The Windows Registry is a hierarchical database of configuration settings. For a Forensic Analyst, it is a gold mine. Even if a hacker deletes their malware file, the artifacts of its execution remain stamped in the registry hives forever.

The Hives

The registry is stored on disk in files called "Hives" located in C:\Windows\System32\config\:
SAM: User accounts and password hashes.
SYSTEM: Service configuration, Timezone.
SOFTWARE: Installed programs info.
NTUSER.DAT: (In User Profile) User-specific actions.

1. Evidence of Execution

The biggest question in IR: "Did `evil.exe` run on this machine?"

1.1. UserAssist (ROT13)

This key tracks GUI-based execution. Used to populate the Start Menu "Frequently Used" list.
Location: `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist`
Data: File Path (ROT-13 encoded), Run Count, Last Execution Time.
Meaning: If you see `evil.exe` here, the user double-clicked it.
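As an added illustration (not code from the original notes), the following Python decodes a UserAssist value name and unpacks the binary value behind it. The 72-byte layout (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-execution FILETIME at 60) is the Windows 7 and later format described in public research and is assumed here; the sample path and counters are constructed, and the helper that builds the sample bytes exists only so the parser can be exercised offline.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME to an aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample value."""
    delta = dt.astimezone(timezone.utc) - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(value_name: str) -> str:
    """Value names are stored ROT-13 encoded; ROT-13 is its own inverse."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_value(value_name: str, data: bytes) -> dict:
    """Parse a Windows 7+ style 72-byte UserAssist entry (layout assumed, see lead-in)."""
    if len(data) != 72:
        raise ValueError(f"expected a 72-byte UserAssist entry, got {len(data)} bytes")
    # offset 4: run count, 8: focus count, 12: focus time (ms), all little-endian uint32
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    # offset 60: last execution time as a little-endian uint64 FILETIME
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": decode_userassist_name(value_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means "never recorded", not the year 1601.
        "last_executed": filetime_to_datetime(last_ft) if last_ft else None,
    }


def build_sample_value(run_count: int, focus_count: int, focus_ms: int, last_executed: datetime) -> bytes:
    """Construct a 72-byte entry with the same layout (sample data, not read from a hive)."""
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_executed))
    return bytes(data)


# Constructed sample: the ROT-13 form of a hypothetical path, as it would appear as a value name.
SAMPLE_NAME = codecs.encode(r"C:\Users\bob\Downloads\evil.exe", "rot_13")
SAMPLE_LAST_RUN = datetime(2024, 1, 15, 23, 55, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_value(3, 2, 4500, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    entry = parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA)
    for key, value in entry.items():
        print(f"{key:14} {value}")
```

Note that digits, backslashes and punctuation are untouched by ROT-13, so the encoded name still leaks the drive letter and the extension; only the letters are rotated.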

1.2. ShimCache (AppCompatCache)

Used for application compatibility. It tracks file metadata (Size, Compile Time) for every executable that was visible to the OS, even if it wasn't run.
Location: `SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`
Value: PROOF that a file existed on disk at some point.

1.3. AmCache.hve

A separate hive file. It stores the SHA1 hash of executed programs.
Forensic Gold: You can match the hash in AmCache to VirusTotal to prove malware was present.
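As an added example (not part of the original notes), the Python below reproduces how an analyst hashes a recovered binary for comparison with an AmCache entry. It assumes two documented AmCache properties: the stored SHA-1 covers only the first 31,457,280 bytes of the file, and the FileId value carries a "0000" prefix in front of the 40 hex characters. Both are assumptions stated here, not something the notes above spell out; the entries and known-bad hashes are constructed.

```python
import hashlib
import tempfile
from typing import Iterable, List

# AmCache hashes at most this many leading bytes of a file (assumed documented limit).
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_style_sha1(path: str, limit: int = AMCACHE_HASH_LIMIT) -> str:
    """SHA-1 over the first `limit` bytes of a file, the way AmCache records it."""
    digest = hashlib.sha1()
    remaining = limit
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(1 << 20, remaining))
            if not chunk:
                break
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def normalize_file_id(file_id: str) -> str:
    """Strip the '0000' prefix AmCache writes before the SHA-1 and lower-case it."""
    value = file_id.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value


def match_known_hashes(entries: List[dict], known_bad: Iterable[str]) -> List[dict]:
    """Return AmCache entries whose SHA-1 is in a set of known-bad hashes."""
    bad = {normalize_file_id(h) for h in known_bad}
    return [e for e in entries if normalize_file_id(e["file_id"]) in bad]


def sha1_hex(data: bytes) -> str:
    """Plain SHA-1 of a byte string, for comparing against the truncated hash."""
    return hashlib.sha1(data).hexdigest()


def make_sample_binary(data: bytes) -> str:
    """Write constructed bytes to a temporary file and return its path (offline testing only)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as fh:
        fh.write(data)
        return fh.name


if __name__ == "__main__":
    # Constructed file contents and a constructed AmCache-style record for it.
    sample = b"MZ" + b"\x90" * 4096
    path = make_sample_binary(sample)
    recovered_entries = [
        {"path": r"C:\Users\bob\Downloads\evil.exe", "file_id": "0000" + sha1_hex(sample).upper()},
        {"path": r"C:\Windows\System32\notepad.exe", "file_id": "0000" + "0" * 40},
    ]
    print("hash of recovered file:", amcache_style_sha1(path))
    for hit in match_known_hashes(recovered_entries, [sha1_hex(sample)]):
        print("known-bad match:", hit["path"])
```

The `limit` parameter matters for large binaries: hashing the whole file with an ordinary tool will not match the AmCache value once the file exceeds the limit, so compute the truncated hash before concluding that the two differ.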

2. ShellBags: Folder Access

Question: "Did the hacker open the 'Confidential' folder?"
ShellBags track the window size/position of folders viewed in Explorer.
Location: `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
If a folder exists in ShellBags, the user definitely navigated to it. It persists even if the folder is deleted.

3. USB Device History

Question: "Did the insider steal data via USB?"
The registry tracks every USB device ever plugged in.

Location: `SYSTEM\CurrentControlSet\Enum\USBSTOR`


This contains the Vendor, Product, and Serial Number of the USB drive. You can match the Serial Number to the physical device found in the suspect's pocket.
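Added example (not from the original notes): a small parser for USBSTOR key paths that splits the device ID into vendor, product and revision and the instance ID into serial and interface index. It also flags the case a practitioner must not miss: when the second character of the instance ID is `&`, the device reported no unique serial and Windows generated one, so that value cannot be matched to a physical drive. The key paths and serial numbers are constructed; in an offline `SYSTEM` hive the live `CurrentControlSet` link does not exist, so the samples use `ControlSet001` (the `Select\Current` value says which control set was active).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Device-ID component of a USBSTOR key: <class>&Ven_<vendor>&Prod_<product>[&Rev_<revision>]
DEVICE_ID_RE = re.compile(
    r"^(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)(?:&Rev_(?P<rev>[^&]*))?$",
    re.IGNORECASE,
)


@dataclass
class UsbStorEntry:
    device_class: str            # e.g. "Disk" or "CdRom"
    vendor: str
    product: str
    revision: Optional[str]
    serial: str                  # device serial, or the whole Windows-generated ID
    instance_index: Optional[str]
    windows_generated_serial: bool


def parse_usbstor_key(key_path: str) -> UsbStorEntry:
    """Parse the last two components of a USBSTOR key path (device ID, instance ID)."""
    parts = [p for p in key_path.replace("/", "\\").split("\\") if p]
    if len(parts) < 2:
        raise ValueError(f"need <device-id>\\<instance-id>, got {key_path!r}")
    device_id, instance_id = parts[-2], parts[-1]
    match = DEVICE_ID_RE.match(device_id)
    if not match:
        raise ValueError(f"unrecognised USBSTOR device id {device_id!r}")
    # A '&' as the second character means Windows synthesised the ID because the
    # device exposed no unique serial; such an ID cannot identify a physical drive.
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    if generated or "&" not in instance_id:
        serial, index = instance_id, None
    else:
        # Real serials are followed by "&<interface index>", normally "&0".
        serial, _, index = instance_id.rpartition("&")
    return UsbStorEntry(
        device_class=match.group("cls"),
        vendor=match.group("vendor"),
        product=match.group("product"),
        revision=match.group("rev"),
        serial=serial,
        instance_index=index,
        windows_generated_serial=generated,
    )


def find_by_serial(entries: List[UsbStorEntry], seized_serial: str) -> List[UsbStorEntry]:
    """Match the serial printed on or read from a seized device (case-insensitive)."""
    wanted = seized_serial.strip().upper()
    return [e for e in entries if not e.windows_generated_serial and e.serial.upper() == wanted]


# Constructed sample key paths as they would appear in an offline SYSTEM hive.
SAMPLE_KEYS = [
    r"SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport_25E2&Rev_1009\575836314537354E&0",
    r"SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2e3a7b1f&0&000000",
    r"SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_ASUS&Prod_SDRW-08D2S-U&Rev_B901\D8Z0CL0091Y&0",
]
SAMPLE_ENTRIES = [parse_usbstor_key(k) for k in SAMPLE_KEYS]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        flag = "  (Windows-generated, not unique)" if e.windows_generated_serial else ""
        print(f"{e.device_class:6} {e.vendor:8} {e.product:18} serial={e.serial}{flag}")
    print("matches:", [e.product for e in find_by_serial(SAMPLE_ENTRIES, "575836314537354e")])
```

The `USBSTOR` key alone gives identity, not timing; the key's LastWrite time and the device's entries under other keys are what place the connection on a timeline.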

4. Tools of the Trade

We don't browse `regedit` manually. We parse the hives.

4.1. RegRipper

The industry standard (Perl based). It uses "plugins" to extract intelligence.

rip.pl -r SAM -p samparse
rip.pl -r NTUSER.DAT -p userassist
rip.pl -r SYSTEM -p usb

4.2. Eric Zimmerman's Tools

Registry Explorer: A GUI tool that handles dirty hives better than regedit.
AppCompatCacheParser: Specifically for ShimCache analysis.

5. Timezone & LastWrite Time

Registry keys have a "Last Write" timestamp (like file modification time). It is stored in UTC, so convert it with the time zone recorded in the SYSTEM hive before comparing it against local-time sources.
By correlating the `LastWrite` of the "Run" key with a file creation event, you can build a timeline of the attack.
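As an added example (not part of the original notes), the Python below builds the kind of timeline described here from constructed events: two registry LastWrite values (the Run key and a USBSTOR device key) and one file creation. It converts the FILETIME LastWrite values to UTC and then to local time using `ActiveTimeBias` from the SYSTEM hive's `TimeZoneInformation` key, including the edge case where a negative bias (east of UTC) is stored as a large unsigned DWORD. The key paths, timestamps and bias value are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Registry LastWrite values are FILETIMEs: 100-ns ticks since 1601-01-01, always UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used only to construct the sample registry events below."""
    delta = dt.astimezone(timezone.utc) - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_active_time_bias(raw_dword: int) -> int:
    """ActiveTimeBias is a signed minute count stored in a REG_DWORD.
    UTC = local + bias, so UTC-5 is 300 and UTC+1 is stored as 0xFFFFFFC4 (-60)."""
    return raw_dword - 0x1_0000_0000 if raw_dword > 0x7FFF_FFFF else raw_dword


def to_local(ts_utc: datetime, active_time_bias: int) -> datetime:
    """Apply the bias recovered from the hive: local = UTC - bias minutes (returned naive)."""
    return (ts_utc - timedelta(minutes=active_time_bias)).replace(tzinfo=None)


@dataclass
class Event:
    ts_utc: datetime
    source: str       # "registry" or "filesystem"
    detail: str


def registry_event(key_path: str, last_write_filetime: int) -> Event:
    """Wrap a key's LastWrite FILETIME as a timeline event."""
    return Event(filetime_to_utc(last_write_filetime), "registry", f"LastWrite {key_path}")


def build_timeline(events: List[Event], active_time_bias: int) -> List[Tuple[str, str, str]]:
    """Order mixed registry and file events and render each with its local time."""
    return [
        (to_local(e.ts_utc, active_time_bias).strftime("%Y-%m-%d %H:%M:%S"), e.source, e.detail)
        for e in sorted(events, key=lambda e: e.ts_utc)
    ]


# Constructed sample: a host whose TimeZoneInformation\ActiveTimeBias is 300 (UTC-5).
SAMPLE_BIAS = decode_active_time_bias(300)
SAMPLE_EVENTS = [
    registry_event(
        r"NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run",
        utc_to_filetime(datetime(2024, 1, 16, 4, 57, 10, tzinfo=timezone.utc)),
    ),
    Event(datetime(2024, 1, 16, 4, 56, 2, tzinfo=timezone.utc), "filesystem",
          r"created C:\Users\bob\Downloads\evil.exe"),
    registry_event(
        r"SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1009\575836314537354E&0",
        utc_to_filetime(datetime(2024, 1, 16, 4, 55, 0, tzinfo=timezone.utc)),
    ),
]

if __name__ == "__main__":
    for local_time, source, detail in build_timeline(SAMPLE_EVENTS, SAMPLE_BIAS):
        print(local_time, f"{source:10}", detail)
```

Keep the UTC value alongside the converted one in any report: the local rendering depends on a bias that can change with daylight saving or a user edit, while the FILETIME itself does not.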

Case Study

A laptop was wiped. The user claimed they "didn't copy any files".
Forensics recovered the `SYSTEM` hive.
Analysis of `USBSTOR` showed a 1TB Western Digital drive was plugged in at 11:55 PM.
Analysis of `ShellBags` showed the user navigated to `D:\Financial_Reports`.
Verdict: Guilty.