Knowledgebase:
How to View Parsed Registry Data (Data Triage)
Posted by , Last modified by on 20 June 2019 08:50 AM

Electronic Evidence Examiner allows you to view information from standard Windows registry hive files. The Parsed Registry data includes information on the state of the Windows registry at the moment the disk image was created or when the physical/logical disk was added.

 The Parsed Registry Data contains links to registry files:

  1. System, Software, Default, Ntuser.dat, Amcache and SAM registry hives data that can be found in:
    • %SystemRoot%\System32\Config\
    • %SystemRoot%\appcompat\Programs\
    • %USERPROFILE%\
  2. Exported HKEY_LOCAL_MACHINE\System, HKEY_LOCAL_MACHINE\Software hives, etc., that contain the corresponding information.

To view the parsed registry data:

  1. Add a logical/physical driveor logical/physical drive image to the case.
  2. In the Case Content pane, select the Data Triage node and select the Parsed RegistryData
  3. The Parsed RegistryData structure:
  • Parsed RegistryData node
    • <name of the Windows OS>
      • Auto-run: Information about autorun programs.
      • OS Info: Information about the operating system including the name, version, product ID, etc.
      • Explorer: Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks.
      • Programs: A list of installed programs.
      • Services: A list of Windows services. Each subkey represents a service and contains the service information, such as the startup configuration and executable image path, locations of the dump file, temp folders, etc.
      • Known DLLs: The location of DLLs loaded by Windows into applications that reference them.
      • Network Connections: Information about the network, wireless, and remote desktop connections.
      • Winlogon: Information about user authorization and Windows activation checks.
      • Devices: Information about a list of mounted devices, HDD and USB storage devices, including external memory cards, etc.
      • Amcache: Information contained in the Amcache registry hive.
      • SAM: Information contained in the SAM registry hive.
      • Email Address Location: Possible email address locations.
      • Users Info: Information about the existing Windows users. The following information is provided about each user:
        • <name of the user>
          • OpenSaveMRU, OpenSavePidlMRU, LastVisitedMRU, and LastVisitedPidlMRU: Lists of files recently opened or saved via typical Windows Explorer-style common dialog boxes (e.g., Open dialog box and Save dialog box).
          • RecentDocs: A list of files recently executed or opened through Windows Explorer.
          • RunMRU: A list of entries (e.g., full file path or commands like cmd, regedit, compmgmt.msc) executed using the Start>Run commands.
          • ACMru: Recent search terms using Windows default search.
          • TypedURLs: A list of 25 recent URLs (or file paths) that were typed in the Internet Explorer(IE) or Windows Explorer address bar.
          • Run: List of programs set to Autorun for the user.
          • WordWheelQuery: A list of recent searches performed via Windows Explorer.
          • StreamMRU: Information about the size and location of recently closed windows.
          • FTP: A list of the local FTP accounts.
          • Internet Explorer: Information about the user’s Internet Explorer data (e.g., the default download directory of Internet Explorer).
          • Office: Information about the user’s Microsoft Office data.
          • Printers: Information about the recent default printers.
          • EFS: Information about the Windows Encrypting File System data.
          • FileExts: A list of the associated programs with file extensions.
          • Last Logged on User: Information about the last user who logged on the system.
(0 vote(s))
Helpful
Not helpful

Comments (0)