{"id":55717,"date":"2022-08-23T09:22:10","date_gmt":"2022-08-23T01:22:10","guid":{"rendered":"https:\/\/version-2.com\/?p=55717"},"modified":"2022-09-29T17:41:17","modified_gmt":"2022-09-29T09:41:17","slug":"computer-forensics-windows-registry-pt-1","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2022\/08\/computer-forensics-windows-registry-pt-1\/","title":{"rendered":"Computer Forensics &#8211; Windows Registry &#8211; Pt. 1"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"55717\" class=\"elementor elementor-55717\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-4da8c5f9 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4da8c5f9\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;decf9c3&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parall
ax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-133ba185\" data-id=\"133ba185\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-fc2da8d post-content elementor-widget elementor-widget-text-editor\" data-id=\"fc2da8d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70gcn463msk0nkwacgre1s6.jpg\" alt=\"\" width=\"958\" height=\"auto\"><\/p>\n\n<h3>Intro<\/h3><p>Computer Forensics is a sub-field of cybersecurity that pertains to gathering evidence of how a computer was used. Generally, it falls under the larger field of Digital Forensics, which deals with all kinds of digital devices, from examination and recovery to analysis of the data found within them.<\/p><p>Digital forensics is used, and needed, widely: in the private sector, for example, you might want to analyze your organization internally, or you might be doing incident response and analysis.<\/p><p>In a legal sense, digital forensics can be used to support some hypotheses in a civil\/criminal case \u2013 or to refute them.<\/p><p>There are even cases that went <em>cold<\/em> for years before actually being solved through the techniques used in this field. 
One famous example is the BTK serial killer case that has gone cold for years, but the perpetrator met his downfall once he started taunting the authorities by sending letters to them.<\/p><p>Eventually, the police managed to recover a deleted MS Word document from the drive, analyze the metadata of the document, pinpoint the killer, and finally arrest him!<\/p><p>From the Wikipedia page, that can be found <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Dennis_Rader\">here<\/a>:<\/p><p><em>Police found <\/em><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Metadata\"><em>metadata<\/em><\/a><em> embedded in a deleted <\/em><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Microsoft_Word\"><em>Microsoft Word<\/em><\/a><em> document that was, unknown to Rader, still stored on the floppy disk.<\/em><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Dennis_Rader#cite_note-54\"><em>[54]<\/em><\/a><em> The metadata contained the words &#8220;Christ Lutheran Church&#8221;, and the document was marked as last modified by &#8220;Dennis&#8221;.<\/em><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Dennis_Rader#cite_note-trutv-55\"><em>[55]<\/em><\/a><em> An Internet search determined that a &#8220;Dennis Rader&#8221; was president of the church council.<\/em><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Dennis_Rader#cite_note-probe-52\"><em>[52]<\/em><\/a><em> When investigators drove by Rader&#8217;s house, a black Jeep Cherokee\u2014the type of vehicle seen in the Home Depot surveillance footage\u2014was parked outside.<\/em><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" 
href=\"https:\/\/en.wikipedia.org\/wiki\/Dennis_Rader#cite_note-Eagle20070314-56\"><em>[56]<\/em><\/a><em> This was strong <\/em><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Circumstantial_evidence\"><em>circumstantial evidence<\/em><\/a><em> against Rader, but they needed more direct evidence to detain him.<\/em><a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/en.wikipedia.org\/wiki\/Dennis_Rader#cite_note-57\"><em>[57]<\/em><\/a><\/p><p>As you can see, computer forensics can be quite useful, and can provide us with a lot of insight into what has happened on\/to our computer systems. Connecting the dots further, it can even help us ascertain what someone might have done \u2013 as illustrated in the example above.<\/p><h3>Windows<\/h3><p>This is <em>de facto<\/em> the most used desktop OS right now \u2013 75% of the <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/gs.statcounter.com\/os-market-share\/desktop\/worldwide\">market share<\/a>, to be precise. That\u2019s mostly why I intend to focus on Windows forensics, but I will talk about Linux forensics in the future as well.<\/p><h4><em>Why is the Windows Registry important from a forensic perspective?<\/em><\/h4><p>The Registry in Windows is practically the database for the OS itself. It contains all the configuration data for the system \u2013 and is organized in a hierarchical way.<\/p><p>From the <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/sysinfo\/structure-of-the-registry\">MS docs<\/a>:<\/p><p><em>The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. The data is structured in a tree format. Each node in the tree is called a key. 
Each key can contain both subkeys and data entries called values.<\/em><\/p><p>This means that the registry holds information about the software, hardware, and even the user. This includes data about recently used programs or files as well as the devices that are or may have been connected to the system. You can probably infer how this can be of great value to a forensic investigator.<\/p><p>The registry on your Windows systems comprises these five root keys:<\/p><ol><li>HKEY_CURRENT_USER<\/li><li>HKEY_USERS<\/li><li>HKEY_LOCAL_MACHINE<\/li><li>HKEY_CLASSES_ROOT<\/li><li>HKEY_CURRENT_CONFIG<\/li><\/ol><p><strong>HKEY_CURRENT_USER<\/strong> \u2013 Contains the root of the configuration information for the user who is currently logged on. The user\u2019s folders, screen colors, and Control Panel settings are stored here. This information is associated with the user\u2019s profile. This key is sometimes abbreviated as HKCU.<\/p><p><strong>HKEY_USERS<\/strong> \u2013 Contains all the actively loaded user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. HKEY_USERS is sometimes abbreviated as HKU.<\/p><p><strong>HKEY_LOCAL_MACHINE<\/strong> \u2013 Contains configuration information particular to the computer (for any user). This key is sometimes abbreviated as HKLM.<\/p><p><strong>HKEY_CLASSES_ROOT<\/strong> \u2013 Is a subkey of HKEY_LOCAL_MACHINE\\Software. The information that is stored here makes sure that the correct program opens when you open a file by using Windows Explorer. This key is sometimes abbreviated as HKCR. Starting with Windows 2000, this information is stored under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys. The <code>HKEY_LOCAL_MACHINE\\Software\\Classes<\/code><strong> key contains default settings that can apply to all users on the local computer<\/strong>. 
The <code>HKEY_CURRENT_USER\\Software\\Classes<\/code> key contains settings that override the default settings and apply only to the interactive user. The HKEY_CLASSES_ROOT key provides a view of the registry that merges the information from these two sources. HKEY_CLASSES_ROOT also provides this merged view for programs that are designed for earlier versions of Windows. To <strong>change the settings for the interactive user, changes must be made under <\/strong><code>HKEY_CURRENT_USER\\Software\\Classes<\/code> instead of under HKEY_CLASSES_ROOT. <strong>To change the default settings, changes must be made under <\/strong><code>HKEY_LOCAL_MACHINE\\Software\\Classes<\/code>. If you write keys to a key under HKEY_CLASSES_ROOT, the system stores the information under <code>HKEY_LOCAL_MACHINE\\Software\\Classes<\/code>. If you write values to a key under HKEY_CLASSES_ROOT, and the key already exists under <code>HKEY_CURRENT_USER\\Software\\Classes<\/code>, the system will store the information there instead of under <code>HKEY_LOCAL_MACHINE\\Software\\Classes<\/code>.<\/p><p><strong>HKEY_CURRENT_CONFIG<\/strong> \u2013 Contains information about the hardware profile that is used by the local computer at system startup.<\/p><p>These root <em>keys<\/em>, combined with <em>values <\/em>and <em>subkeys<\/em>, are what make the <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/sysinfo\/registry-hives#:~:text=Registry%20Hives.%20A%20hive%20is%20a%20logical%20group,with%20a%20separate%20file%20for%20the%20user%20profile.\">Registry Hive<\/a>.<\/p><p>You can check this by opening regedit.exe to look around the registry \u2013 directories you see are the Registry Keys, and the values are whatever data is stored within \u2013 as mentioned above.<\/p><h3>Access Hives Offline<\/h3><p>Please note that the above is true if you\u2019re accessing a live system \u2013 through the in-built utility regedit.exe. 
But, if you only have the disk image, you will go about this in a slightly different way. First, you should know that the registry hives are located on the disk in the <strong><em>C:\\Windows\\System32\\Config<\/em><\/strong> directory.<\/p><p><strong>Let me just digress here for a bit.<\/strong> Why is this important? Well, in an investigation you would typically clone the disk first \u2013 hence the disk image \u2013 and you would conduct your investigation on the clone. You don\u2019t want to mess up your potential evidence by working on the original. As mentioned <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/www.sciencedirect.com\/topics\/computer-science\/forensic-clone\">here<\/a>, even though cloning is a straightforward process in theory, in practice it can be quite different.<\/p><p>The goal is simple \u2013 you want to clone one disk to another. The drive you want to clone is typically removed from the computer and connected to another computer or a cloning device. However, it is vital to have some sort of control over the writing process, i.e., a <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/www.sciencedirect.com\/topics\/computer-science\/hardware-write\">hardware write blocker<\/a>, which is placed between the source disk (the one being cloned) and the destination disk (the one we\u2019re cloning to). You need this because you don\u2019t want to accidentally mess up your investigation by writing data to the source disk.<\/p><p>You should also forensically clean the destination disk beforehand. Forensic imaging tools (FTK Imager, Autopsy, etc.) will usually create some sort of proof that the cleaning has happened. Finally, when all the preparations have been made successfully and the process starts, upon successfully cloning the disks you would have matching hashes for the source and the clone \u2013 i.e. 
your proof that you have an exact clone of the disk under investigation.<\/p><p>I will mention the tools above, and others, in my future articles on this topic, but for now let me get back on track and talk about the locations of the aforementioned hives on the respective disk(s).<\/p><p>These hives are:<\/p><ol><li>DEFAULT (mounted at HKEY_USERS\\DEFAULT)<\/li><li>SAM (mounted at HKEY_LOCAL_MACHINE\\SAM)<\/li><li>SECURITY (mounted at HKEY_LOCAL_MACHINE\\Security)<\/li><li>SOFTWARE (mounted at HKEY_LOCAL_MACHINE\\Software)<\/li><li>SYSTEM (mounted at HKEY_LOCAL_MACHINE\\System)<\/li><\/ol><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70gjs7l3mwm0nkw1daih0cb.png\"><p>Aside from these hives, there are two more hives that keep information about the user and can be found in the user\u2019s profile directory, <strong>C:\\Users\\&lt;username&gt;<\/strong> (this is true for Windows 7 and later versions of Windows).<\/p><p>The two hives are these:<\/p><ol><li>NTUSER.DAT (mounted at HKEY_CURRENT_USER once the user logs in)<\/li><li>USRCLASS.DAT (mounted at HKEY_CURRENT_USER\\Software\\CLASSES)<\/li><\/ol><p>NTUSER.DAT is found in C:\\Users\\&lt;username&gt; and USRCLASS.DAT in C:\\Users\\&lt;username&gt;\\AppData\\Local\\Microsoft\\Windows. Please note that both of these files are hidden.<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70go1mt605k0ljlfqct0wva.png\"><p><em>NTUSER.DAT<\/em><\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70goaug3mzb0nkw9xoicyvx.png\"><p><em>USRCLASS.DAT<\/em><\/p><p>Finally, there is the Amcache hive, which is quite important in the Windows OS since it keeps information about programs that have been run recently. 
It is located at <strong><em>C:\\Windows\\AppCompat\\Programs\\Amcache.hve<\/em><\/strong>.<\/p><img decoding=\"async\" src=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70guy9t3n2z0nkwck378ctq.png\"><p><em>Amcache Hive<\/em><\/p><h3>Conclusion<\/h3><p>To conclude, I covered some basics about Computer\/Digital Forensics in general, as well as the Windows Registry and its hives. This is exactly what threat actors exploit in numerous ways, and in the next article we will look at how to ascertain what they did to our devices. I will also talk about the forensic tools mentioned above, such as Autopsy, FTK Imager, and others. (Linux forensics will be covered too!)<\/p><p>Stay tuned.<\/p><p>Cover image by <a target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https:\/\/unsplash.com\/@macroman\">Immo Wegmann<\/a><\/p><p>#registry #forensics #windows<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8085a61 post-content elementor-widget elementor-widget-shortcode\" data-id=\"8085a61\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\t\t<div data-elementor-type=\"page\" data-elementor-id=\"18103\" class=\"elementor elementor-18103\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a437045 elementor-widget elementor-widget-image-box\" data-id=\"a437045\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><h3 class=\"elementor-image-box-title\">About Version 2 Digital<\/h3><p class=\"elementor-image-box-description\">Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n<br><br>\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\n\t\t<div data-elementor-type=\"page\" data-elementor-id=\"39690\" class=\"elementor elementor-39690\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" 
data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ff2a228 elementor-widget elementor-widget-text-editor\" data-id=\"ff2a228\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><\/p>\n<p><b>About VRX<\/b><br><b>VRX&nbsp;<\/b>is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Intro Computer Forensics is a sub-field of cybersecurit [&hellip;]<\/p>","protected":false},"author":143524195,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[488,476,61],"tags":[489,477],"class_list":["post-55717","post","type-post","status-publish","format-standard","hentry","category-488","category-vrx","category-press-release","tag-489","tag-vrx"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Computer Forensics - Windows Registry - Pt. 1 - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Computer Forensics - Windows Registry - Pt. 
1 - Version 2\" \/>\n<meta property=\"og:description\" content=\"Intro Computer Forensics is a sub-field of cybersecurit [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1\" \/>\n<meta property=\"og:site_name\" content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2022-08-23T01:22:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-29T09:41:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70gcn463msk0nkwacgre1s6.jpg\" \/>\n<meta name=\"author\" content=\"version2hk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"version2hk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/08\\\/computer-forensics-windows-registry-pt-1\\\/\"},\"author\":{\"name\":\"version2hk\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\"},\"headline\":\"Computer Forensics &#8211; Windows Registry &#8211; Pt. 
1\",\"datePublished\":\"2022-08-23T01:22:10+00:00\",\"dateModified\":\"2022-09-29T09:41:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/08\\\/computer-forensics-windows-registry-pt-1\\\/\"},\"wordCount\":1507,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl70gcn463msk0nkwacgre1s6.jpg\",\"keywords\":[\"2022\",\"vRx\"],\"articleSection\":[\"2022\",\"vRx\",\"Press Release\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2022\\\/08\\\/computer-forensics-windows-registry-pt-1\\\/\",\"url\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1\",\"name\":\"Computer Forensics - Windows Registry - Pt. 1 - Version 2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl70gcn463msk0nkwacgre1s6.jpg\",\"datePublished\":\"2022-08-23T01:22:10+00:00\",\"dateModified\":\"2022-09-29T09:41:17+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1#primaryimage\",\"url\":\"https:\\\/\\\/ik.imagekit
.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl70gcn463msk0nkwacgre1s6.jpg\",\"contentUrl\":\"https:\\\/\\\/ik.imagekit.io\\\/14sfaswy6hrz\\\/blog-posts\\\/images\\\/cl70gcn463msk0nkwacgre1s6.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.vicarius.io\\\/blog\\\/computer-forensics-windows-registry-pt-1#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Computer Forensics &#8211; Windows Registry &#8211; Pt. 1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 
2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/d14d2d3cd77ffdb618b9f1330fe084db\",\"name\":\"version2hk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g\",\"caption\":\"version2hk\"},\"sameAs\":[\"http:\\\/\\\/version2xfortcom.wordpress.com\"],\"url\":\"https:\\\/\\\/version-2.com\\\/en\\\/author\\\/version2hk\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Computer Forensics - Windows Registry - Pt. 1 - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1","og_locale":"en_US","og_type":"article","og_title":"Computer Forensics - Windows Registry - Pt. 1 - Version 2","og_description":"Intro Computer Forensics is a sub-field of cybersecurit [&hellip;]","og_url":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1","og_site_name":"Version 2","article_published_time":"2022-08-23T01:22:10+00:00","article_modified_time":"2022-09-29T09:41:17+00:00","og_image":[{"url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70gcn463msk0nkwacgre1s6.jpg","type":"","width":"","height":""}],"author":"version2hk","twitter_card":"summary_large_image","twitter_misc":{"Written by":"version2hk","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1#article","isPartOf":{"@id":"https:\/\/version-2.com\/2022\/08\/computer-forensics-windows-registry-pt-1\/"},"author":{"name":"version2hk","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/d14d2d3cd77ffdb618b9f1330fe084db"},"headline":"Computer Forensics &#8211; Windows Registry &#8211; Pt. 1","datePublished":"2022-08-23T01:22:10+00:00","dateModified":"2022-09-29T09:41:17+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2022\/08\/computer-forensics-windows-registry-pt-1\/"},"wordCount":1507,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70gcn463msk0nkwacgre1s6.jpg","keywords":["2022","vRx"],"articleSection":["2022","vRx","Press Release"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2022\/08\/computer-forensics-windows-registry-pt-1\/","url":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1","name":"Computer Forensics - Windows Registry - Pt. 
1 - Version 2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1#primaryimage"},"image":{"@id":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1#primaryimage"},"thumbnailUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70gcn463msk0nkwacgre1s6.jpg","datePublished":"2022-08-23T01:22:10+00:00","dateModified":"2022-09-29T09:41:17+00:00","breadcrumb":{"@id":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1#primaryimage","url":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70gcn463msk0nkwacgre1s6.jpg","contentUrl":"https:\/\/ik.imagekit.io\/14sfaswy6hrz\/blog-posts\/images\/cl70gcn463msk0nkwacgre1s6.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.vicarius.io\/blog\/computer-forensics-windows-registry-pt-1#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/zh\/"},{"@type":"ListItem","position":2,"name":"Computer Forensics &#8211; Windows Registry &#8211; Pt. 
1"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 
2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/d14d2d3cd77ffdb618b9f1330fe084db","name":"version2hk","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d280627252b42d7489de74dd88aa04043a495f25e258575000dc767e287bf94c?s=96&d=identicon&r=g","caption":"version2hk"},"sameAs":["http:\/\/version2xfortcom.wordpress.com"],"url":"https:\/\/version-2.com\/en\/author\/version2hk\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-euF","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/55717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/users\/143524195"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/comments?post=55717"}],"version-history":[{"count":4,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/55717\/revisions"}],"predecessor-version":[{"id":55721,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/posts\/55717\/revisions\/55721"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/media?parent=55717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/categories?post=55717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/en\/wp-json\/wp\/v2\/tags?post=55717"}
],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}