Monday 2 November 2009

The Windows Registry

When analysing an image, one important element to be able to see is the registry. It stores settings for all manner of applications within Windows (as well as settings for Windows itself), and combined with the last-write timestamp stored against each registry key it can provide invaluable information for building an accurate timeline.

The following extract is from an unpublished paper I previously worked on:
"The Windows registry is stored across a number of different files, referred to as ‘hives’. Within Windows 95, and later 98 and ME, these hives were named ‘system.dat’ and ‘user.dat’, and stored within the Windows installation folder. Windows NT and its successors were more centred on multiple users, and therefore store their files under both the Windows installation folder and the user’s own folder (Casey, 2004, p. 276)."
'Casey' in this case refers to the book 'Digital Evidence and Computer Crime'. Other papers (most notably 'Mee, V., Tryfonas, T., & Sutherland, I. (2006). The Windows Registry as a forensic artefact: Illustrating evidence collection for Internet usage. Digital Investigation, 166-173.') go into significant detail about the structure of the registry, but miss one important element: how do we view the registry without a registry editor?

Surprisingly enough, documentation on this is scarce; even the copy of Microsoft Press's 'Windows Registry Guide, 2nd Edition' next to me doesn't touch on it, assuming at all times that the registry is already loaded and can be edited in place. A number of tools are available (including the regedit tool built into Windows), but unless their source code is available they are unfortunately of little use when the goal is to parse a hive file programmatically.

Therefore, a new required component for this project is one capable of programmatically loading a registry hive file and providing an interface to the data it contains. The format of the registry files differs between versions of Windows, but the following two papers give some indication of a method for parsing a registry file:
It should be noted that the registry replaced the .INI files used by older versions of Windows; Unix still uses a similar concept with '.' configuration files (dotfiles), and because both are plain text rather than a binary database they are significantly easier to parse.
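As an added example of the component described above (my own code, written for this post; it is not part of the original project and does not come from any of the papers cited), here is a minimal parser for the NT-format 'regf' hive in Python. It validates the base block signature and checksum, follows cell offsets through the hive bins, walks 'nk' key records and their 'lf'/'lh'/'li'/'ri' subkey lists, decodes 'vk' value records, and reports each key's last-write FILETIME, which is the timestamp that makes the registry useful for timelining. Because no real hive can be shipped with a post, the block also fabricates a tiny valid hive in memory (one root key, one subkey 'Run', one REG_DWORD value 'Start') as constructed sample input; those names, the value and the timestamps are invented for the demonstration. Not handled: 'db' big-data records for values over 16344 bytes, and the Windows 9x format mentioned in the quoted extract.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch (100 ns ticks from here)
NONE = 0xFFFFFFFF                                     # "no cell" marker used throughout the hive format
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4

def from_filetime(ft): return EPOCH + timedelta(microseconds=ft // 10)
def to_filetime(dt): return (dt - EPOCH) // timedelta(microseconds=1) * 10

def base_block_checksum(block):
    csum = 0                       # XOR of the 127 dwords that precede the checksum field at offset 508
    for (w,) in struct.iter_unpack("<I", block[:508]):
        csum ^= w
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)   # the format remaps these two results

class Hive:
    def __init__(self, data):
        if data[:4] != b"regf" or base_block_checksum(data) != struct.unpack_from("<I", data, 508)[0]:
            raise ValueError("not a regf hive, or base block checksum mismatch")
        self.data = data
        self.last_written = from_filetime(struct.unpack_from("<Q", data, 12)[0])
        self.root = struct.unpack_from("<I", data, 36)[0]        # cell offset of the root nk record

    def cell(self, off):
        pos = 4096 + off           # cell offsets are relative to the first hbin, just past the 4 KiB base block
        size = struct.unpack_from("<i", self.data, pos)[0]
        if size >= 0: raise ValueError("cell at 0x%x is unallocated" % off)
        return self.data[pos + 4:pos - size]                  # negative size = in use; |size| includes the header

    def key(self, off):
        c = self.cell(off)
        sig, flags, ts, _, parent, nsub, _, sublist, _, nval, vallist = struct.unpack_from("<2sHQ8I", c, 0)
        if sig != b"nk": raise ValueError("expected nk record at 0x%x" % off)
        namelen = struct.unpack_from("<H", c, 72)[0]
        raw = bytes(c[76:76 + namelen])
        name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")   # 0x20 = KEY_COMP_NAME (ANSI name)
        subkeys = self._subkey_list(sublist) if nsub else []
        values = [struct.unpack_from("<I", self.cell(vallist), 4 * i)[0] for i in range(nval)]
        return name, from_filetime(ts), subkeys, values

    def _subkey_list(self, off):
        c = self.cell(off)
        sig, n = struct.unpack_from("<2sH", c, 0)
        if sig == b"ri":           # index root: a list of further lf/lh/li lists
            return [o for i in range(n) for o in self._subkey_list(struct.unpack_from("<I", c, 4 + 4 * i)[0])]
        stride = 4 if sig == b"li" else 8                     # lf/lh store a 4-byte name hint/hash per entry
        return [struct.unpack_from("<I", c, 4 + stride * i)[0] for i in range(n)]

    def value(self, off):
        c = self.cell(off)
        sig, namelen, size, doff, vtype, flags = struct.unpack_from("<2sHIIIH", c, 0)
        if sig != b"vk": raise ValueError("expected vk record at 0x%x" % off)
        raw = bytes(c[20:20 + namelen])
        name = (raw.decode("latin-1") if flags & 1 else raw.decode("utf-16-le")) or "(Default)"
        if size & 0x80000000:      # data of 4 bytes or less is stored in the offset field itself
            data = struct.pack("<I", doff)[:size & 0x7FFFFFFF]
        else:                      # data above 16344 bytes uses a "db" big-data record, not handled here
            data = bytes(self.cell(doff)[:size])
        return name, vtype, data

    def walk(self, off=None, path=""):
        name, ts, subkeys, values = self.key(self.root if off is None else off)
        path = path + "\\" + name if path else name
        yield path, ts, [self.value(v) for v in values]
        for s in subkeys:
            yield from self.walk(s, path)

def decode(vtype, data):
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\0")
    return struct.unpack("<I", data)[0] if vtype == REG_DWORD else data

def cell(payload):
    size = (4 + len(payload) + 7) & ~7                        # 8-byte aligned; negative size marks an allocated cell
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def nk(name, flags, ts, parent, nsub, sublist, nval, vallist):
    return struct.pack("<2sHQ15IHH", b"nk", flags, to_filetime(ts), 0, parent, nsub, 0, sublist, NONE,
                       nval, vallist, NONE, NONE, 0, 0, 0, 0, 0, len(name), 0) + name

def build_sample_hive():
    # Constructed sample input (not a real hive): ROOT\Run with one REG_DWORD value, distinct last-write times.
    t_root, t_run = datetime(2009, 11, 2, 9, 30, tzinfo=timezone.utc), datetime(2009, 11, 2, 10, 15, tzinfo=timezone.utc)
    ROOT, LF, RUN, VL, VK = 32, 120, 136, 224, 232           # cell offsets: 32-byte hbin header, then 88+16+88+8 bytes
    body = b"".join(cell(p) for p in (
        nk(b"ROOT", 0x2C, t_root, NONE, 1, LF, 0, NONE),      # 0x2C: hive entry | no delete | compressed name
        struct.pack("<2sHI4s", b"lf", 1, RUN, b"Run\0"),      # lf subkey list: offset plus 4-char name hint
        nk(b"Run", 0x20, t_run, ROOT, 0, NONE, 1, VL),
        struct.pack("<I", VK),                                # value list: one vk offset
        struct.pack("<2sHIIIHH5s", b"vk", 5, 0x80000000 | 4, 2, REG_DWORD, 1, 0, b"Start")))  # DWORD 2 stored inline
    hbin = struct.pack("<4sII", b"hbin", 0, 4096).ljust(32, b"\0") + body
    hdr = bytearray(4096)      # regf, sequence nos, timestamp, major 1, minor 3, type, format, root, bins size, cluster
    struct.pack_into("<4sIIQIIIIIII", hdr, 0, b"regf", 1, 1, to_filetime(t_run), 1, 3, 0, 1, ROOT, 4096, 1)
    struct.pack_into("<I", hdr, 508, base_block_checksum(hdr))
    return bytes(hdr) + hbin.ljust(4096, b"\0")

def sample_entries():
    return [(p, ts.isoformat(), [(n, decode(t, d)) for n, t, d in vals]) for p, ts, vals in Hive(build_sample_hive()).walk()]
```

Passing the bytes of a real hive (for example `open(path, "rb").read()`) to `Hive` instead of `build_sample_hive()` walks the file the same way. One further check an examiner should add when loading a hive from an image: compare the primary and secondary sequence numbers at offsets 4 and 8 of the base block. When they differ, the hive was not cleanly flushed and the accompanying transaction log may hold changes the file itself does not yet reflect.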
