The Windows Registry is one of the richest evidence sources in computer forensics. It records nearly every significant system and user action: software installed and when, devices connected, files recently opened, network connections, user account activity, and much more.
Most users don’t know it exists. Forensic examiners know it intimately.
Registry Structure
The Registry is organized into hives — sections of the registry stored as files:
SYSTEM: System configuration, hardware, services, and network settings. Located at `C:\Windows\System32\config\SYSTEM`.
SOFTWARE: Installed software, OS settings, and application configuration. At `C:\Windows\System32\config\SOFTWARE`.
SAM (Security Account Manager): Local user accounts and password hashes. At `C:\Windows\System32\config\SAM`.
SECURITY: Security policy and audit settings.
NTUSER.DAT: Per-user hive. Found in each user’s profile at `C:\Users\[username]\NTUSER.DAT`. Contains user-specific settings, recent files, and activity.
UsrClass.dat: Per-user class registrations. Located at `C:\Users\[username]\AppData\Local\Microsoft\Windows\UsrClass.dat`.

Key Forensic Artifacts in the Registry
Recently opened files (RecentDocs): `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` — tracks files recently opened in Windows Explorer by extension and overall. Shows filenames and order of access.
UserAssist: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist` — encoded records of GUI programs executed, with run count and last execution time. Entries are ROT-13 encoded but trivially decoded. This is one of the most valuable artifacts for proving a user ran a specific program.
ShimCache (AppCompatCache): `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` — tracks executables that ran or were present on the system. Records the file path and last modification time and, on some Windows versions, a flag indicating whether the file was actually executed.
BAM (Background Activity Moderator): `SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\[SID]` — records programs executed in the background with last execution timestamps. Available from Windows 10 onwards.
MRU (Most Recently Used) lists: Multiple locations throughout NTUSER.DAT track recently used items: recently run commands (`RunMRU`), recently typed paths (`TypedPaths`), recently searched terms (`WordWheelQuery`).
USB device history: `SYSTEM\CurrentControlSet\Enum\USBSTOR` — every USB storage device connected to the system, including device type, manufacturer, product name, serial number, and first/last connected times.
Network connections: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles` — previously connected networks with connection timestamps.
Startup programs: `SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `NTUSER.DAT\…\Run` — programs configured to start automatically. Malware frequently adds entries here.
Installed programs: `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` — list of installed software with installation dates.
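As an added example (not code from the page or from any tool it names), the following Python decodes one UserAssist entry the way the artifact description above lays it out: the ROT-13 value name and the 72-byte Windows 7+ value layout with run count, focus count, focus time and last-execution FILETIME. The entry is constructed inline; the GUID prefix is the well-known executable-file UserAssist GUID.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100-ns units

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime (None when never run)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def decode_userassist_name(encoded):
    """Value names (GUID prefix and program path) are stored ROT-13 encoded."""
    return codecs.decode(encoded, "rot_13")

def parse_userassist_value(data):
    """Parse the 72-byte Windows 7+ UserAssist value layout:
    +0x04 run count, +0x08 focus count, +0x0C focus time (ms), +0x3C last-run FILETIME."""
    if len(data) < 72:
        raise ValueError("value shorter than the 72-byte Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run, = struct.unpack_from("<Q", data, 60)
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_time_ms": focus_ms, "last_executed": filetime_to_datetime(last_run)}

def decode_userassist_entry(encoded_name, data):
    """Combine the decoded name with its parsed counters into one report row."""
    entry = parse_userassist_value(data)
    entry["program"] = decode_userassist_name(encoded_name)
    return entry

# Constructed sample: ROT-13 of "{CEBFF5CD-...}\C:\Windows\System32\cmd.exe" plus a value
# blob with run count 7, focus count 3, 45 s of focus time and a last-run time of
# 2024-03-15 14:30:00 UTC (FILETIME 133549866000000000).
SAMPLE_NAME = r"{PROSS5PQ-NPR2-4S4S-9178-9926S41749RN}\P:\Jvaqbjf\Flfgrz32\pzq.rkr"
SAMPLE_VALUE = (struct.pack("<IIII", 0, 7, 3, 45000)    # session id, run count, focus count, focus ms
                + b"\x00" * 44                           # float fields not needed here (up to offset 60)
                + struct.pack("<Q", 133549866000000000)  # last execution FILETIME at offset 60
                + b"\x00" * 4)                           # trailing dword

if __name__ == "__main__":
    e = decode_userassist_entry(SAMPLE_NAME, SAMPLE_VALUE)
    print(f"{e['program']}  runs={e['run_count']}  last={e['last_executed']:%Y-%m-%d %H:%M:%S} UTC")
```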
Registry Last Write Times
Every registry key has a “last write time” — the timestamp of the most recent modification. This is the only timestamp natively stored in the registry (there are no separate created/accessed times).
Last write times are critical for establishing when changes occurred and building timelines.

Registry Analysis Tools
RegRipper: Open-source Perl script that automates extraction of forensic artifacts from registry hives. Plugins target specific keys and produce formatted output. The standard tool for registry analysis.
FTK (Forensic Toolkit): Includes registry viewer and RegRipper integration.
Autopsy: Includes a Registry Viewer module for basic key browsing.
Registry Explorer (Eric Zimmerman): Excellent free tool for manual registry browsing with search and bookmarking. Zimmerman’s forensic tools are widely used in the field.
Volatility: For registry analysis from RAM images — live registry hives in memory may contain keys not yet written to disk.
Registry in Malware Investigations
Malware analysis routinely involves the registry:
FAQ: Windows Registry Forensics
Q: Can deleted registry keys be recovered?
A: Yes. Like SQLite databases, the registry stores deleted key data in “slack” space within the hive files until that space is reused. Tools like RegRipper and specialized parsers can recover deleted keys from registry hive slack.
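To show both points in code, the last write time stored in every key record and the recovery of a key from a free cell in hive slack, here is an added Python example that is not code from the page or from any tool it names. The hive bytes are constructed inline, the `regf` header is a stub rather than a real 4096-byte header, and the scan is a signature carve rather than a full hbin walk.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100-ns units

def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def build_nk_cell(name, last_write, allocated):
    """Build one hive cell holding a minimal 'nk' key record (constructed test data).
    The cell size is negative when allocated and positive when free, i.e. a deleted key."""
    name_bytes = name.encode("ascii")
    body = (b"nk" + struct.pack("<H", 0x20)                        # signature, flags
            + struct.pack("<Q", datetime_to_filetime(last_write))  # last write time at +0x04
            + b"\x00" * 60                                         # offsets/counts not needed here
            + struct.pack("<HH", len(name_bytes), 0)               # name length at +0x48, class length
            + name_bytes)                                          # key name at +0x4C
    body += b"\x00" * (-(len(body) + 4) % 8)                       # whole cell is 8-byte aligned
    size = len(body) + 4
    return struct.pack("<i", -size if allocated else size) + body

def carve_nk_records(hive):
    """Signature-scan raw hive bytes for 'nk' records in allocated and free cells.
    Returns (key name, last write time, deleted) tuples. A full parser walks hbin cells;
    this carve is what recovers keys still sitting in hive slack."""
    found = []
    pos = hive.find(b"nk", 4)
    while pos != -1:
        size = struct.unpack_from("<i", hive, pos - 4)[0]          # cell size precedes the record
        if size != 0 and size % 8 == 0 and pos + 0x4C <= len(hive):
            name_len = struct.unpack_from("<H", hive, pos + 0x48)[0]
            if 0 < name_len <= abs(size) - 4 - 0x4C:               # name must fit inside the cell
                last_write = struct.unpack_from("<Q", hive, pos + 4)[0]
                name = hive[pos + 0x4C:pos + 0x4C + name_len].decode("ascii", "replace")
                found.append((name, filetime_to_datetime(last_write), size > 0))
        pos = hive.find(b"nk", pos + 2)
    return found

# Constructed mini-hive: stub header, one live key, one deleted key left in a free cell.
SAMPLE_HIVE = (b"regf" + b"\x00" * 28
               + build_nk_cell("Run", datetime(2024, 3, 15, 14, 30, tzinfo=timezone.utc), True)
               + build_nk_cell("TypedPaths", datetime(2023, 11, 2, 9, 5, tzinfo=timezone.utc), False))

if __name__ == "__main__":
    for name, last_write, deleted in carve_nk_records(SAMPLE_HIVE):
        print(f"{name:<12} last write {last_write:%Y-%m-%d %H:%M:%S} UTC  deleted={deleted}")
```

The free-cell record is the one a registry cleaner would have removed from the key tree; it stays readable until the cell is reused.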
Q: Does clearing the Windows registry cover tracks?
A: Not effectively. Registry “cleaning” tools remove specific keys, but they can’t erase the last write times that show something was modified. The absence of expected keys is itself suspicious. And many registry-based artifacts are preserved in multiple locations.
Q: Is the registry present on every Windows computer?
A: Yes, on all modern Windows versions. The specific hive files and key locations vary between Windows 7, 10, and 11, but the fundamental structure is consistent.
Q: How long does a typical forensic examination take?
A: Timelines vary based on data volume and case complexity. A single device may take one to three days; multi-device investigations can span weeks.
Q: What certifications should a digital forensics examiner hold?
A: Common certifications include EnCE, CFCE, CCE, and GCFE. Relevance depends on the examination type and the jurisdiction’s expectations.
Case Example
In a civil dispute, one party alleged digital evidence had been altered after a preservation obligation arose. The forensic examiner compared file system metadata against the litigation timeline and found several files modified after the preservation letter was received. A system cleanup utility had been run during the same period. The examiner documented the specific artifacts indicating post-preservation modifications, distinguishing between routine system operations and deliberate user actions, providing the court with a factual basis for evaluating the spoliation claim.
Practitioner Takeaways
- Verify forensic images with cryptographic hashing before analysis.
- Document every examination step for reproducibility.
- Cross-reference findings across multiple artifact types.
- Note tool versions used — behavior changes between versions affect reproducibility.
- Distinguish facts from inferences in your report.
Need Professional Digital Forensics?
Octo Digital Forensics provides expert mobile forensics, data recovery, and digital investigation services for attorneys, insurance companies, and private investigators. Court-admissible reports. Certified examiners.
Contact: octodf.com | info@derickdowns.com | (858) 692-3306