Training Camp • Cybersecurity Glossary
Windows Registry Forensics Definition: Windows Registry forensics examines hive files like NTUSER.DAT and SYSTEM to recover evidence of user activity, program execution, and device history.
Windows Registry forensics is the examination of the Windows Registry to recover evidence about system configuration, user activity, and program execution during an investigation. The Registry stores data in hive files such as SYSTEM, SOFTWARE, SAM, SECURITY, and per-user NTUSER.DAT, which can reveal recently opened files, USB device history, autostart entries, and timestamps of user actions. Forensic tools parse these hives to reconstruct attacker behavior and establish what occurred on a host.
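As an illustration of what such parsing involves, the following added example (not code from this glossary or from any particular forensic tool) reads the 512-byte base block at the start of a hive file and reports its last-written time, embedded hive name, checksum validity, and whether the hive is dirty, meaning its transaction logs should be replayed before analysis. The field offsets follow the publicly documented `regf` layout and are an assumption not stated on this page; the sample header is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def xor32(block):
    """Base-block checksum: XOR of the first 508 bytes as 127 little-endian dwords."""
    c = 0
    for (dword,) in struct.iter_unpack("<I", bytes(block[:508])):
        c ^= dword
    return {0xFFFFFFFF: 0xFFFFFFFE, 0: 1}.get(c, c)  # two reserved results are remapped

def parse_base_block(data):
    """Parse the regf base block (offsets assumed from public format documentation)."""
    if len(data) < 512 or data[:4] != b"regf":
        raise ValueError("not a registry hive base block")
    (seq1, seq2, written, major, minor,
     _ftype, _fmt, root, _size) = struct.unpack_from("<IIQIIIIII", data, 4)
    name = data[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, 0x1FC)[0]
    return {
        "last_written": filetime_to_utc(written),
        "version": f"{major}.{minor}",
        "root_cell_offset": root,
        "hive_name": name,
        "dirty": seq1 != seq2,            # mismatch: a write did not complete cleanly
        "checksum_ok": stored == xor32(data),
    }

def build_sample(seq1=7, seq2=7):
    """Constructed base block for demonstration; not taken from a real system."""
    hdr = bytearray(512)
    ft = 133485408000000000               # constructed: 2024-01-01 00:00:00 UTC
    struct.pack_into("<4sIIQIIIIII", hdr, 0, b"regf", seq1, seq2, ft, 1, 5, 0, 1, 0x20, 0x1000)
    name = "\\Users\\example\\NTUSER.DAT".encode("utf-16-le")
    hdr[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", hdr, 0x1FC, xor32(hdr))
    return bytes(hdr)

if __name__ == "__main__":
    for key, value in parse_base_block(build_sample(seq1=8)).items():
        print(f"{key}: {value}")
```

To run it against an acquired hive, pass the first 512 bytes of a working copy of the file to `parse_base_block`.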