Among the information we can obtain in a forensic analysis of a Windows computer, the Windows registry provides us with interesting details about the installation, the users, the installed programs …
Where can we find these files?
On Windows XP, Windows Vista, Windows 7 and Windows 8 (among other versions), the registry hive files can be found in the following path:
C:\Windows\System32\config\
The hive files of interest are:
- \DEFAULT
- \SAM
- \SECURITY
- \SOFTWARE
- \SYSTEM
The first thing we do is extract these files from a test environment to see what information we can get from each of them. The program we use to view the information they contain is "Windows Registry Recovery".
The hives that provide the most information are SAM, SOFTWARE and SYSTEM. In this post we will look at some of the information stored in SYSTEM, and in the next post we will show the results for the SAM and SOFTWARE files.
C:\Windows\System32\config\SYSTEM:
Network configuration:
Last known hardware configuration:
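As an added example (not the post's own code, and independent of the Windows Registry Recovery tool it uses), a PowerShell session that loads the extracted SYSTEM hive under a temporary key and reads the same two items from it: the network configuration and the control set Windows kept as the last known good hardware configuration. The evidence path, the mount key name and an elevated session are assumptions.

```powershell
# Added example, not code from the original post: load a SYSTEM hive that was
# copied out of the evidence and read the network configuration and the
# last known good control set from it.
# Assumptions: hive copied to C:\evidence\SYSTEM (placeholder path) and an
# elevated PowerShell session, which reg.exe load requires.
$HivePath  = 'C:\evidence\SYSTEM'
$MountName = 'ForensicSYSTEM'            # temporary key under HKLM (assumed name)
$Base      = "HKLM:\$MountName"

function Join-NonEmpty($Values) { ($Values | Where-Object { $_ }) -join ' ' }

reg.exe load "HKLM\$MountName" $HivePath | Out-Null
try {
    # Select holds DWORD indices into ControlSet00N: Current is the set used at
    # the last boot, LastKnownGood the hardware configuration kept as fallback.
    $sel     = Get-ItemProperty -Path "$Base\Select"
    $current = 'ControlSet{0:D3}' -f $sel.Current
    $lkg     = 'ControlSet{0:D3}' -f $sel.LastKnownGood
    $cs      = "$Base\$current"

    [pscustomobject]@{
        ComputerName  = (Get-ItemProperty "$cs\Control\ComputerName\ComputerName").ComputerName
        CurrentSet    = $current
        LastKnownGood = $lkg
    } | Format-List

    # One GUID subkey per adapter; DHCP-assigned values carry the Dhcp prefix,
    # statically configured ones do not, so both are reported.
    Get-ChildItem -Path "$cs\Services\Tcpip\Parameters\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Interface = $_.PSChildName
            DHCP      = [bool]$p.EnableDHCP
            IPAddress = Join-NonEmpty @($p.DhcpIPAddress, $p.IPAddress)
            Gateway   = Join-NonEmpty @($p.DhcpDefaultGateway, $p.DefaultGateway)
            DNS       = Join-NonEmpty @($p.DhcpNameServer, $p.NameServer)
            Domain    = Join-NonEmpty @($p.DhcpDomain, $p.Domain)
            # LeaseObtainedTime is a Unix timestamp (seconds since 1970-01-01 UTC)
            LeaseFrom = $(if ($p.LeaseObtainedTime) {
                [DateTimeOffset]::FromUnixTimeSeconds([int64]$p.LeaseObtainedTime).UtcDateTime })
        }
    } | Format-Table -AutoSize
}
finally {
    # Release the hive so the evidence copy is not left mounted in the live registry.
    [gc]::Collect()
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Work on a copy of the hive rather than the original evidence file, since loading it opens it for write access.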
We hope that this post has been of interest to you. We will write much more about the data stored in the Windows Registry in our next post.
Translated by @ANAgarneg