Registry forensics by investigation: artifact playbooks
Most registry forensics writing is organized by artifact: here is UserAssist, here is Shimcache, here is what each field means. That is how you learn the registry. It is not how you work a case. In a real investigation you start from a question — did data leave on a USB drive, how did this box get persistence, which accounts were used — and the skill is knowing which handful of artifacts answer that question, in what order, and how they corroborate each other.
These playbooks are organized that way: by the case, not the key. Each one names the registry artifacts that matter for a given investigation, says in one line what each contributes, gives a working order, and flags the gotchas. They lean on the per-artifact deep-dives for detail rather than repeating it. You can work any of them against your own hives in the browser-based parser — load the relevant hives, run every plugin, and the timeline merges the timestamped results into one view.
The playbooks
- Ransomware investigation — how it entered, executed, persisted, and disabled defenses, across SYSTEM, SOFTWARE and NTUSER.
- Insider data theft — what a user accessed, copied, and took, with per-user attribution.
- USB exfiltration timeline — chaining device serial → volume → drive letter → user → folders browsed.
- Lateral movement — which remote hosts a machine reached, with which tools, over which networks.
- Malware persistence triage — a prioritized sweep of the registry autostart surface.
- Account compromise — which accounts exist, which were used, and whether autologon or rogue accounts were set up.
The common ground
Every playbook rests on a few invariants. Establish the time zone first — every local timestamp is meaningless without it. Grab the transaction logs with the hives, or you may be reading stale state. Resolve the current control set before trusting any CurrentControlSet path. And remember the registry tells you about access, configuration and execution — not file contents; the strongest cases corroborate it with file-system, event-log, and other artifacts.
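The three checks above, as an added example that is not part of this site's parser or any playbook: it works on values already pulled out of the hives (the `Select` key's values, `TimeZoneInformation\ActiveTimeBias`, a key's FILETIME last-write) rather than parsing a hive, and the function names and sample values are invented for illustration.

```python
"""Case pre-flight: time zone, transaction logs, current control set.
Inputs are plain Python values extracted from the hives; no hive parser
is assumed. Sample values below are constructed, not from a real case."""
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """A registry LastWrite is a FILETIME: 100 ns ticks since 1601, already UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def local_from_utc(utc: datetime, active_time_bias: int) -> datetime:
    """Apply SYSTEM\\...\\TimeZoneInformation\\ActiveTimeBias (minutes, UTC = local + bias).
    The value is a REG_DWORD, so a host east of UTC stores a negative bias as
    an unsigned 32-bit number; undo that before using it."""
    if active_time_bias >= 2**31:
        active_time_bias -= 2**32
    return utc.astimezone(timezone(timedelta(minutes=-active_time_bias)))


def resolve_control_set(select_values: dict) -> str:
    """CurrentControlSet is a symbolic link that an offline SYSTEM hive lacks;
    SYSTEM\\Select\\Current names the real ControlSetNNN to read."""
    return f"ControlSet{select_values['Current']:03d}"


def missing_transaction_logs(collected: set, hive: str) -> list:
    """A hive copied without HIVE.LOG1/LOG2 may reflect stale, un-replayed state."""
    return [f"{hive}.{ext}" for ext in ("LOG1", "LOG2") if f"{hive}.{ext}" not in collected]


def preflight(select_values: dict, active_time_bias: int, collected: set) -> dict:
    """Bundle the invariants into one record to log at the start of a case."""
    return {
        "control_set": resolve_control_set(select_values),
        "active_time_bias_min": active_time_bias - (2**32 if active_time_bias >= 2**31 else 0),
        "missing_logs": {h: missing_transaction_logs(collected, h) for h in ("SYSTEM", "SOFTWARE")},
    }


if __name__ == "__main__":
    # Constructed sample: Current=1, US Eastern standard bias, SOFTWARE.LOG2 never collected.
    files = {"SYSTEM", "SYSTEM.LOG1", "SYSTEM.LOG2", "SOFTWARE", "SOFTWARE.LOG1"}
    print(preflight({"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2}, 300, files))
    key_utc = filetime_to_utc(132539328000000000)  # constructed LastWrite
    print(key_utc.isoformat(), "->", local_from_utc(key_utc, 300).isoformat())
```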
For the attacker's-eye view of the same keys, see the MITRE ATT&CK detection map; for a quick lookup of where everything lives, the registry forensics cheat sheet; and for the methodology behind the order, the triage methodology.