Time: 4 hours 15 minutes
Difficulty: Beginner
CEU/CPE: 4

Video Transcription

00:01
Hello, welcome back to the course. In the last module we started with Windows forensics by analyzing the security identifiers, or SIDs. In module six we're going to talk about the system registry,
00:12
that is, its hive structure and its root keys.
00:18
Before that, here's a pre-assessment question for you.
00:21
What is the most common way to access the system registry in Windows?
00:25
Is it A, via the Internet Explorer web browser; B, using the Windows Registry Editor, also called regedit; C, by reading the hard drive; or D, using [inaudible]?
00:37
Although it is true that we can use specialized forensic tools to access the registry, the most common way to access the system registry in Windows is via the Windows Registry Editor, also called regedit. So the answer here is B.
00:51
The Windows registry is a system-defined database in which applications and system components store and retrieve configuration data.
00:59
The Windows operating system provides registry APIs to retrieve, modify or delete registry objects such as keys, values and data.
01:08
The registry contains information that Windows continually references during operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used.
01:27
The registry replaces most of the text-based .ini files
01:32
that were used in Windows 3.x and the MS-DOS configuration files, such as autoexec.bat and config.sys.
01:40
Although the registry is common to several Windows operating systems, there are some differences among them. For instance, in Windows 98 the registry files are named user.dat and system.dat. In Windows Me, in addition, the registry files are named classes.dat, user.dat
01:59
and system.dat.
02:00
From a digital forensics point of view, the Windows registry is one of the primary targets for Windows forensics, as it stores not only the configuration of the operating system and user-installed applications but also meaningful data that can be useful for identifying user behaviors and reconstructing past events.
02:22
Windows registry analysis techniques are widely used in Windows forensics.
02:29
In modern Windows systems the registry is composed of multiple registry hives, and each hive contains a group of keys, subkeys and values that is actually stored in a Windows registry file, also known as the hive file, along with a backup copy.
02:46
Each time a new user logs onto a computer, a new hive is created for that user, with a separate file for the user profile. This is called the user profile hive. A user hive contains specific registry information about the user's application settings, desktop environment, network connections and printers.
03:06
The HKEY_USERS key contains the user profile hives.
03:13
The Windows registry has a structure similar to a Windows folder with some files. Its main folder is named a hive. Each hive contains folders called keys.
03:24
These keys contain subkeys with configuration values for each software or system component of the computer. Each key has a name consisting of one or more printable characters. Key names are not case sensitive,
03:38
and the names cannot include the backslash character, but any other printable character can be used. Value names and data can include the backslash character.
03:49
The name of a key is unique with respect to the key that is immediately above it in the hierarchy. Key names are not localized into other languages, although values may be.
04:00
The most common way to access the registry is via the Windows Registry Editor, also called regedit.
04:08
The HKEY_LOCAL_MACHINE key has the subkeys HARDWARE, SAM, SECURITY, SOFTWARE and SYSTEM.
04:15
Each of these keys has subkeys. For example, the HARDWARE key has the subkeys DESCRIPTION, DEVICEMAP and RESOURCEMAP,
04:24
and the DEVICEMAP key has several subkeys, including VIDEO.
04:28
A registry tree can be 512 levels deep.
04:33
The registry can be accessed both on a live machine and on an image. The supporting files for all hives except HKEY_CURRENT_USER are in the %SystemRoot%\System32\Config folder on Windows NT 4, Windows 2000, Windows XP, Windows Server 2003 and Windows Vista.
04:53
The supporting files for HKEY_CURRENT_USER are in the %SystemRoot%\Profiles\Username folder. As we can see in the table displayed, the filename extensions of the files in these folders indicate the type of data they contain. For example,
05:09
.log indicates a transaction log of changes to the keys and value entries in the hive.
05:15
.sav is a backup copy of a hive. Also, the lack of an extension indicates the file is a complete copy of the hive data.
05:26
Okay, here's a quick question for you.
05:29
The supporting files of which hive are stored in the %SystemRoot%\Profiles\Username folder? Is it A, HKEY_CURRENT_USER; B, HKEY_CURRENT_CONFIG; C, HKEY_LOCAL_MACHINE; or D, HKEY_CLASSES_ROOT?
05:43
If you said A, you're correct. All other hives store their files in the folder located at %SystemRoot%\System32\Config.
05:55
A quick examination of the registry with regedit shows that the database is built on five top-level keys:
06:01
HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG.
06:11
HKEY_CLASSES_ROOT is dedicated to storing information about software settings, about the file system,
06:16
shortcut information, file associations and other user interface information.
06:23
The file association information is essentially used by Windows to invoke the correct program when a file is opened using Windows Explorer.
06:33
HKEY_CURRENT_USER, sometimes abbreviated as HKCU, contains the root of the configuration information for the user who is currently logged on.
06:45
The user's folders, screen colors and Control Panel settings are stored here.
06:49
This information is associated with the user's profile and is updated as users make changes to their environments.
06:58
The data here is derived from the HKEY_USERS key, which contains user information for all accounts on the system.
07:05
HKEY_USERS contains the configuration settings for each hardware and software item in the system, corresponding to each of the users of the computer system;
07:16
the information on the users' folders, the users' choice of icons and colors, and Control Panel settings are stored here as user profiles.
07:25
If you analyze this hive, each user's subkey stores his or her user profile.
07:31
HKEY_USERS is sometimes abbreviated as HKU.
07:39
The HKEY_CURRENT_CONFIG key extracts data from the HKEY_LOCAL_MACHINE key and contains information about the hardware profile that is used by the local computer at system startup.
07:49
This hive is dynamic, meaning it is built on the fly.
07:57
HKEY_LOCAL_MACHINE contains configuration information particular to the computer, for any user.
08:03
This key is sometimes abbreviated as HKLM. On Windows NT and recent versions, this key contains four subkeys, SAM, SECURITY, SYSTEM and SOFTWARE, that are loaded at boot time from the respective files located in the %SystemRoot%\System32
08:22
\Config folder.
08:24
A fifth subkey, HARDWARE, is volatile and is created dynamically, so it is not stored in a file.
08:33
Okay, before finishing, here's a post-assessment question for you.
08:37
Which registry key contains the root of the configuration information for the user who is currently logged on?
08:45
Is it A, HKEY_CLASSES_ROOT; B, HKEY_CURRENT_USER; C, HKEY_LOCAL_MACHINE; or D, HKEY_USERS?
08:56
If you said B, you're correct.
08:58
HKEY_CURRENT_USER provides access to configuration data for the active user on the PC.
09:05
Don't forget to check the references and supplementary material for more information on hives and the Windows registry. In the next video we're going to analyze the components of the Windows registry and some more hives.
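As an added example, not part of the lesson's own material: a small Python helper that encodes the hive-to-file mapping, the filename-extension meanings and the key-naming rules covered in this module, so an analyst working from a disk image can tell which supporting file backs a given registry path. The NTUSER.DAT filename for the HKEY_CURRENT_USER hive, the default system root and the example user name are assumptions; the transcript only names the profile folder.

```python
"""Map registry paths from the lesson to the on-disk hive files an analyst
would collect from an image, and check the key-naming rules it describes."""
import os

# HKEY_LOCAL_MACHINE subkeys loaded at boot from %SystemRoot%\System32\Config.
HKLM_HIVES = {"SAM", "SECURITY", "SOFTWARE", "SYSTEM"}
MAX_DEPTH = 512  # a registry tree can be 512 levels deep


def hive_file_for(key_path, system_root="C:\\Windows", user="analyst"):
    """Return the supporting file backing key_path, or None for keys that are
    volatile or built at run time (HARDWARE, HKEY_CURRENT_CONFIG, and the
    derived HKEY_CLASSES_ROOT / HKEY_USERS roots themselves)."""
    parts = [p for p in key_path.split("\\") if p]
    if not parts:
        raise ValueError("empty key path")
    if len(parts) - 1 > MAX_DEPTH:
        raise ValueError("key path deeper than %d levels" % MAX_DEPTH)
    root, subkeys = parts[0].upper(), parts[1:]
    if root in ("HKEY_LOCAL_MACHINE", "HKLM"):
        if subkeys and subkeys[0].upper() in HKLM_HIVES:
            return "\\".join([system_root, "System32", "Config", subkeys[0].upper()])
        return None  # HARDWARE is volatile and never stored in a file
    if root in ("HKEY_CURRENT_USER", "HKCU"):
        # Profile folder as given in the lesson; NTUSER.DAT is an assumed name.
        return "\\".join([system_root, "Profiles", user, "NTUSER.DAT"])
    return None


def classify_hive_file(filename):
    """Classify a file from the config folder by the extension rules in the lesson."""
    ext = os.path.splitext(filename)[1].lower()
    if ext.startswith(".log"):  # .LOG (also .LOG1/.LOG2 on newer systems)
        return "transaction log"
    if ext == ".sav":
        return "backup copy"
    if ext == "":
        return "complete hive"
    return "unknown"


def valid_new_key_name(name, sibling_names):
    """Key names: printable, no backslash, unique (case-insensitively) among siblings."""
    if not name or "\\" in name or not name.isprintable():
        return False
    return name.upper() not in {s.upper() for s in sibling_names}
```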

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor