June 04, 2026

Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis

20 minutes

In this lesson, you’ll learn about: Windows Registry structure and forensic analysis1. What is the Windows Registry?

A centralized configuration database in Windows
Stores system, user, and application settings

🔹 Core Idea

Think of it as the brain of Windows configuration

2. Registry StructureThe registry is organized in a strict hierarchy:🔹 Components

Hives
Keys
Subkeys
Values

🔹 Analogy

Hive → main database file
Key → folder
Value → actual data entry

3. Main Root Keys🔹 Key Windows Registry Roots

HKEY_LOCAL_MACHINE (HKLM)
HKEY_CURRENT_USER (HKCU)

🔹 What they represent

HKLM → system-wide settings
HKCU → settings for the logged-in user

4. Physical Storage of Registry Hives

Stored on disk in:

C:\Windows\System32\config 🔹 Why this matters

Investigators can extract registry data directly from disk
Even if Windows is not bootable

5. Core HKLM Sub-Hives🔹 SAM (Security Accounts Manager)

Stores:
- User accounts
- Password hashes

🔹 SECURITY Hive

Stores:
- Local security policy
- LSA secrets
- Authentication data

🔹 SOFTWARE Hive

Stores:
- Installed applications
- Configuration settings

🔹 SYSTEM Hive

Stores:
- Drivers
- Services
- Boot configuration

👉 Key Insight:

These hives are critical for system and user reconstruction

6. Modern Windows Registry Extensions🔹 Newer Hives

BCD (Boot Configuration Data)
- Controls boot process
ELAM (Early Launch Anti-Malware)
- Protects early boot stage
Browser-related application data hives

👉 Purpose:

Improve security and system initialization

7. Forensic Extraction Tools🔹 Common Tools

FTK Imager
- Used to extract registry hives from disk
Registry viewers (offline analysis tools)

🔹 Why FTK Imager matters

Bypasses OS restrictions
Works on live or dead systems

8. Registry Analysis Workflow🔹 Step-by-step process

Acquire disk image
Extract registry hives
Load into analysis tool
Examine keys and values

9. What Investigators Look For🔹 Key Evidence Types

User activity
Installed software
System boot history
Malware persistence mechanisms

Key Takeaways

The registry is a central configuration database for Windows
It is structured into hives, keys, and values
Critical hives include SAM, SECURITY, SOFTWARE, SYSTEM
Registry files are physically stored on disk
Tools like FTK Imager enable offline forensic extraction

Big PictureRegistry analysis helps you:👉 Move from system configuration → user and attacker behavior reconstructionMental Model

Registry = Windows “black box” of system activity

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

...more

View all episodes

By CyberCode Academy

June 04, 2026

Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis

20 minutes

In this lesson, you’ll learn about: Windows Registry structure and forensic analysis1. What is the Windows Registry?

A centralized configuration database in Windows
Stores system, user, and application settings

🔹 Core Idea

Think of it as the brain of Windows configuration

2. Registry StructureThe registry is organized in a strict hierarchy:🔹 Components

Hives
Keys
Subkeys
Values

🔹 Analogy

Hive → main database file
Key → folder
Value → actual data entry

3. Main Root Keys🔹 Key Windows Registry Roots

HKEY_LOCAL_MACHINE (HKLM)
HKEY_CURRENT_USER (HKCU)

🔹 What they represent

HKLM → system-wide settings
HKCU → settings for the logged-in user

4. Physical Storage of Registry Hives

Stored on disk in:

C:\Windows\System32\config 🔹 Why this matters

Investigators can extract registry data directly from disk
Even if Windows is not bootable

5. Core HKLM Sub-Hives🔹 SAM (Security Accounts Manager)

Stores:
- User accounts
- Password hashes

🔹 SECURITY Hive

Stores:
- Local security policy
- LSA secrets
- Authentication data

🔹 SOFTWARE Hive

Stores:
- Installed applications
- Configuration settings

🔹 SYSTEM Hive

Stores:
- Drivers
- Services
- Boot configuration

👉 Key Insight:

These hives are critical for system and user reconstruction

6. Modern Windows Registry Extensions🔹 Newer Hives

BCD (Boot Configuration Data)
- Controls boot process
ELAM (Early Launch Anti-Malware)
- Protects early boot stage
Browser-related application data hives

👉 Purpose:

Improve security and system initialization

7. Forensic Extraction Tools🔹 Common Tools

FTK Imager
- Used to extract registry hives from disk
Registry viewers (offline analysis tools)

🔹 Why FTK Imager matters

Bypasses OS restrictions
Works on live or dead systems

8. Registry Analysis Workflow🔹 Step-by-step process

Acquire disk image
Extract registry hives
Load into analysis tool
Examine keys and values

9. What Investigators Look For🔹 Key Evidence Types

User activity
Installed software
System boot history
Malware persistence mechanisms

Key Takeaways

The registry is a central configuration database for Windows
It is structured into hives, keys, and values
Critical hives include SAM, SECURITY, SOFTWARE, SYSTEM
Registry files are physically stored on disk
Tools like FTK Imager enable offline forensic extraction

Big PictureRegistry analysis helps you:👉 Move from system configuration → user and attacker behavior reconstructionMental Model

Registry = Windows “black box” of system activity

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

...more

Share Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis

Sign up to save your podcasts

Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis

Course 36 - Windows Forensics and Tools | Episode 6: From System Hives to Forensic Analysis