Belkasoft Evidence Center: Exploring Registry files

Today we will show you how to explore registry files. Create a new case and analyze the ‘Samples’ subfolder of the product installation folder. Belkasoft Evidence Center found 4 registry files. In the Case Explorer you can see the most forensically important keys extracted from these files. Among these keys are four Windows accounts with their last log-on times and hashes. All network cards attached to the computer, including virtual network cards, are visible. You can find every Wi-Fi profile the suspect has ever connected to, along with the time of the latest connection. Information about connected USB devices, including the date and time of their use, is displayed. You can check whether the TCP/IP configuration was ever changed, which is particularly important when your suspect was using anonymizers or proxy servers. You can also find out the time zone, which helps when you don’t know where a hard drive or a phone came from. Finally, there is some information about Windows installation properties, such as the computer name, event log location, and so on.

Of course, this is just a fraction of what is inside the registry. To examine the complete registry contents, open the Registry Viewer built into Evidence Center. Belkasoft Registry Viewer looks like Microsoft Registry Editor, but has the important advantage of being able to show you more data, including data from badly damaged, carved and recovered registries, which Microsoft Registry Editor might have trouble with. This is a huge benefit of using Belkasoft Registry Viewer. By the way, Belkasoft Registry Viewer shows you not only files from a case, but also lets you open arbitrary files.
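As an added example (not part of this post and not Belkasoft's code), here is how the raw values behind the Wi-Fi profile, time-zone and installation keys mentioned above decode into a timeline-ready record. It assumes the values have already been read out of the SOFTWARE and SYSTEM hives by some hive reader; the profile record, Bias and InstallDate values are constructed samples, not taken from a real case.

```python
import struct
from datetime import datetime, timedelta, timezone

# NameType values seen in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
NAME_TYPES = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}

def decode_systemtime(raw: bytes) -> datetime:
    """DateLastConnected / DateCreated are 16-byte SYSTEMTIME structures:
    eight little-endian WORDs (year, month, day-of-week, day, hour, minute,
    second, millisecond) expressed in the machine's *local* time."""
    if len(raw) != 16:
        raise ValueError(f"SYSTEMTIME must be 16 bytes, got {len(raw)}")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def decode_bias(dword: int) -> timedelta:
    """SYSTEM\\...\\Control\\TimeZoneInformation\\Bias (or ActiveTimeBias) is a DWORD
    that really holds a signed minute offset with UTC = local + Bias; a hive reader
    hands UTC+3 back as 0xFFFFFF4C, which must be reinterpreted as -180."""
    signed, = struct.unpack("<i", struct.pack("<I", dword & 0xFFFFFFFF))
    return timedelta(minutes=signed)

def local_to_utc(local: datetime, bias_dword: int) -> datetime:
    """Normalise a local SYSTEMTIME to UTC using the hive's own Bias value."""
    return (local + decode_bias(bias_dword)).replace(tzinfo=timezone.utc)

def decode_install_date(dword: int) -> datetime:
    """Windows NT\\CurrentVersion\\InstallDate is a DWORD of seconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(dword, tz=timezone.utc)

def summarize_profile(values: dict, bias_dword: int) -> dict:
    """Turn the raw values of one NetworkList profile key into a record for the case timeline."""
    return {
        "name": values["ProfileName"],
        "kind": NAME_TYPES.get(values["NameType"], f"unknown(0x{values['NameType']:x})"),
        "last_connected_utc": local_to_utc(decode_systemtime(values["DateLastConnected"]), bias_dword),
    }

# Constructed sample values, shaped as a hive reader would return them (not from a real case).
SAMPLE_BIAS = 0xFFFFFF4C            # UTC+3 stored as an unsigned DWORD
SAMPLE_PROFILE = {
    "ProfileName": "CoffeeShop-Guest",
    "NameType": 0x47,
    # Thursday 2019-03-14 09:26:53.589 local time, packed as a SYSTEMTIME
    "DateLastConnected": struct.pack("<8H", 2019, 3, 4, 14, 9, 26, 53, 589),
}

if __name__ == "__main__":
    print(summarize_profile(SAMPLE_PROFILE, SAMPLE_BIAS))
    print(decode_install_date(1500000000))
```

Feeding the hive's own Bias into the conversion matters: the SYSTEMTIME values are local, so reporting them unconverted next to UTC-based artifacts such as USB device timestamps puts events in the wrong order.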

Daniel Ostrander
