Book of the Month – Windows Registry Forensics

Every one on Windows knows how important is the role of Registry and keys that it holds to many answers when it comes to forensic analysis. Yet this mysterious part of Windows Registry has not been fully exposed publicly and new comer is often left with few nitty gritty details here and there.


Here is the finest attempt to expose those intrinsic details of registry by Harlan through his invaluable book – “Windows Registry Forensics”.



Here is the core information about the book,

  • Title: Windows Registry Forensics
  • Author:Harlan A. Carvey
  • Publisher: Syngress
  • Pages: 248
  • Release Date: Feb 7, 2011
  • Rating(Amazon):


Here is the table of contents

Chapter 1. Registry Analysis
What Is “Registry Analysis”?
What Is the Window Registry?
Registry Structure

Chapter 2. Tools
Live Analysis
Forensic Analysis

Chapter 3. Case Studies: The System
Security and SAM Hives
System Hive
Software Hive
BCD Hive

Chapter 4. Case Studies: Tracking User Activity
Tracking User Activity


First chapter is more useful for beginners showing what registry is, crucial information held by it, hive files associated with registry, how to view the contents using various tools etc. It also explains internal technical details of registry hive file structure in very simplified manner.

Next chapter is all about registry tools, starting with regedit, autoruns author showcases very useful & advanced tools such as RegRipper, RegSlack, MiTeC Registry File Viewer covering their strengths and limitations. One of the limitation imposed by some of the built-in tools is that they don’t show up Last written time which is very important when it comes to forensic analysis to build the time line of events. So author shows how to write simple Perl script to get around it along with other tools to achieve the same.


I found third chapter more interesting, here author starts with dissecting SECURITY & SAM hive files recovering user account information and then covering cracking of user password using tools like cain & abel, ophcrack and pwdump. It also covers SYSTEM hive file recovering information on installed/deleted services. Also on discovering USB and other portable devices attached to the system. It talks about some of the interesting registry keys related to browser helper objects, auto start locations, network interfaces, PendingFileRenameOperations, PersistentRoutes etc explaining how malwares or trojans make use of them.


Final chapter is dedicated to tracking user activities by analyzing various registry key locations MRU registry entries, Search terms, connected devices, startup entries (RUN, RUNOnce etc).Throughout chapter 3 & 4 author mentions about real assignments explaining how he has used specific registry information to get the job done.


It would have been better if author would have put up the approach or step by step procedure one should follow while analysing live & offline system. Author has mentioned some of these things in brief and ad-hoc manner. Putting things straight and then discussing relevant tools at each step will be more beneficial.

Overall the book is well written, easy to read and filled with the technical examples & pictorial illustrations. However if you are expecting to cover all those important registry locations then you will be disappointed and it is not feasible in one book. Each chapter ends with FAQ and references to tools and other research work that can help you to build further.


In nutshell, this is the must have book for any Windows Forensic Analyst !!!

eBook Link:

Similar posts
  • Computer Security Tips: Stay Safe Onl... In recent times cyber security has raised the level of awareness and public consciousness as never before. Both large corporations and big organizations try to take care of online security as much as they can. That’s why cyber criminals and hackers have focused more on smaller companies and single entrepreneurs. This awful tendency leads to [...]
  • Advanced Malware Analysis Training Se... Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on Introduction to Android This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012.   In this session, Swapnil gave quick introduction to Android explaining technical details as well as various security [...]
  • Advanced Malware Analysis Training Se... Here is the quick update on this month’s Local Security meet (SX/Null/G4H/owasp) and our advanced malware training session on Malware Memory Forensics. This is part of our FREE ‘Advanced Malware Analysis Training’ series started from Dec 2012.   In this extended session, Monnappa explained extracting malware forensics artifacts from memory using Volatility – advanced memory [...]
  • Mentorship Programme Application Form... Today as we celebrate 6 years in our ‘Knowledge Sharing’ work, we are launching second edition of our Student Mentorship Programme. Application Form for session 2013-2014 is online now. To apply to this Mentorship Programme, aspiring students have to fill Mentorship Programme Application form. Please download the form from our Student Mentorship Page here Application [...]
  • Celebrating 6 years With a tick of clock another year has gone by and SecurityXploded today completes 6 years of successful ‘Knowledge Sharing’ work. Founded 6 years ago with a mission to share darkest secrets of windows world through our free tools and articles, today it has gone beyond what we have envisioned in our wildest dreams. Here [...]

Leave a Reply

Our Company

Follow us on Facebook

Join Mailing List

Get direct access to our expert trainers or mingle with like minded security folks in our mailing list