I am not an expert. I have never claimed to be an expert at anything (at least not seriously done so), least of all an expert in forensic analysis. I am not an expert in Windows Registry analysis. I am simply, by profession, a responder and analyst with some work and research experience in this area. I have also performed a number of analysis engagements, in which information found as part of Registry analysis has played a rather significant role. In one such engagement, Registry analysis allowed me to provide a compelling argument to demonstrate that files known to contain credit card data had been neither found nor accessed by an intruder, thereby reducing the subsequent costs (with respect to notification and fines) to the customer. I have assisted with providing information to demonstrate that certain user accounts had been used to access certain files. More importantly, I have worked through the process of sharing what I have seen with others, by writing this book and sharing what I’ve observed from a practitioner’s perspective. I am not an expert.

When I sat down to write this book, I did so because even in the year 2010, I am amazed at the number of analysts with whom I speak that have no apparent idea of the forensic value of the Windows Registry. Sometimes, when I talk to someone about demonstrating that a user account was used to view files, I get a blank stare. Or after talking about tracking USB devices across systems and no one asks any questions, I get approached by a dozen of the folks from the presentation, between the podium and my exit. It seems that, in many instances, the “abandon hope, all ye who enter here” warning that Microsoft displays on its knowledge base articles regarding the Registry really do a good job . . . of keeping the good guys out, as well as from “digging” or investigating. Sadly, there’s nothing in that admonition that states, “oh, yeah . . . the bad guys are all up in yer Registry!” As a result, many analysts are consistently behind the power curve, learning from the bad guys the new uses for the Registry (persistence, data and executable storage, and so on), often months after they have been established and used.