Chapter 15 - Registry Module
Copyright GetData Forensics Pty Ltd 2010 - 2015, All rights reserved.
The Registry module is accessed via the "Registry" tab:
Figure 144, Registry module tab
The Registry module is used to expand and examine Windows registry files. A
Windows registry contains a great deal of information that can be of value to the
"The Registry contains information that Windows continually references
during operation, such as profiles for each user, the applications installed on
the computer and the types of documents that each can create, property
sheet settings for folders and application icons, what hardware exists on the
system, and the ports that are being used." Windows registry information for
advanced users (12)
Unlike the Microsoft Windows registry editor, which is restricted to the current
system's registry, Forensic Explorer allows the forensic investigator to examine registry
files from any computer.
WINDOWS LOCATION OF REGISTRY FILES
The Windows Registry is physically stored in several files. The number of files and
their names and locations vary depending on the version of Windows in use. See
http://support.microsoft.com/kb/256986 "Windows registry information for advanced
users (12)" for detailed information.
In most cases the forensic investigator will target the following Windows registry files:
Windows 95, 98, and ME operating systems have two registry files, located in the
C:\Windows folder and/or the Windows\profiles\user profile\ folder:
Windows NT-based operating systems separate system registry data into four
files, located in the C:\Windows\system32\config\ folder:
User settings are stored in a separate file called ntuser.dat inside the user path.
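Because file names and locations vary between Windows versions, registry files in an exported evidence tree can also be recognised by content rather than by name. The following is an added example, not part of Forensic Explorer or of the original page: it assumes the NT-family hive layout (a 512-byte base block beginning with the `regf` signature), and all function names are hypothetical. Windows 95/98/ME registry files use a different format and are not matched.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

BASE_BLOCK = 512  # size of the part of the "regf" base block inspected here

def regf_checksum(block):
    """XOR of the first 127 little-endian dwords, with the two reserved values remapped."""
    calc = 0
    for (dword,) in struct.iter_unpack("<I", bytes(block[:508])):
        calc ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(calc, calc)

def parse_regf_header(block):
    """Return base-block fields for an NT-family hive, or None if this is not one."""
    if len(block) < BASE_BLOCK or block[:4] != b"regf":
        return None
    seq1, seq2, filetime, major, minor = struct.unpack_from("<IIQII", block, 4)
    try:  # FILETIME counts 100 ns ticks since 1601-01-01 UTC
        written = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    except OverflowError:
        written = None
    return {
        "version": f"{major}.{minor}",
        "last_written": written,
        "embedded_name": bytes(block[48:112]).decode("utf-16-le", "replace").split("\x00")[0],
        "checksum_ok": struct.unpack_from("<I", block, 508)[0] == regf_checksum(block),
        "dirty": seq1 != seq2,  # unequal sequence numbers: the last write did not complete
    }

def find_hives(root):
    """Map relative path -> header info for every file under root that starts with a regf block."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                info = parse_regf_header(fh.read(BASE_BLOCK))
            if info:
                hits[path.relative_to(root).as_posix()] = info
    return hits

def build_sample_block(name, seq1, seq2, filetime=130645440000000000):
    """Constructed test input (not a real hive): a bare base block dated 2015-01-01 UTC."""
    block = bytearray(BASE_BLOCK)
    struct.pack_into("<4sIIQII", block, 0, b"regf", seq1, seq2, filetime, 1, 5)
    block[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)
```

A hive reported as `dirty` or with `checksum_ok` false should be examined together with its transaction log files, since the primary file alone may not reflect the last state of the registry.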