Hiding Data in the Registry

The Registry is yet another location for hiding data within a live file system. Registry data is stored in several formats, including strings and binary data. Many types of data can be hidden within the Registry, such as text information, passwords, URLs, and binary information. Binary information can include segments of programs or even entire programs. Small programs can be hidden as a binary data type in a Registry key, or a larger program can be segmented, and those segments can be placed in separate keys.
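
An examiner's triage for the hiding technique described above, as an added example that is not from the book: it flags binary Registry values that carry a PE header or are unusually large. The key paths, sample data and thresholds are constructed assumptions; on a live system the tuples would come from a Registry enumeration, for example with Python's winreg module.

```python
import hashlib, math, struct
from collections import Counter

REG_BINARY, REG_SZ = 3, 1   # numeric type codes, as in winreg

def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(values, size_limit=4096, entropy_limit=7.0):
    """values: iterable of (key_path, value_name, reg_type, data).
    Returns (key_path, value_name, reason) for binary values worth a closer look.
    size_limit and entropy_limit are assumed thresholds; tune them per system."""
    findings = []
    for key, name, rtype, data in values:
        if rtype != REG_BINARY:
            continue
        if looks_like_pe(data):
            findings.append((key, name, "PE header"))
        elif len(data) >= size_limit:
            kind = "high-entropy" if entropy(data) >= entropy_limit else "low-entropy"
            findings.append((key, name, "large %s blob" % kind))
    return findings

def sample_values():
    """Constructed sample: a program split across two keys, plus ordinary values."""
    head = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(60)
    tail = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return [
        (r"HKLM\SOFTWARE\Example\A", "Data", REG_BINARY, head),
        (r"HKLM\SOFTWARE\Example\B", "Data", REG_BINARY, tail),
        (r"HKLM\SOFTWARE\Example\C", "Flags", REG_BINARY, b"\x01\x00\x00\x00"),
        (r"HKLM\SOFTWARE\Example\C", "Path", REG_SZ, "C:\\Windows"),
    ]

if __name__ == "__main__":
    for finding in triage(sample_values()):
        print(finding)
```

Only the first segment of a split program carries the PE header, so later segments surface through the size and entropy checks; legitimate values can also be large, which makes this a shortlist for review rather than a verdict.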

Another place to hide data in the Registry is in the time zone information[22]. Time zone information is maintained in the following key:

[22] See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/gettimezoneinformation.asp ...
