CyberCode Academy

Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis

June 4, 2026·20 min
Episode Description from the Publisher

In this lesson, you'll learn about: Windows Registry structure and forensic analysis.

1. What is the Windows Registry?
- A centralized configuration database in Windows
- Stores system, user, and application settings
🔹 Core Idea
Think of it as the brain of Windows configuration.

2. Registry Structure
The registry is organized in a strict hierarchy:
🔹 Components
- Hives
- Keys
- Subkeys
- Values
🔹 Analogy
- Hive → main database file
- Key → folder
- Value → actual data entry

3. Main Root Keys
🔹 Key Windows Registry Roots
- HKEY_LOCAL_MACHINE (HKLM)
- HKEY_CURRENT_USER (HKCU)
🔹 What they represent
- HKLM → system-wide settings
- HKCU → settings for the logged-in user (a view onto that user's own hive, not a separate file under System32)

4. Physical Storage of Registry Hives
System hives are stored on disk in:
C:\Windows\System32\config
Per-user hives live in the user's profile: NTUSER.DAT in C:\Users\<name>\ and UsrClass.dat under that user's AppData\Local\Microsoft\Windows\.
Each hive also has transaction logs (.LOG1 and .LOG2) beside it; the hive on disk can lag behind them, so collect the logs with the hive.
🔹 Why this matters
- Investigators can extract registry data directly from disk
- Even if Windows is not bootable

5. Core HKLM Sub-Hives
🔹 SAM (Security Accounts Manager)
Stores:
- Local user accounts
- Password hashes
🔹 SECURITY Hive
Stores:
- Local security policy
- LSA secrets
- Authentication data
🔹 SOFTWARE Hive
Stores:
- Installed applications
- Configuration settings
🔹 SYSTEM Hive
Stores:
- Drivers
- Services
- Boot configuration
👉 Key Insight:
These hives are critical for system and user reconstruction. The hashes in SAM and the secrets in SECURITY are encrypted with a boot key that is derived from the SYSTEM hive, so always collect SYSTEM alongside them.

6. Modern Windows Registry Extensions
🔹 Newer Hives
- BCD (Boot Configuration Data): controls the boot process; stored in the boot area (\Boot\BCD or the EFI system partition) rather than in System32\config
- ELAM (Early Launch Anti-Malware): holds the data Early Launch Anti-Malware drivers use to vet boot-start drivers, protecting the early boot stage
- Browser-related application data hives
👉 Purpose:
Improve security and system initialization.

7. Forensic Extraction Tools
🔹 Common Tools
- FTK Imager: used to extract registry hives from disk
- Registry viewers (offline analysis tools)
🔹 Why FTK Imager matters
- Bypasses OS restrictions: it reads the raw volume, so it can copy hives that the running kernel keeps locked
- Works on live or dead systems

8. Registry Analysis Workflow
🔹 Step-by-step process
- Acquire a disk image
- Extract the registry hives (and their .LOG1/.LOG2 transaction logs)
- Verify each hive before use: the file should start with the "regf" signature, and a hive whose two header sequence numbers differ is mid-write and needs its transaction logs applied
- Load the hives into an analysis tool
- Examine keys and values

9. What Investigators Look For
🔹 Key Evidence Types
- User activity
- Installed software
- System boot history
- Malware persistence mechanisms (for example, autostart entries under Run/RunOnce keys and auto-start services)

Key Takeaways
- The registry is a central configuration database for Windows
- It is structured into hives, keys, and values
- Critical hives include SAM, SECURITY, SOFTWARE, SYSTEM
- Registry files are physically stored on disk
- Tools like FTK Imager enable offline forensic extraction

Big Picture
Registry analysis helps you:
👉 Move from system configuration → user and attacker behavior reconstruction

Mental Model
Registry = Windows "black box" of system activity

You can listen to and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
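The "verify each hive before use" step of the workflow, as an added example that is not part of the course material: a small Python parser for the first 4096 bytes of a raw hive file (the "regf" base block) that checks the signature, recomputes the header checksum, and reports whether the primary and secondary sequence numbers agree. Field offsets follow the on-disk hive format; the dataclass and function names are mine, and build_sample_base_block constructs synthetic header bytes so the script runs without a real hive.

```python
"""Sanity-check a raw registry hive file (the "regf" base block) before loading it.

The first 4096 bytes of every hive (SAM, SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT ...)
form the base block.  Two fields matter before analysis: the XOR-32 checksum tells you
whether the header is intact, and the pair of sequence numbers tells you whether the
last write completed.  Offsets follow the on-disk format; the names here are mine.
"""
import struct
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096      # the base block; hive bins start right after it
CHECKSUM_OFFSET = 508       # XOR-32 of bytes 0..507 is stored here
UNIX_EPOCH_FILETIME = 116444736000000000  # 1970-01-01 as 100 ns ticks since 1601-01-01


@dataclass
class HiveBaseBlock:
    primary_seq: int
    secondary_seq: int
    last_written: datetime
    major: int
    minor: int
    file_type: int          # 0 = primary hive file, 1 = transaction log
    root_cell_offset: int   # relative to the first hive bin (file offset 4096)
    hive_bins_size: int
    embedded_name: str      # tail of the hive's original path, e.g. "SYSTEM" or "ntuser.dat"
    checksum_ok: bool

    @property
    def is_dirty(self) -> bool:
        # Windows increments the primary sequence number before a write and the
        # secondary one after it.  A mismatch means the on-disk hive is mid-transaction:
        # replay .LOG1/.LOG2 (or use a tool that does) before trusting its contents.
        return self.primary_seq != self.secondary_seq


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the 127 little-endian DWORDs that precede the checksum field."""
    csum = 0
    for word in struct.unpack_from("<127I", base_block, 0):
        csum ^= word
    if csum == 0xFFFFFFFF:   # two reserved results in the on-disk format
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def filetime_to_datetime(filetime: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_base_block(data: bytes) -> HiveBaseBlock:
    """Parse and validate the base block; raises ValueError if this is not a hive."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("shorter than a regf base block: truncated or not a hive")
    if data[:4] != REGF_SIGNATURE:
        raise ValueError(f"bad signature {data[:4]!r}: not a registry hive")
    (primary, secondary, written, major, minor, file_type,
     _file_format, root, bins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", data, 4)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return HiveBaseBlock(primary, secondary, filetime_to_datetime(written), major, minor,
                         file_type, root, bins_size, name, stored == regf_checksum(data))


def build_sample_base_block(primary: int, secondary: int, name: str = "SYSTEM") -> bytes:
    """Construct a synthetic base block (test data, not a real hive) with a valid checksum."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_SIGNATURE
    struct.pack_into("<IIQIIIIIII", block, 4, primary, secondary, UNIX_EPOCH_FILETIME,
                     1, 5, 0, 1, 0x20, 0x1000, 1)       # v1.5, primary file, root cell at 0x20
    encoded = name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


def report(path: str) -> str:
    """One-line triage verdict for a hive file on disk."""
    with open(path, "rb") as fh:
        hdr = parse_base_block(fh.read(BASE_BLOCK_SIZE))
    state = "DIRTY (apply .LOG1/.LOG2)" if hdr.is_dirty else "clean"
    check = "ok" if hdr.checksum_ok else "BAD"
    return (f"{path}: name={hdr.embedded_name!r} v{hdr.major}.{hdr.minor} "
            f"seq={hdr.primary_seq}/{hdr.secondary_seq} {state} checksum={check} "
            f"last_written={hdr.last_written.isoformat()}")


if __name__ == "__main__":
    for hive_path in sys.argv[1:]:   # e.g. python hivecheck.py SAM SECURITY SOFTWARE SYSTEM
        print(report(hive_path))
```

Run it over the hives exported with FTK Imager before loading them into a viewer: a checksum failure means the export or the image is damaged, and a dirty hive means the viewer will show a stale or inconsistent state unless the transaction logs are applied.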
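The "examine keys and values" step applied to malware persistence, as an added example that is not part of the course material. It assumes the extracted hive has been mounted with reg load and the keys of interest dumped with reg export (or any tool that writes the .reg text format), parses that text, and flags Run/RunOnce entries and auto-start services whose executable sits in a user-writable directory. The sample .reg content is constructed, the list of user-writable directories is a starting heuristic rather than an exhaustive catalogue of persistence locations, and all function names are mine.

```python
"""Parse a .reg export and flag autostart entries that launch from user-writable paths.

Assumed pipeline (not from the course): mount the extracted hive with
`reg load HKLM\\Evidence C:\\case\\SOFTWARE`, dump the keys of interest with
`reg export HKLM\\Evidence\\Microsoft\\Windows\\CurrentVersion\\Run run.reg`, then feed
the text to this script.  The sample below is constructed, not from a real system.
"""
import re
import sys
from typing import Dict, List, Tuple

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\Public\\svchost.exe\" -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalServiceNetworkRestricted"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\updsvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,44,00,\
  61,00,74,00,61,00,5c,00,73,00,76,00,63,00,2e,00,65,00,78,00,65,00,00,00
"Start"=dword:00000002
"FailureActions"=hex:80,51,01,00
'''

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data
_HEX_DATA = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
SERVICE_AUTO_START = 2      # "Start" value meaning automatic start under ...\Services\<name>


def _unescape(text: str) -> str:
    return re.sub(r"\\(.)", r"\1", text)   # .reg escapes backslash and double quote with a backslash


def _parse_data(data: str):
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])                     # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)                         # REG_DWORD, written as 8 hex digits
    m = _HEX_DATA.match(data)
    if m:
        kind = int(m.group(1) or 3)                      # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        if kind == 2:                                    # REG_EXPAND_SZ, stored as UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                                    # REG_MULTI_SZ: NUL-separated strings
            return [s for s in raw.decode("utf-16-le").split("\x00") if s]
        return raw
    return data                                          # "-" deletion markers etc., verbatim


def _logical_lines(text: str):
    """Join hex continuation lines (trailing backslash, indented next line) into one line."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        yield line


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: decoded data}} for a .reg export."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            keys[current][name] = _parse_data(m.group(2))
    return keys


def executable_of(command: str) -> str:
    """Pull the program path out of a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0] if command else ""


def find_persistence(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) for autostart entries whose binary is in a user-writable path."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        lower = key.lower()
        if lower.endswith(AUTORUN_SUFFIXES):
            candidates = [(n, v) for n, v in values.items() if isinstance(v, str)]
        elif "\\services\\" in lower and values.get("Start") == SERVICE_AUTO_START:
            image = values.get("ImagePath")
            candidates = [("ImagePath", image)] if isinstance(image, str) else []
        else:
            continue
        for name, command in candidates:
            exe = executable_of(command).lower()
            if any(d in exe for d in USER_WRITABLE):
                hits.append((key, name, command))
    return hits


def load_reg_file(path: str) -> str:
    with open(path, "rb") as fh:
        raw = fh.read()
    # reg.exe writes UTF-16LE with a BOM; fall back to UTF-8 for hand-written files
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, command in find_persistence(parse_reg_export(text)):
        print(f"[{key}] {name} -> {command}")
```

On the constructed sample the legitimate SecurityHealth entry and the Dhcp service pass, while the Run value pointing at C:\Users\Public\svchost.exe and the auto-start service whose REG_EXPAND_SZ ImagePath decodes to C:\ProgramData\svc.exe are reported. Treat the output as a triage list to pivot from, not a verdict: the same keys in the SOFTWARE and SYSTEM hives, plus each user's NTUSER.DAT, all need the same pass.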
