winreg - Paiet/FOR---Operating-System-Forensics GitHub Wiki

The registry is a database holding the system's user names, user data, password hashes, SIDs (Security Identifiers), hardware information (HARDWARE and DRIVERS), drivers, and wifi information.

It also holds operating system information, COM classes, MRU (most recently used) lists, mapped drive config, security settings, programs to launch, and service info.

Registry hives are the root hkeys. Each registry value has a name, a type, and data as its content. They are called hives (hkeys) because the dev really liked bees.

HKEY_CLASSES_ROOT contains the file extensions (file associations). HKEY_CURRENT_USER is an alias for another hkey (the current user's entry under HKEY_USERS). The .DEFAULT entry holds the user info that is used when a new user is made.

If a user changes Edge to open PDF files, that change applies only to that user, because HKEY_CURRENT_USER is an alias for that user's hkey. The registry also has the SAM (Security Account Manager), which only system users can access. Each user has two registry files: the first is under C:\Users\<username>\ and is the registry file for the user; the second is under C:\Users\<username>\AppData\Microsoft\Windows.

The registry acts like a filesystem.
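The points above (HKCU is an alias for the user's SID entry under HKEY_USERS, each value is name + type + data, keys browse like folders, and the SAM is locked down to SYSTEM) can be checked from PowerShell on Windows. This is an added example, not part of the original wiki notes; the Run key is only assumed as a convenient key to inspect.

```powershell
# Added example (not from the original notes). Run in PowerShell on Windows.

# 1. HKCU is an alias: the current user's subtree under HKEY_USERS, keyed by SID.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Write-Host "Current user SID: $sid"

# Assumed key to inspect (the autostart "programs to launch" key); any HKCU key works.
$subKey   = "Software\Microsoft\Windows\CurrentVersion\Run"
$hkcuPath = "Registry::HKEY_CURRENT_USER\$subKey"
$hkuPath  = "Registry::HKEY_USERS\$sid\$subKey"

# 2. The registry acts like a filesystem: keys are containers you can list like folders.
Get-ChildItem -Path "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion" |
    Select-Object -First 5 -ExpandProperty Name

# 3. Each value is a name, a type, and data.
$key = Get-Item -Path $hkcuPath
foreach ($name in $key.GetValueNames()) {
    [PSCustomObject]@{
        Name = $name
        Type = $key.GetValueKind($name)   # REG_SZ, REG_DWORD, ...
        Data = $key.GetValue($name)
    }
}

# 4. The same values seen through HKEY_USERS\<SID> prove HKCU is only an alias.
$viaHku = Get-Item -Path $hkuPath
$same = (($key.GetValueNames() | Sort-Object) -join ',') -eq (($viaHku.GetValueNames() | Sort-Object) -join ',')
Write-Host "HKCU and HKU\$sid expose the same values: $same"

# 5. The SAM hive is restricted: compare SYSTEM's rights with everyone else's on HKLM\SAM.
Get-Acl -Path "Registry::HKEY_LOCAL_MACHINE\SAM" |
    Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Step 5 needs an elevated prompt to read the ACL; a non-admin user gets an access-denied error, which itself illustrates the restriction.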

In FTK, the first option gives you the SAM and registry files; the second gives you all registry files.

Process Explorer (ProcessEXP) looks at the things running in RAM. Procmon shows all instances interacting with the OS, which are happening within memory.