a. Why would we say that the Registry is a veritable gold mine of information for both the administrator and the forensic investigator?
b. Which hives are inside the Registry? Which configurations/profiles are contained in these hives?
a.)
The Registry is a database that stores the configuration settings for the system's resources: users, hardware devices, and the settings of the various installed applications.
Because the main configuration and settings data for the whole system is kept in one place, the Registry is the first thing both the administrator and the forensic investigator examine. That is why the Registry is a veritable gold mine of information for both the administrator and the forensic investigator.
b.)
There are five root keys, known as "hives", inside the Registry:
i. HKEY_CLASSES_ROOT:
This hive contains the configuration settings of the applications that are used to open the other files on the system (file-type associations).
ii. HKEY_CURRENT_USER:
As the name of the hive suggests, it stores the profile details of the current user.
The current user is the one who is logged on to the system.
iii. HKEY_LOCAL_MACHINE:
This hive contains the configuration settings of the local machine (your own system). It holds details about both the hardware and the software settings.
iv. HKEY_USERS:
This hive contains all the details about the active user profiles on the system.
One system can have many users logged on to it, so this hive contains the profiles of all of those users.
v. HKEY_CURRENT_CONFIG:
This hive contains the configuration details the system needs during its start-up.