was NOT being used.
- Can be set by a user or by Security policy
- Translated into “FTK speak” as…

Security Accounts Manager
- When a User account is created, the User account name is created in the SAM file.
- Each User is given a unique RID number.

SAM – Security Identifier
- SIDs are unique
- Composed of three distinct areas
  - Issuing Authority
  - Machine Identifier
  - Relative Identifier
- Issuing / Machine / RID: 1-5-21-1292428093-1708537768-1134106739 -

SAM – User Information

Software
- Stores information about software installed on the computer
- Stores per user computer settings for all users
- Stores file extension associations in the Classes subkey
- User and operating system information are stored in \Windows NT\CurrentVersion

Software – OS Version
- The version of the operating system
- Microsoft\Windows NT\CurrentVersion

NTUSER
What the user did on the computer can often be found here.
- MRUs
- Typed URLs
- Internet search queries and form data
- Recent Documents
- Internet Explorer Start Page

Module Review
- Registry Files
- Registry Viewer Interface
- Key Features of Registry Viewer
- Basic Reporting
- Time Zone Settings
- User SID
- OS Version
- User Artifacts
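
Added example (not part of the original slides or of AccessData's tooling): a decoder for the binary form of a SID that splits it into the three areas named on the "SAM – Security Identifier" slide. The function names, the exact boundaries of the split, and the RID 1001 in the sample are assumptions made for this example; the machine identifier digits are the ones shown on the slide.

```python
import struct

def parse_sid(raw: bytes) -> dict:
    """Decode a binary Windows SID and split it into the three areas."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])     # 32-bit each, little-endian
    parsed = {
        "sid": "-".join(["S", str(revision), str(authority), *map(str, subs)]),
        "issuing_authority": f"{revision}-{authority}",
        "machine_identifier": None,
        "rid": None,
    }
    # Assumed split: account SIDs are S-1-5-21-<three values>-<RID>; the three
    # values identify the machine or domain and the last value is the RID.
    if authority == 5 and count == 5 and subs[0] == 21:
        parsed["machine_identifier"] = "-".join(map(str, subs[1:4]))
        parsed["rid"] = subs[4]
    return parsed

def build_sid(authority: int, subs: list) -> bytes:
    """Helper for the demo: pack a SID into its binary form."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

# Constructed sample: machine identifier from the slide, RID 1001 invented here.
SAMPLE = build_sid(5, [21, 1292428093, 1708537768, 1134106739, 1001])

if __name__ == "__main__":
    for key, value in parse_sid(SAMPLE).items():
        print(f"{key:20} {value}")
```

SIDs that do not follow the S-1-5-21 account layout, such as well-known SIDs, are decoded to text but leave the machine identifier and RID empty.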