It is a binary, hierarchical database and some of its contents include configuration settings and data for the OS and for the different applications relying on it. The registry holds configurations for Windows and is a substitute for the. The Windows registry is an invaluable source of forensic artifacts for all examiners and analysts. Registry What is the Windows registry and what is its structure? In the first part of this series we are going to discuss the Windows registry, its structure, backups and supporting files, examples from case files which reveal how instrumental the registry might be in prosecuting suspects, and some open source tools. In this paper, we will only be able to have a glimpse of this wealth of artifacts but its forensic significance will be immediately unveiled to us. Before we start, we have to mention that collecting evidence is not the sole challenge to examiners the challenge is to locate and identify, collect, preserve, and interpret the information whereas collecting it is only one piece of the puzzle.
