Digital Forensics
In detail, explain the Windows registry. Describe its structure, its purpose, and how forensic examiners can use it in a case. In addition, describe what metadata is and how it relates to digital forensics.
The Windows system works on the registry; without a registry entry, Windows will not find the proper path of some installed applications. In short, we can say the registry is an index register, like the attendance register in our class, where each entry tells the student's name, seating location and absent/present status. In the same way, the Windows registry tells Windows the status of startup services and the physical path of each executing service.
As you can see in the screenshot, there are basically 5 categories. It has been divided this way since Win95, and the same structure remains in Win 10 as well:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Each has detailed sub-keys in which the system hardware configuration, its driver status, its version and much more information are stored. Users can even be restricted using the registry editor: if only a single bit is changed from 0 to 1, a system tool may be blocked for users, so it is a powerful tool for system management.
In digital forensics, if you run a registry editor monitor tool, you will see that each process keeps opening and closing registry settings millions of times in the background, so from that we can find the user's activity, that is, what he/she has opened.
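As an added example (not part of the original answer), here is a Python sketch of how an examiner could read the startup status and executable path of each service from a text export of the HKEY_LOCAL_MACHINE hive. The sample export, service names and paths are constructed, and the input is assumed to be `reg export` text already decoded to a string.

```python
import re

# Constructed sample in `reg export` text form (not from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,45,00,78,00,5c,00,73,00,76,00,63,00,2e,00,\
  65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OldDriver]
"Start"=dword:00000004
"ImagePath"="\\SystemRoot\\drivers\\old.sys"
'''
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

def decode_value(raw):
    """Decode one exported value: quoted string, dword, or hex(N) byte list."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    kind, _, body = raw.partition(":")
    if kind == "dword":
        return int(body, 16)
    data = bytes(int(b, 16) for b in body.split(",") if b.strip())
    # hex(1)/hex(2)/hex(7) hold REG_SZ/REG_EXPAND_SZ/REG_MULTI_SZ as UTF-16LE
    if kind in ("hex(1)", "hex(2)", "hex(7)"):
        return data.decode("utf-16-le").rstrip("\x00")
    return data

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} from export text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join continued hex lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"(.+?)"=(.*)', line)):
            current[m.group(1)] = decode_value(m.group(2))
    return keys

def service_startup(keys):
    """List (service, start type, image path) for each Services subkey."""
    rows = []
    for path, values in keys.items():
        m = re.search(r"\\Services\\([^\\]+)$", path)
        if m and "Start" in values:
            start = START_TYPES.get(values["Start"], "Unknown")
            rows.append((m.group(1), start, values.get("ImagePath", "")))
    return rows
```

Real exports are written as UTF-16LE files, so read them with `encoding="utf-16"` before passing the text to `parse_reg`.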