Profiles: What’s in a name? That which we call a profile By any other name would still let us log in. I […]
nk: Named Key cells are the data structures within the Registry that hold the Keys and provide the parent/child data necessary to build […]
hbin: The contents of Registry files are saved in Hive Bins. The previously mentioned header to the Registry file is a 4k block with […]
regf: Every Registry file starts with a 4,096 byte header block. The first 512 bytes of that header tell us about the Registry file […]
Registry File Specification: After reviewing several other sources, notably from Morgan and Norris, I’ve decided that Joachim Metz’s Windows NT Registry File (REGF) format specification is the […]
Registry Overview: The first step to forensic analysis of the Registry is knowing where to find the files. The short answer is go look […]
Registry Internal Structure: Searching for information about the innards of the Registry returns a whole lot of pages talking about the hives, keys, and values. […]
MRU: There are a plethora of keys in the Registry dedicated to telling you where you’ve been. Known as MRU (Most Recently Used) […]
Registry: I’m not sure how I missed it when it came out in 2009, but Peter Norris has put together an absolutely fantastic […]