Unit 6: Windows File Systems and Registry 6.3 Activity and Discussion Activity: Practicing Acces...

mac 2022-06-30 20

ACTIVITY: PRACTICING ACCESSDATA’S REGISTRY VIEWER

This activity is designed for a Windows system.

Time: This activity should take you approximately 60 minutes to complete.

SOFTWARE AND FILES

Download Registry Viewer and the User Guide from the AccessData website. Confirm the MD5 hash of the download before installing it.

Registry Viewer download link (MD5: 2e56a6fe531f386dbef2952a6852429d)

User Guide download link

NOTE: Registry Viewer requires a dongle to access all of its program features. We will run Registry Viewer in Demonstration mode with limited program features.

Download and extract these Windows registry hive files:

SAM
SYSTEM
Mark-NTUSER.DAT

Registry Hives download link (.zip)

For your own practice, you can also use FTK Imager to export the hive files from your own Windows system.

GOAL

The Windows registry is a system-defined hierarchical database containing hardware, user and preference, application, and network configuration information for the Windows system. Examining the Windows registry is one of the most important steps in Windows forensic analysis.

In this activity, you will practice using Registry Viewer to examine registry hive files and to extract and correlate information to obtain evidence.

You may want to review the videos Windows Registry Demo 1 and Windows Registry Demo 2 before beginning this activity.

INSTRUCTIONS

1. Install Registry Viewer on your Windows system and launch it by clicking on the Registry Viewer icon.

Note: An ERROR message screen will appear since you do not have a license dongle. Click “No” to run Registry Viewer in the demo mode.

2. To open the hive file you would like to examine, click File > Open.

3. Registry Viewer also lets you quickly search the hive by key name, value, and last-written date. To find specific registry data, select Edit > Find.

4. Examine the SAM, SYSTEM, and Mark-NTUSER.DAT hives to answer the Check Your Work questions.
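The activity asks you to confirm the download's MD5 and then to examine three hive files. The following Python script is an added example (it is not part of the course page and not AccessData's code) that performs the pre-flight checks a practitioner runs before loading hives into a viewer: it verifies a downloaded file against the MD5 printed above, and it parses the 4 KiB "regf" base block of each hive to recover the hive name, format version and last-written time, and to flag two conditions that a viewer may silently tolerate: a primary/secondary sequence-number mismatch (the hive was copied mid-write) and a base-block checksum failure (the header is damaged). The `build_sample_hive` helper constructs a minimal synthetic hive image so the script can be exercised offline; it is not a real Windows hive. File paths passed on the command line are assumed to be the extracted SAM, SYSTEM and Mark-NTUSER.DAT files.

```python
"""Pre-flight integrity checks for a registry-hive exercise (added example)."""
import hashlib
import hmac
import struct
import sys
from datetime import datetime, timedelta, timezone

# Expected MD5 of the Registry Viewer download, as printed in the activity text.
REGISTRY_VIEWER_MD5 = "2e56a6fe531f386dbef2952a6852429d"


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def md5_matches(path, expected_hex):
    """Case-insensitive, constant-time comparison against the published hash."""
    return hmac.compare_digest(md5_of_file(path).lower(), expected_hex.strip().lower())


def regf_checksum(base_block):
    """XOR of the first 127 DWORDs (508 bytes) of the base block.
    Two results are reserved by the format and remapped: 0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if acc == 0:
        return 1
    return acc


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_regf_header(data):
    """Parse the 4096-byte base block of a hive file and report integrity flags.
    Raises ValueError if the data is too short or does not carry the 'regf' signature."""
    if len(data) < 0x1000:
        raise ValueError("file shorter than the 4096-byte base block")
    base = data[:0x1000]
    if base[:4] != b"regf":
        raise ValueError(f"not a registry hive: signature {base[:4]!r}")
    # Fields from offset 0x04: primary seq, secondary seq, last-written FILETIME,
    # major, minor, file type, file format, root cell offset, hive-bins size, cluster factor.
    (primary_seq, secondary_seq, last_written, major, minor, _file_type, _fmt,
     root_off, bins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", base, 4)
    stored_sum = struct.unpack_from("<I", base, 0x1FC)[0]
    # The hive name is a 64-byte UTF-16LE field at 0x30 (the tail of the original path).
    name = base[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "hive_name": name,
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": root_off,
        "hive_bins_size": bins_size,
        "dirty": primary_seq != secondary_seq,        # copied mid-write; replay .LOG1/.LOG2
        "checksum_ok": stored_sum == regf_checksum(base),
        "first_bin_ok": data[0x1000:0x1004] == b"hbin",  # first hive bin follows the base block
    }


def build_sample_hive(hive_name="SAM", dirty=False):
    """Construct a minimal, well-formed hive image for offline testing.
    This is constructed sample data, not a real Windows hive."""
    base = bytearray(0x1000)
    base[0:4] = b"regf"
    primary = 7
    secondary = primary + 1 if dirty else primary
    last_written = 132_000_000_000_000_000  # constructed FILETIME, falls in 2019
    struct.pack_into("<IIQIIIIIII", base, 4, primary, secondary, last_written,
                     1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = hive_name.encode("utf-16-le")
    base[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", base, 0x1FC, regf_checksum(bytes(base)))
    hbin = bytearray(0x1000)
    hbin[0:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 0x1000)  # bin offset from 0x1000, bin size
    return bytes(base) + bytes(hbin)


if __name__ == "__main__":
    # Usage: python hivecheck.py <hive file> [<hive file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = parse_regf_header(fh.read())
        status = "OK" if info["checksum_ok"] and not info["dirty"] else "CHECK"
        print(f"{status:5} {path}: {info}")
```

A `dirty` result is not a reason to discard the hive, but it is a reason to collect the matching `.LOG1`/`.LOG2` transaction logs from the same `config` directory, since changes committed after the capture point live only there; a `checksum_ok` of False on a file you exported yourself usually means a truncated or partially overwritten copy rather than tampering, so re-export before drawing conclusions from the hive's contents.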

Reposted from: https://www.cnblogs.com/sec875/articles/10015707.html
