Purpose: Locate inculpatory or exculpatory evidence on the disk so that it may be presented in a court of law.

Assumptions: It is assumed that you have read the previous paper on ‘Windows Registry Forensics using RegRipper’ and have access to the Windows XP and/or Windows 7 registry hive files.

Evidence Disk: You can grab the EnCase image of the Greg Schardt hacking case here: part1 and part2.

Tools used: You can download RegRipper for Linux here, and RegRipper for Windows here.

Tasks performed: During the course of this investigation, you will be required to perform the following tasks:

Registry analysis using RegRipper’s graphical interface.
Determining the wireless access point information.
Determining the Google Toolbar search history.
Determining the remote systems that the suspect connected to.
Determining the common dialogs available.
Determining the presence of Trojans such as clampi, brisv, etc.
Determining if the ‘NukeOnDelete’ value is set.
Extracting information from the SAM hive using ‘samparse’.
Determining the information stored in banners.
Determining whether auditing is enabled.

As a forensics investigator, you will not be interacting with the Windows registry using the standard ‘regedit’ (Registry Editor) that ships with Windows. You will mostly be working over dormant registry hives, which are nothing more than files resident on the evidence disk. The hive files (SAM, SECURITY, SOFTWARE and SYSTEM) can mostly be found in the ‘Windows/System32/config/’ folder; information specific to each user of the system is stored in that user’s ‘NTUSER.DAT’ file.
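As an added example (not from the original article or the RegRipper project), the following POSIX shell script locates the dormant hive files described above in a mounted evidence image and feeds each one to RegRipper’s command-line tool with the matching plugin profile. It assumes rip.pl is on PATH and that the profile names sam, security, software, system and ntuser exist in the plugins directory.

```shell
#!/bin/sh
# Enumerate dormant registry hives in a mounted evidence image and pair
# each with the RegRipper profile used to parse it. Names are matched
# case-insensitively: NTFS is case-insensitive, but a Linux mount of the
# image preserves whatever case the files were written with (e.g. 'WINDOWS'
# and 'SAM' on XP, 'Windows' and 'SECURITY' on 7).

# Print "<profile> <path>" for every hive found under the mount point $1.
find_hives() {
    mount="$1"
    # System-wide hives live in Windows/System32/config on the system volume.
    for hive in sam security software system; do
        find "$mount" -type f -ipath "*/system32/config/$hive" 2>/dev/null |
            while IFS= read -r f; do printf '%s %s\n' "$hive" "$f"; done
    done
    # Per-user hives: 'Documents and Settings\<user>' on XP, 'Users\<user>' on 7.
    find "$mount" -type f -iname 'ntuser.dat' 2>/dev/null |
        while IFS= read -r f; do printf 'ntuser %s\n' "$f"; done
}

# Run RegRipper over every hive found, one report per hive, into directory $2.
# Assumed: rip.pl (RegRipper for Linux) is on PATH; '-r' names the hive file
# and '-f' selects the profile of plugins to run against it.
rip_all() {
    mount="$1"; outdir="$2"
    mkdir -p "$outdir"
    # 'read -r profile path' keeps spaces in the path ("Documents and Settings").
    find_hives "$mount" | while read -r profile path; do
        name=$(printf '%s' "$path" | tr '/ ' '__')
        rip.pl -r "$path" -f "$profile" > "$outdir/$name.txt" 2>&1
    done
}
```

Usage: `rip_all /mnt/evidence ./regripper-reports` after mounting the image read-only; the reports can then be searched for the values listed in the tasks above.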