Every Registry file starts with a 4,096 byte header block. The first 512 bytes of that header tell us about the Registry file as a whole. Contained within this header are the following: Offset Length Type What is it? x000 4 string Signature: “regf” x004 4 uint32 Sequence Number 1 x008 4 uint32 Sequence Number 2 […]

Registry File Specification

After reviewing several other sources, notably from Morgan and Norris, I’ve decided that Joachim Metz’s Windows NT Registry File (REGF) format specification is the clear winner when it comes to laying this information out in a clean, clear, easy to read format. Metz doesn’t have all of the answers, but unlike the other documents, this one is […]

Registry Overview

The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is go look in \Windows\System32\config and \Users\<profile>\NTUSER.DAT. The long answer is… well… longer.   First thing to understand is that the Registry is complicated beast. Once processed, loaded into memory, and THEN presented to the user, […]

Registry Internal Structure

Searching for information about the innards of the Registry returns a whole lot of pages talking about the hives, keys, and values. But, I want to go deeper. What makes the Registry actually tick.   After a bit of google-fu, I was only able to come up with a handful of pages that actually talk […]


There are a plethora of keys in the Registry dedicated to telling you where you’ve been. Known as MRU (Most Recently Used) keys, they provide that little bit of history you get in the File menu of certain apps or in the drop-down box where you are specifying a name to open/save a file. Very […]

Collection Scripts

For many years now I’ve tried to do all my live collection on systems via command line scripts. The goal when I wrote the script (and still) is for this to be a fully-automated, single click execution. The reason being is that it allows me to hand the imaging task off to people that are technical […]

Useful Windows Commands

These are useful command lines that are all based on built-in Windows programs. They were tested on Windows 7, but most should be present on WinXP as well. Unlike the previous two blog posts, these are all about what is already present on the system. So, these are things you can do during live collection […]

Utilities by the Thousands

As I was putting together the list of command line tools to make Windows terminal more meaningful, I found myself wanting to list some GUI utilities because I love them so. In order to keep that post focused on the command line, I decided to move the GUI part of the list here. So, below […]

Command Line Happiness

There is no contesting that the command line in a Linux/Mac environment kicks Windows’s cmd.exe without even trying hard. There are entire blogs dedicated to how wonderful it is. But, most of the commercial forensics tools are Windows only, relegating many of us to that environment. My ideal setup is a Mac running Windows inside Fusion, […]


Plist files are found sprinkled throughout OS X and iOS and contain the various configuration settings and other information of use to the OS and applications.