We're going to cover the live registry. We're going to view the live registry and go through the hive keys using RegEdit. We are going to prepare our environment to examine the non-live registry using specialized tools. We are going to interpret two registry values that are crucial to all forensic investigations. This interpreting will also give us a good foothold in interpreting values as we go along.

Section 1, we are going to cover the Live Windows Registry. We're going to view the live registry using Registry Editor on our local machine. First thing you want to do is go down to the taskbar, click your "Start" button, and we're going to type in RegEdit. Once we type in RegEdit, we're going to right-click and we're going to run the program as an administrator.

Here we see the HKEYs, the hive keys we talked about. We're going to go through these hive keys. HKEY_CLASSES_ROOT. This key is populated when the system boots up, and it's populated with the contents of the HKEY_LOCAL_MACHINE\Software\Classes key. So it is the Software\Classes key. You [inaudible] idea what's under there? These are all the things that we're going to look at in Software\Classes. When we cover the Software hive, we will cover the Classes key in depth. But for right now, I just want to show you where it is.

HKEY_CURRENT_USER is going to contain the information for the currently logged-on user. It's pulling this information when the computer boots, and it's pulling it from that particular user's, that specific user's, NTUSER.DAT file.

HKEY_LOCAL_MACHINE. HKEY_LOCAL_MACHINE is telling us about the settings for the machine. Underneath here, we can see that we have a lot of the keys that we talked about in our dead box. We have our SAM, Security, Software, and System. This top key up here, this BCD00000000, this is the local machine boot configuration information. This is our boot configuration file right here. As of yet, we really have not found any forensic value. But just so you know what that is when you see it, that's your boot configuration.

We also have the Hardware key. Now the Hardware key is one of those keys, like we talked about, that only exists on a live running machine. What the Hardware subkey contains is the devices, the hardware attached to the system, such as the CPU, the keyboard, the mouse, your hard drives, your speakers, whatever hardware you have attached to that particular computer.

HKEY_USERS is information regarding all the users on the system. You can see this information under here. Throughout this class, we're going to go through this in depth and learn how we interpret all that. But for now, I just want to show you where it is.

HKEY_CURRENT_CONFIG. This key is a shortcut key. This key doesn't store any information, but it acts as a pointer to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current. This key really just exists for convenience, because since these two keys contain the same information and are always connected to each other, you can make changes in either location and get the same results. Let's take a quick look. We'll expand this key, then we're going to follow that path that I talked about before, which is going to start with HKEY_LOCAL_MACHINE\System. Now, see we have more than one control set here, and we'll get back to that in a minute. But we're going to choose CurrentControlSet, Hardware Profiles, and then we're going to expand Current. We can see we have a Software and a System, and we can see down here in HKEY_CURRENT_CONFIG we have the same folders. If we expand these folders further, we can see we have the same information in them. We can even expand it further and see you have the exact same information in there. That is just a shortcut key for convenience.

Getting back to control sets for just a moment. You can see that I have three listed here. We have Control Set 1, Control Set 2 and CurrentControlSet. On a dead box, you're not going to see CurrentControlSet; that key won't be here. You're going to have to determine the control set manually, and you do that by using the Select key. When you click on the Select key, you're going to see some values here. You're going to see Current. This refers to the current control set, and we can see when we look at the data, it is 1. So Control Set 1 would be our current control set, and it is also the default. But when we look at LastKnownGood, we see a value of 2, referring to Control Set 2; that would be our last known good. What that means is if for some reason there was a problem with the system and there was something bad with Control Set 1, or the default control set, it would fall back to Control Set 2 for recoverability and redundancy purposes. So that is why that is there.

One more time, let's go ahead and take a look. Classes Root we talked about. Current User is pulling from the NTUSER.DAT. HKEY_LOCAL_MACHINE is pulling from all of the hives here, our four hives: SAM, Security, Software, and System. It's also pulling the boot configuration, and it's pulling that Hardware key. The Hardware key only exists in RAM; HKEY_CURRENT_USER only exists in RAM. HKEY_CURRENT_CONFIG, you won't see this key, but the information you will be able to find in the System file. The same with Classes Root. Classes Root information is being pulled from under the Software hive, HKEY_LOCAL_MACHINE\Software\Classes, and we can see the same information that is in Classes Root. So the two keys that are completely volatile, that do not get written to disk, are Current User and Hardware. In the next section, we are going to prepare our environment. We're going to download some specialized tools so that we can view our non-live registry files.
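The two checks the lecture does by clicking through RegEdit, resolving the control set from the Select key and confirming that HKEY_CURRENT_CONFIG is only a view of HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, can be scripted on a live machine. The script below is an added example, not part of the lecture or its course materials. It assumes a live Windows system and a PowerShell session run as administrator, that the on-disk key names are zero-padded (ControlSet001, ControlSet002, ...), and that Select also carries a Failed value alongside Current, Default and LastKnownGood; only the subkey layout is compared, not individual values.

```powershell
# Added example (not from the lecture): resolve the current control set from
# HKLM\SYSTEM\Select, then confirm that HKEY_CURRENT_CONFIG exposes the same
# subkeys as HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
# Assumes a live Windows machine and PowerShell run as administrator.

# Select holds DWORD values (Current, Default, LastKnownGood, Failed) whose
# number N names the key ControlSet00N. 0 means "none", which is what Failed
# normally reads on a healthy system.
function Get-ControlSetName {
    param([int]$Number)
    if ($Number -le 0) { return '(none)' }
    return 'ControlSet{0:D3}' -f $Number
}

$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'

$resolved = [pscustomobject]@{
    Current       = Get-ControlSetName $select.Current
    Default       = Get-ControlSetName $select.Default
    LastKnownGood = Get-ControlSetName $select.LastKnownGood
    Failed        = Get-ControlSetName $select.Failed
}
$resolved | Format-List

# List the ControlSetNNN keys that actually exist so the numbers in Select can
# be checked against them; a Current value with no matching key is worth noting.
$existing = @(Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    Select-Object -ExpandProperty PSChildName)
"Control sets present: $($existing -join ', ')"
if ($resolved.Current -notin $existing) {
    Write-Warning "Select\Current points at $($resolved.Current), which does not exist"
}

# HKCC is not a built-in PowerShell drive; map it so both sides can be listed.
if (-not (Get-PSDrive -Name HKCC -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCC -PSProvider Registry -Root HKEY_CURRENT_CONFIG | Out-Null
}

# Strip each side's root so only the relative subkey paths are compared.
$hkccRoot = 'HKEY_CURRENT_CONFIG'
$hklmRoot = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current'
$viaHkcc = @(Get-ChildItem -Path 'HKCC:\' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name.Substring($hkccRoot.Length) })
$viaHklm = @(Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\Current' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name.Substring($hklmRoot.Length) })

if ($viaHkcc.Count -eq 0 -or $viaHklm.Count -eq 0) {
    Write-Warning 'One side returned no subkeys; check permissions before drawing conclusions'
} else {
    $diff = Compare-Object -ReferenceObject $viaHkcc -DifferenceObject $viaHklm
    if (-not $diff) {
        "HKCC and HKLM\...\Hardware Profiles\Current list the same $($viaHkcc.Count) subkeys"
    } else {
        $diff
    }
}
```

On a dead box there is no CurrentControlSet and no HKEY_CURRENT_CONFIG to compare against, so only the first half applies: read Select from the offline SYSTEM hive with an offline registry tool, turn Current into ControlSet00N the same way, and work under that key for the rest of the examination.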