Today we discussed the Windows registry: It's organization, the persistent components on disk and the volatile components in memory, it's structure, and its forensic value

I strongly recommend the following resources:

• Inside the Registry (Mark Russinovich)
• The Windows NT Registry File Format Version 0.4 (Timothy Morgan)

A Few Forensic Applications

Below are a few example items I have commonly found useful within the Registry. There are certainly plenty more:

• Computer name
• Timezone
• MAC address(es)
• Wireless SSIDs
• Mounted shares
• Audit policies
• Auto start applications (per user)
• Services (system)
• Mounted USB devices
• Timestamps (entries, sorted by time, can function as a sort of log)