SOFTWARE Registry Hive

windows, System Configuration, Disk Image

Location

C:\Windows\System32\config\SOFTWARE

Description

Machine-wide SOFTWARE hive recording installed applications, OS version, network profiles, Windows Defender exclusions, and Group Policy settings.

Forensic Value

Installed application entries with timestamps reveal attacker tool installation. Windows Defender exclusion paths (Policies\Microsoft\Windows Defender\Exclusions) show folders adversaries whitelisted to avoid detection. NetworkList\Profiles records every Wi-Fi and LAN network the host connected to with first/last connection times.
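The first/last connection times under NetworkList\Profiles are stored as 16-byte binary values rather than readable strings, so they need decoding before they can go on a timeline. The following is an added example, not part of the original page; it assumes the value names `DateCreated`, `DateLastConnected` and `ProfileName` and the SYSTEMTIME layout, and runs on constructed sample bytes in place of a parsed hive.

```python
import struct
from datetime import datetime

# Value names (assumed from the standard NetworkList layout, not listed on the page)
TIME_VALUES = ("DateCreated", "DateLastConnected")

def decode_systemtime(raw: bytes) -> datetime:
    """Decode a 16-byte SYSTEMTIME: eight little-endian uint16 fields."""
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    # Naive datetime: the values are host local time, not UTC.
    # datetime() raises ValueError for out-of-range fields such as zeroed data.
    return datetime(year, month, day, hour, minute, second, ms * 1000)

def profile_timeline(profiles: dict) -> list:
    """Return (name, first_connected, last_connected) rows, oldest first."""
    rows = []
    for guid, values in profiles.items():
        try:
            first, last = (decode_systemtime(values[v]) for v in TIME_VALUES)
        except (KeyError, ValueError):
            continue  # missing or malformed timestamp: skip this profile
        rows.append((values.get("ProfileName", guid), first, last))
    return sorted(rows, key=lambda r: r[1])

# Constructed sample: profile subkeys keyed by GUID, values as raw bytes.
SAMPLE_PROFILES = {
    "{00000000-0000-0000-0000-000000000001}": {
        "ProfileName": "CorpWiFi",
        "DateCreated": bytes.fromhex("e707030003000f0009001e002d000000"),
        "DateLastConnected": bytes.fromhex("e707040000000200120005000a000000"),
    },
    "{00000000-0000-0000-0000-000000000002}": {
        "ProfileName": "GuestNet",
        "DateCreated": bytes.fromhex("e6070b00000014000e00000000000000"),
        "DateLastConnected": bytes.fromhex("e6070b00000014000f000c0000000000"),
    },
    "{00000000-0000-0000-0000-000000000003}": {
        "ProfileName": "Corrupt",
        "DateCreated": bytes(16),  # zeroed value, rejected by the decoder
        "DateLastConnected": bytes(16),
    },
}

if __name__ == "__main__":
    for name, first, last in profile_timeline(SAMPLE_PROFILES):
        print(f"{name:10} first={first.isoformat()} last={last.isoformat()}")
```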

Tools Required

KAPE, RegRipper, Registry Explorer (Eric Zimmerman)