
12. Registry Hives Extraction with FTK Imager

🧭 General Introduction

After covering Preservation and Acquisition, it is time to work hands-on with one of the most important evidence sources on Windows: the Registry.

The Registry is a hierarchical database that stores system, user, and application settings. On disk it lives in a handful of files (the hives), and those files are what we need to collect.


🧩 What is the Registry?

The Registry is a central database that contains critical information related to:

  • System Configuration

  • Users

  • Applications

  • Hardware

On disk this data is stored in files known as hives. The kernel loads each hive file and exposes it as a subtree of the Registry, so collecting the hive files means collecting the Registry.


📌 Historical Note:

Before Windows 95, most system and application settings were stored in plain-text .ini files (win.ini, system.ini, one per application). From Windows 95 onwards, Microsoft moved this data into the Registry, a single hierarchical, access-controlled database, and that is still how Windows stores it today.


πŸ›οΈ Main Types of Registry Hives

When you open the Registry Editor by typing regedit in the Start menu, you'll see five main Hives:

Hive Description
HKEY_CLASSES_ROOT Information about file extensions and their program associations.
HKEY_CURRENT_USER Settings for the current user only (e.g., desktop, themes…).
HKEY_LOCAL_MACHINE System settings, installed software, and hardware configurations.
HKEY_USERS Info about all users who have previously logged in.
HKEY_CURRENT_CONFIG Information about currently used hardware.

The most commonly used Hives are: HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_USERS

πŸ“Œ HKEY_CURRENT_USER is linked to the file NTUSER.DAT


💾 Where Registry Hive Files Are Stored on Disk

The hives are ordinary files at fixed locations:

  • C:\Users\[Username]\NTUSER.DAT ↳ the user's hive (HKEY_CURRENT_USER while that user is logged on)

  • C:\Users\[Username]\AppData\Local\Microsoft\Windows\UsrClass.dat ↳ the user's Classes hive (HKEY_CURRENT_USER\Software\Classes)

  • SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT ↳ located in C:\Windows\System32\config\

Each file backs a different hive and must be collected together with its transaction logs, which sit beside it under the same name plus .LOG1 and .LOG2 (e.g. SYSTEM.LOG1, NTUSER.DAT.LOG2).


⚠️ Why Manually Copying Registry Files Does Not Work

If you try to copy the hive files with Explorer or copy while Windows is running (NTUSER.DAT, SYSTEM, …), two things get in the way:

  • The kernel holds every loaded hive file open with exclusive access, so the copy fails with a sharing violation ("The process cannot access the file because it is being used by another process").

  • Even a copy made with a raw-disk tool is only a snapshot of the primary file, and the primary file is constantly behind the transaction logs (.LOG1/.LOG2), which receive each change first and are merged into the primary later.

📌 So: primary file alone = ❌ dirty hive = the most recent changes are missing until the logs are replayed


πŸ› οΈ Extracting Registry Hives Using FTK Imager

πŸ”Έ Method 1: Live Acquisition from the System

  1. Open FTK Imager

  2. Choose Add Evidence Item or Add All Attached Devices

  1. Select Physical Drive β†’ Choose the OS drive

  2. FTK shows all files, even protected ones

  3. Navigate to:

  4. C:\Users\[User] to extract NTUSER.DAT and LOG1/LOG2 files

  5. C:\Windows\System32\Config to extract the remaining Hives

πŸ“Œ Orphan files: have no reference in the file system\ πŸ“ŒUnallocated space: free disk space that might contain remnants of deleted files

If you copy NTUSER.DAT without the LOG files, you'll get a Dirty Hive.

To extract all Hives:

  • You can extract them one by one from the path: \Windows\System32\Config\

  • Or use the Obtain Protected Files feature


🔸 Method 2: Extracting Hives from an Image File

If you have a forensic image (.E01, .dd/raw, AFF):

  1. Open FTK Imager

  2. Choose Add Evidence Item

  3. Select Image File

  4. Load the disk image (for a segmented image, pick the first segment, e.g. .E01 or .001)

  5. Browse the same paths as in Method 1 and export the required files together with their .LOG1/.LOG2 files:

     • [root]\Users\[Username] → NTUSER.DAT (and AppData\Local\Microsoft\Windows\UsrClass.dat)

     • [root]\Windows\System32\config\ → SAM, SYSTEM, SOFTWARE, SECURITY, DEFAULT

🧲 Hive Files You Should Extract:

File name      Hive it backs
NTUSER.DAT     HKEY_USERS\<SID> (seen as HKEY_CURRENT_USER for the logged-on user): per-user settings and activity
UsrClass.dat   HKEY_USERS\<SID>_Classes (HKEY_CURRENT_USER\Software\Classes): per-user file associations, shellbags
SAM            HKEY_LOCAL_MACHINE\SAM: local accounts and password hashes (decrypting them also needs SYSTEM)
SYSTEM         HKEY_LOCAL_MACHINE\SYSTEM: system configuration, services, devices, the boot key
SOFTWARE       HKEY_LOCAL_MACHINE\SOFTWARE: installed software and OS-wide settings
SECURITY       HKEY_LOCAL_MACHINE\SECURITY: security policy and LSA secrets
DEFAULT        HKEY_USERS\.DEFAULT: settings in effect before any user logs on

🧾 Importance of Transaction Logs

  • While the system is running, changes are not written straight into the primary hive file.

  • Since Windows 8.1 every modified page is first appended to the hive's .LOG1/.LOG2 transaction logs (the kernel switches between the two), so a crash in the middle of a write cannot corrupt the primary file.

  • The kernel flushes the accumulated changes into the primary file later, on its own schedule or at shutdown, and marks the primary clean by setting the two sequence numbers in its header equal again.

  • Until that flush the primary file on disk is behind the live Registry. Tools such as Registry Explorer and RECmd detect this from the header sequence numbers and replay the logs, but only if the logs were collected.

Therefore, ignoring these files = incomplete data = ❌ dirty hive


Obtain Protected Files

✅ Best Way to Fully Extract Hives via FTK Imager on a Live System

Instead of exporting the files one by one:

  • Choose File → Obtain Protected Files (this works only against the live machine FTK Imager is running on, not against an image).

  • Pick a destination folder for the extraction.

  • Choose "Password recovery and all registry files" rather than "Minimum files for login password recovery", since we want everything that happened on Windows, not just what is needed to recover logon passwords.

  • The result contains SOFTWARE, SYSTEM, SAM, SECURITY and DEFAULT (the hives under Local Machine, with DEFAULT mounted under HKEY_USERS) and, because we selected everything, NTUSER.DAT and UsrClass.dat for every user profile on the system.

  • Check the destination folder before moving on: depending on the FTK Imager version, the .LOG1/.LOG2 transaction logs may or may not be copied alongside each hive. If they are missing, export them from the physical drive tree (Method 1), otherwise the analysis tool cannot replay the pending changes and will report a dirty hive.
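As an added example (not part of the original page and not FTK Imager's own code), the Python script below performs the two checks the last two sections ask for, on the transaction logs and on an Obtain Protected Files export: it reports which hives are missing their .LOG1/.LOG2 siblings, and it parses the 4 KiB "regf" base block of each file to verify the header checksum and flag a dirty hive, i.e. one whose primary and secondary sequence numbers differ. The header layout it relies on (signature at offset 0, sequence numbers at 4 and 8, version and file type at 20..28, hive name at 48..112, XOR-32 checksum at 508) is the documented Windows hive format. build_base_block and the file listing in the main block are constructed test data rather than real evidence, and scan_export_dir is a convenience wrapper for a real export folder; all names are this example's own.

```python
"""Added example: sanity-check registry hives exported with FTK Imager.
Checks (1) that each hive has its .LOG1/.LOG2 logs beside it and (2) that the
4 KiB 'regf' base block parses, its checksum holds, and whether the hive is
dirty (primary and secondary sequence numbers differ)."""
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 508                      # last DWORD of the 512-byte header area
MACHINE_HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT")
USER_HIVES = ("NTUSER.DAT", "UsrClass.dat")
LOG_SUFFIXES = (".LOG1", ".LOG2")


@dataclass
class RegfHeader:
    primary_seq: int
    secondary_seq: int
    major: int
    minor: int
    file_type: int       # 0 = primary hive file, non-zero = transaction log
    hive_name: str       # tail of the hive path as stored by the kernel
    checksum_ok: bool

    @property
    def dirty(self) -> bool:
        # The kernel bumps primary_seq before a write and secondary_seq after a
        # successful flush; a mismatch means the copy was taken mid-cycle and the
        # newest changes exist only in the transaction logs.
        return self.primary_seq != self.secondary_seq


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the 127 little-endian DWORDs before the checksum field."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        value ^= dword
    if value == 0:                         # the format reserves these two values
        return 1
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return value


def parse_regf_header(data: bytes) -> RegfHeader:
    """Parse the base block of a primary hive or of a .LOG1/.LOG2 file."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' base block missing")
    primary, secondary = struct.unpack_from("<II", data, 4)
    major, minor, file_type = struct.unpack_from("<III", data, 20)
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return RegfHeader(primary, secondary, major, minor, file_type, name,
                      checksum_ok=(stored == regf_checksum(data)))


def audit_export(filenames: Iterable[str]) -> dict:
    """Report machine hives absent from an export and hives lacking their logs."""
    present = {name.lower() for name in filenames}
    missing_hives = [h for h in MACHINE_HIVES if h.lower() not in present]
    missing_logs = {}
    for hive in MACHINE_HIVES + USER_HIVES:
        if hive.lower() in present:
            gaps = [hive + s for s in LOG_SUFFIXES if (hive + s).lower() not in present]
            if gaps:
                missing_logs[hive] = gaps
    return {"missing_hives": missing_hives, "missing_logs": missing_logs}


def scan_export_dir(root: str) -> dict:
    """Parse the header of every hive/log file under an FTK Imager export folder."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_size >= BASE_BLOCK_SIZE:
            with path.open("rb") as fh:
                head = fh.read(BASE_BLOCK_SIZE)
            if head[:4] == b"regf":
                results[str(path)] = parse_regf_header(head)
    return results


def build_base_block(primary_seq: int, secondary_seq: int, hive_path: str,
                     file_type: int = 0) -> bytes:
    """Constructed sample (test data, not a real hive): a checksum-valid base
    block with only the fields parsed above populated."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 4, primary_seq, secondary_seq)
    struct.pack_into("<IIII", block, 20, 1, 5, file_type, 1)   # v1.5, format 1
    name = hive_path[-32:].encode("utf-16-le")[:64]            # 64-byte name field
    block[48:48 + len(name)] = name
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    # Constructed export listing: SYSTEM lacks its logs and SECURITY is absent.
    listing = ["SAM", "SAM.LOG1", "SAM.LOG2", "SOFTWARE", "SOFTWARE.LOG1",
               "SOFTWARE.LOG2", "SYSTEM", "DEFAULT", "DEFAULT.LOG1", "DEFAULT.LOG2",
               "NTUSER.DAT", "NTUSER.DAT.LOG1", "NTUSER.DAT.LOG2"]
    print(audit_export(listing))
    hdr = parse_regf_header(build_base_block(12, 11, r"\??\C:\Users\alice\NTUSER.DAT"))
    print(hdr.hive_name, "DIRTY" if hdr.dirty else "clean", "checksum ok:", hdr.checksum_ok)
```

Point scan_export_dir at the FTK Imager destination folder (the path is yours): any header whose dirty flag is set needs its logs replayed in Registry Explorer or RECmd, and any hive listed under missing_logs has to be re-exported from the physical drive tree before that replay can happen. A failed checksum on a freshly exported hive usually means the export was truncated or the file is not a hive at all.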


Extracting Hives from an Image File (recap)

The image workflow is the same as Method 2 above: add the .E01 or .dd file via Add Evidence Item → Image File, browse it like a mounted drive, and export NTUSER.DAT from [root]\Users\[User] and the remaining hives from [root]\Windows\System32\config\, each together with its .LOG1/.LOG2 files.

⛏️ This is the normal way to analyze a system without booting it. Obtain Protected Files is not available here, since it only works against the live machine.


🧠 Analytical Notes

  • Registry hive files = a mini-database for each part of the system and for each user.

  • Transaction logs = the write-ahead files that protect the primary hive; collect them with every hive.

  • FTK Imager reads the raw disk, so it can display and export files Windows keeps locked.

  • After extraction, parse the hives with tools such as:

  • Registry Explorer (GUI) and RECmd (command line), both of which detect a dirty hive from its header and replay .LOG1/.LOG2 when the logs are present

  • RegRipper


🧾 Summary

Section               Content
Registry definition   A hierarchical database storing system, user and application settings
Main root keys        HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG
Storage locations     C:\Users\[User]\NTUSER.DAT, C:\Users\[User]\AppData\Local\Microsoft\Windows\UsrClass.dat and C:\Windows\System32\config\, each with its .LOG1/.LOG2 logs
Extraction method     FTK Imager, from the live system (physical drive or Obtain Protected Files) or from a forensic image
Important notes       Hives cannot be copied normally while the system is running, and the primary file alone is a dirty hive; collect the transaction logs and use a tool that replays them