6.4 Registry Viewer
Video Transcription
00:01
Hi, welcome back. In this lab, we are going to learn how to extract data and information from the System Registry by using the AccessData Forensic Toolkit, which can scan a hard drive, a file, or an image looking for various information.

For this lab, you will need a Windows operating system environment, a web browser, and you will also need the latest version of AccessData FTK Imager and AccessData Registry Viewer installed on your computer.

First, log in to your Windows machine and open a web browser. I have here Google Chrome running on a Windows 10 environment. Search for AccessData FTK Imager and AccessData Registry Viewer, or you can go directly to the link in the guide. On the website, you'll be able to download and install the tools required. Remember, we need to install Registry Viewer and FTK Imager. You may need to provide some information like name and email in order to download the tools. The installation is pretty straightforward. You just need to follow the wizard, agree with the terms, and click on "Next". That is why I'm skipping the step, as I already have the tools installed.

Open AccessData FTK Imager. This is the most widely used standalone disk imaging program to extract the Windows Registry from a computer. Click on the "Add Evidence Item" button and select "Logical Drives" to extract data from a partition. We can extract data from the hard drive by clicking "Physical Drive". We can also extract data from an image file or a folder. Select the "Source Drive". In my case, I'm selecting the C drive of my computer to extract the local registry.

Expand the evidence tree. Wait for the scan to finish and go to Windows, System32, config. In here we can see the Registry hive supporting files. As we analyzed in the previous videos, the Windows Registry contains a root key titled HKEY_LOCAL_MACHINE, which contains settings that relate to the local computer. There are four main subkeys under this key, SAM, SECURITY, SOFTWARE, and SYSTEM, which we can see here. We can also see the new registry hives, such as the Early Launch Anti-malware or ELAM, and the Browser-Based Interface or BBI. You may want to watch the previous videos in this module to see the definition of each hive.

To export a file, right-click on it and select "Export Files". We're going to explore the SAM file, as we know that it contains information about Windows accounts. To open the exported file, open AccessData Registry Viewer. Drag and drop the SAM file into the application. We will see the registry keys related to this hive, with information about the Windows users and groups in a hive format. Feel free to explore the rest of the Registry hives and learn what we can find in them.

Don't forget to check the references and supplementals for more information. In the next module, we will talk about some important information to look for when analyzing the evidence.