To help potential clients understand some of the actions and terminology involved in computer investigations and forensics, we have created this page to explain some of the more common issues we address. Read in order, it gives a thorough picture of how data is created and saved, and most importantly, what happens when it is deleted.

INTERNET PROTOCOL ADDRESS (IP)

An Internet Protocol (IP) address is the numeric address a device uses on the Internet. It is assigned by the Internet service provider (ISP) for the period that the device is connected, and no two devices on the public Internet can use the same public address at the same time. (A home router commonly shares one public address among every device behind it, so the address identifies the connection rather than one specific machine.) An IPv4 address is written as four groups of numbers, or octets, each from 0 to 255, such as 203.0.113.5. In that sense it is as unique as a street address: no two houses share one. Here is how the process works. When your device connects to the Internet, whether manually by dial-up or automatically via cable or DSL, it communicates with your ISP, the company you buy your monthly access from, such as AOL, Earthlink or Comcast Cable. Using Comcast Cable Communications (CCC) as the example ISP: when you go online, your device talks to a computer at CCC known as a server and asks for an IP address. CCC verifies that your account is entitled to access and issues the address, which is what connects you to the Internet. The address is issued as a lease for a set time; when the device goes offline and the lease expires, the address returns to the pool and may be given to another customer. You may receive the same address again on another occasion, and on always-on cable connections such as CCC’s it is common to keep the same address for long periods, depending on the type of account and connection. Each ISP is allocated ranges of addresses to issue to its customers by the regional Internet registries, under the overall coordination of IANA, which operates within ICANN.

Each mail server that handles a message adds a Received: header recording the address it accepted the message from, so a message normally carries the public IP address of the connection it was sent from. When an email is sent, it passes through a minimum of two, and more typically at least four, computers, and each tags the message with the relevant address and time, allowing a qualified expert to trace the path of the email. Two caveats apply: only the headers added by servers you trust are reliable, since a sender can forge the ones beneath them, and some webmail services do not record the sender’s own address in the message, which is why records from the provider are often needed. In some cases the expert can then employ Internet profiling techniques to identify the sender more clearly. When profiling does not produce conclusive proof, a subpoena, warrant or Anton Piller order can be issued to the ISP, compelling it to provide subscriber information for the device connected to that IP address at the specified date and time.
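The trace described above, walked by a script. This is an added example and not the original page’s tooling: it reads the Received: headers of a message and lists the hops in the order the message actually travelled (each server prepends its header, so the chain is read bottom-up), recording the address the receiving server observed, the name the sender announced, and the timestamp. The message is constructed; the hostnames are example.* names and the addresses are from the RFC 5737 documentation ranges plus one RFC 1918 private address. The regular expression is a deliberately simple reading of the common "from X (Y) by Z" form and will not parse every server’s header layout.

```python
"""Reconstruct the path of an e-mail from its Received: headers (added example)."""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed message: three hops, newest header on top, as a real chain of servers leaves them.
SAMPLE_MESSAGE = (
    b"Received: from mx2.example.net (mx2.example.net [198.51.100.7])\r\n"
    b"\tby mail.example.org with ESMTPS id abc123;\r\n"
    b"\tMon, 1 Jan 2024 10:00:05 +0000\r\n"
    b"Received: from relay.example.net (relay.example.net [198.51.100.2])\r\n"
    b"\tby mx2.example.net with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000\r\n"
    b"Received: from [192.168.1.45] (cust-45.example-isp.net [203.0.113.45])\r\n"
    b"\tby relay.example.net with ESMTPSA id xyz; Mon, 1 Jan 2024 10:00:01 +0000\r\n"
    b"From: someone@example.net\r\n"
    b"To: you@example.org\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"hello\r\n"
)

# "from <name the sender announced> (<what the receiving server observed>) by <receiving server>"
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)(?:\s+\((?P<observed>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _unfold(value):
    """Join a folded header: continuation lines start with whitespace."""
    return " ".join(line.strip() for line in value.splitlines())


def parse_received(value):
    """Parse one Received: header into a hop dict, or None if it is not in the expected form."""
    value = _unfold(value)
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    observed_ip = IPV4_RE.search(m.group("observed") or "")
    helo_ip = IPV4_RE.search(m.group("helo"))
    when = None
    if ";" in value:                                  # the timestamp follows the last semicolon
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return {
        "helo": m.group("helo"),                      # sender's claim: not verified by anyone
        "observed_ip": observed_ip.group(1) if observed_ip else None,   # seen on the TCP connection
        "helo_ip_private": bool(helo_ip) and ipaddress.ip_address(helo_ip.group(1)).is_private,
        "by": m.group("by"),
        "time": when,
    }


def received_chain(raw):
    """Return the hops in transit order, origin first."""
    msg = email.message_from_bytes(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()                                    # headers are prepended, so reverse them
    return hops


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_MESSAGE)):
        print(i, hop["observed_ip"], "->", hop["by"], hop["time"])
```

The first hop’s observed address, 203.0.113.45, is the one a subpoena would be issued for; the address the sending machine announced about itself, 192.168.1.45, is a private LAN address and only shows that the sender was behind a router. Only the topmost header (added by mail.example.org, the recipient’s own server) is known to be genuine; everything beneath it arrived with the message and could have been written by the sender.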

DATA

At its lowest level a computer works in machine language, which is made of zeros and ones; each zero or one is a bit, and eight bits make one byte. In the single-byte encodings this page assumes (ASCII and the Windows code pages), one letter, number or other character occupies one byte: the letter A is a particular pattern of eight zeros and ones, and the word ‘definition’ is ten bytes long. (Files stored in Unicode, as many Windows documents are, use two or more bytes per character, which matters when searching a drive for text.) 1024 bytes are one kilobyte. This is crucial to understanding how data occupies space, and even more to understanding how data gets into a particular place on a computer, remains there after deletion, or is erased from that location.

HARD DRIVE STRUCTURE

A hard drive cannot just be an unorganized open space containing bits and bytes. It must be structured in such a way that data can be found efficiently. To this end, a hard drive is divided up into small spaces that the operating system can reference to find data and deliver it to the user. The smallest space on a hard drive is called a sector, traditionally 512 bytes in size; newer “Advanced Format” drives use 4096-byte sectors, but the examples here use 512. A 512-byte sector can hold 512 letters or other characters, and no more.

To give you an idea of how big this is, take a look at the following paragraph:

Here lived once upon a time a wicked prince whose heart and mind were set upon conquering all the countries of the world, and on frightening the people; he devastated their countries with fire and sword, and his soldiers trod down the crops in the fields and destroyed the peasants’ huts by fire, so that the flames licked the green leaves off the branches, and the fruit hung dried up on the singed black trees. Many a poor mother fled, her naked baby in her arms, behind the still smoking walls of her cottage.

The above paragraph contains exactly 512 characters and, at one byte per character, is 512 bytes or one sector in size. By comparison, an 80 GB hard drive contains approximately 156,280,257 sectors.

The next division that exists on a hard drive is known as a cluster, which is a collection of sectors.

A very common cluster size is four kilobytes, in which case, the cluster would contain eight sectors. The smaller the cluster is, or the fewer sectors it has, the more efficient the use of hard drive space. The larger the cluster is, or the more sectors it has, the easier it is to catalogue and retrieve data. A sector is almost like a filing cabinet drawer and a cluster the entire cabinet. Clusters are usually what are referred to when discussing hard drive space, and so for the remainder of this page, I will be referring to clusters.

Based on the explanation above, let’s examine the paragraph below.

Here lived once upon a time a wicked prince whose heart and mind were set upon conquering all the countries of the world, and on frightening the people; he devastated their countries with fire and sword, and his soldiers trod down the crops in the fields and destroyed the peasants’ huts by fire, so that the flames licked the green leaves off the branches, and the fruit hung dried up on the singed black trees. Many a poor mother fled, her naked baby in her arms, behind the still smoking walls of her cottage; but also there the soldiers followed her, and when they found her, she served as new nourishment to their diabolical enjoyments; demons could not possibly have done worse things than these soldiers!

This paragraph contains 711 characters, or bytes, so it no longer fits in a single 512-byte sector: it needs two sectors (1024 bytes), but it still fits inside one 4 KB cluster. Photographs take up far more space than text; a relatively small picture on the Internet could be anywhere from 5 to 40 KB.

SLACK SPACE

When Windows stores a file, it fills as many clusters as needed, but except in the rare instance of a perfect fit, a portion of the final cluster is left without new data. The space between the end of the file and the end of the cluster is known as slack space or file slack.

For example, let’s suppose your office uses 500-page notebooks to compose all their documents. It is your office policy that no two documents will share a notebook, so one document and one notebook. If your document is only ten pages long, you must dedicate an entire notebook to the task. Once the notebook is in use, you can add another 490 pages, until the notebook won’t hold another sheet. For the 501st page and anything beyond that, you have to use a second notebook. The difference between the last word of the document and the end of the notebook is referred to as the slack space. Smaller notebooks would have less slack, but you’d have to keep track of a lot more volumes.

It is important to understand that the computer counts this slack space as used, even though it holds no current data. A drive reported as full can therefore contain a great deal of slack; with many small files and large clusters it can amount to as much as 40% of the drive.

For the purposes of my explanations, I will refer to data in two ways. Resident data is that which currently exists on the hard drive in its normal form, while deleted data is that which is erased.

DATA DELETION

Deleted files and data are items that a user has deleted by normal means, so they have been sent to the Recycle Bin on the desktop, together with whatever is then emptied from the Recycle Bin. Most people assume such data is gone forever. In fact nothing is moved: the clusters the file occupied are simply marked as free and become part of what is called unallocated space, the part of the drive the user cannot see through Windows. If you have a 20 GB hard drive but have stored only 5 GB of data on it, the remaining 15 GB is unallocated space, and it can still contain the contents of anything deleted earlier.

MASTER FILE TABLE

When a file is deleted, it doesn’t actually disappear. As explained earlier, clusters hold files. Hard drives have millions of clusters, so the computer needs a way to locate a specific one. On NTFS, the file system used by modern Windows, it does this with the master file table, or MFT, essentially a table of contents whose records point to the clusters each file occupies. (FAT volumes, such as most USB sticks, keep the same kind of information in directory entries and the file allocation table, and NTFS can store a file of only a few hundred bytes inside its MFT record rather than in a cluster, but the principle is the same.) Suppose a user creates the file from my example above and calls it The Little Prince; it is saved to a space covering one cluster, say cluster number 3,000,000. An entry is made in the MFT, so that the next time I double-click the icon, the MFT tells the computer where to find the document. If I then delete the document, or quick-format the drive, the data still sits on cluster 3,000,000; what is removed is the MFT entry (or, in the case of a format, the MFT is rebuilt). Once the reference is gone, the computer no longer knows where to look for the document, and it is told that cluster 3,000,000 is free for new data. Until something new is actually written there, the old data remains. With our expertise and specialized software, we can search unallocated space for the document by a variety of parameters and restore the formerly deleted file to usable status. Two caveats: a full (not quick) format on Windows Vista and later writes zeros over the whole volume, which removes this opportunity, and on solid-state drives the drive’s own housekeeping (TRIM) can erase freed blocks on its own.

Let’s go one step further. Suppose I had deleted the file mentioned above, or reformatted the entire drive. At some point, I then created a new document as shown below.

Mary had a little lamb, its fleece was white as snow. Everywhere that Mary went, the lamb was sure to go.

When I saved it, through the computer’s normal allocation of space, it went to cluster 3,000,000. It is only 105 characters, or bytes, in size, but as explained above the entire cluster is set aside for it. The first 105 bytes of the cluster have now been overwritten by the new data, while the rest of the old data, now in this file’s slack space, is still present. Because the cluster belongs to a 105-byte document, nothing else will be written to the remainder of it. The old data therefore stays there to be found until the new document is deleted or grows, or until the space is wiped.

The new document has covered up part of the old document that used to exist there, and the rest of the cluster cannot now be written to by anything else, so I can still recover the old information that sits in what is now the new file’s slack space. One refinement applies on modern Windows: when NTFS writes the last sector of a file it pads the rest of that 512-byte sector with zeros, so the recoverable old data begins at the next sector boundary rather than immediately after the new text. The depiction below, showing only the data on that one cluster as it would appear in my forensic program, omits that detail for clarity.

Mary had a little lamb, its fleece was white as snow. Everywhere that Mary went, the lamb was sure to go.es of the world, and on frightening the people; he devastated their countries with fire and sword, and his soldiers trod down the crops in the fields and destroyed the peasants’ huts by fire, so that the flames licked the green leaves off the branches, and the fruit hung dried up on the singed black trees. Many a poor mother fled, her naked baby in her arms, behind the still smoking walls of her cottage.

As you can see, even though I deleted a document and wrote another document on top of it, I can still see most of the old document.
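The allocation, deletion and overwrite just described, modelled in code. This is an added example, not the page’s own software: a toy volume of 4 KB clusters made of 512-byte sectors, a table of contents standing in for the MFT, a delete that removes only the table entry, and a smaller file written over a cluster that held a larger one. The flag zero_fill_sector=True models modern NTFS, which zero-pads the rest of the last sector it writes; the page’s illustration corresponds to zero_fill_sector=False. OLD_TEXT and NEW_TEXT are the page’s own sample paragraphs, with an ASCII apostrophe so that one character is one byte; the one-cluster-per-file limit is a simplification of this model.

```python
"""Toy volume: clusters, a table of contents, deletion and file slack (added example)."""
import re

SECTOR = 512
CLUSTER = 8 * SECTOR            # 4 KB, the "very common cluster size" on the page

OLD_TEXT = (
    b"Here lived once upon a time a wicked prince whose heart and mind were set "
    b"upon conquering all the countries of the world, and on frightening the "
    b"people; he devastated their countries with fire and sword, and his soldiers "
    b"trod down the crops in the fields and destroyed the peasants' huts by fire, "
    b"so that the flames licked the green leaves off the branches, and the fruit "
    b"hung dried up on the singed black trees. Many a poor mother fled, her naked "
    b"baby in her arms, behind the still smoking walls of her cottage; but also "
    b"there the soldiers followed her, and when they found her, she served as new "
    b"nourishment to their diabolical enjoyments; demons could not possibly have "
    b"done worse things than these soldiers!"
)                               # 711 bytes: two sectors, one cluster
NEW_TEXT = (b"Mary had a little lamb, its fleece was white as snow. "
            b"Everywhere that Mary went, the lamb was sure to go.")   # 105 bytes


def ceil_div(a, b):
    return -(-a // b)


def clusters_needed(size, cluster=CLUSTER):
    return ceil_div(size, cluster)


def slack_bytes(size, cluster=CLUSTER):
    """Allocated but unused bytes at the end of a file's last cluster."""
    return clusters_needed(size, cluster) * cluster - size


class ToyVolume:
    def __init__(self, clusters=4, zero_fill_sector=True):
        self.disk = bytearray(clusters * CLUSTER)    # the raw clusters
        self.table = {}                               # name -> (cluster, size): the MFT analogue
        self.free = list(range(clusters))             # clusters marked free
        self.zero_fill_sector = zero_fill_sector

    def write(self, name, data):
        """Allocate the lowest free cluster and store data there (one cluster per file)."""
        assert len(data) <= CLUSTER
        c = self.free.pop(0)
        start = c * CLUSTER
        self.disk[start:start + len(data)] = data
        if self.zero_fill_sector:                     # NTFS pads the last sector it writes
            end = start + ceil_div(len(data), SECTOR) * SECTOR
            self.disk[start + len(data):end] = bytes(end - start - len(data))
        self.table[name] = (c, len(data))
        return c

    def delete(self, name):
        """Remove only the table entry; the bytes on disk are untouched."""
        c, _ = self.table.pop(name)
        self.free.append(c)
        self.free.sort()

    def read(self, name):
        c, size = self.table[name]
        return bytes(self.disk[c * CLUSTER:c * CLUSTER + size])

    def slack(self, name):
        """Bytes from the end of the file to the end of its cluster."""
        c, size = self.table[name]
        return bytes(self.disk[c * CLUSTER + size:(c + 1) * CLUSTER])

    def raw_cluster(self, c):
        return bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])


def printable_runs(data, min_len=8):
    """Runs of printable ASCII: the plain-text search of slack the page describes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def demo(zero_fill_sector):
    """Write the long paragraph, delete it, then write the short one over it."""
    vol = ToyVolume(zero_fill_sector=zero_fill_sector)
    vol.write("The Little Prince", OLD_TEXT)
    vol.delete("The Little Prince")                  # bytes remain on cluster 0
    vol.write("Mary", NEW_TEXT)                       # reuses cluster 0
    return vol


if __name__ == "__main__":
    v = demo(zero_fill_sector=False)
    print(v.read("Mary") + v.slack("Mary").rstrip(b"\x00"))
```

With zero_fill_sector=False the slack begins "es of the world", exactly as in the depiction above; with zero_fill_sector=True the first 407 bytes of slack are zeros and the old text resumes at the sector boundary with "but also there the soldiers followed her".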

The Windows system is designed to be blind to all information in the slack space. Searching is accomplished using a forensically sound copy of the drive and specialized examination software.

File slack is, by its very nature, fragmented, and the information identifying file type is often the first data to be obscured.

The search for plain-text information is typically the most fruitful avenue in file slack examination and an exercise often measured in hours, days, or weeks of review.

DATA ALLOCATION

In most cases, when someone uses a computer, the data they create, generate, download, or merely view online, gets stored on the hard drive, sometimes in more than one place. For example, if you were to visit the webpage located at http://www.computerpi.com, you would be viewing my company’s home page. Even if you do nothing else, a record has been created on your computer that you visited this page. This record includes:

  • A copy of the page automatically downloaded to your hard drive
  • Each individual picture or image on that page separately downloaded to your hard drive
  • The URL, or page name, saved to a number of different locations on your hard drive
  • A reference to the page inside Internet Explorer’s history file, index.dat (other browsers keep equivalent history databases)
  • All dates and times of activity relative to the page or pages

All of this information is retrievable, if it has not yet been overwritten.

In the case of a document you create, say MyLetter.doc, the original is not the only copy saved. Many programs save by writing a new copy of the file and then removing the old one, so every time you open the document, change it and save it, the previous version’s clusters are released into unallocated space while the computer references only the latest version. It is extremely common, when searching a drive forensically for a text string, to turn up several versions of the same document. In addition, entries are made in a number of other places, such as the Recent Documents folder, which shows that the file was recently accessed.

RECOVERED FOLDERS

Recovered folders contain data that was recovered using a forensic data recovery program. In order for a file to be recovered by the program in the manner used in this case, it must not be overwritten at all by any other data.

FILE WIPING

Wiping files and data is different from deleting them. A wiping program attempts to remove all traces of a file from every area in which it may exist. As shown above, saving new data to an old cluster overwrites only as much as the new file needs, leaving the rest of the old data visible to the trained eye. A file-wiping program instead overwrites the whole of the old data, with zeros, a chosen pattern or random bytes, and many offer further options such as altering metadata, obscuring folder and file names, or generating decoy names and file counts. There are places a wiping program cannot reach: a file that another process holds open cannot be changed or deleted by an outside program, so the registry hives and other Windows system files that are in use from the moment the computer starts are beyond it. To illustrate, the example below shows raw data from unallocated space that has been left undisturbed.

This is a chunk of data that was deleted normally, with no effort to wipe it:

ÿØÿà JFIF ÿÛ C #%$””!&+7/&)4)!” 0A149;>>>%.DIC;ÿÛC (“(;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;; ÿÀ e ÷ ” ÿÄ ÿĵ} !1A Qa”q 2?‘¡#B ±Á RÑð$3br‚ %&'() *456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…† ‡ˆŠ’“”•˜™š¢£ ¤¥¦§¨©ª²³´µ•¸¹ ºÂÃÄÅÆÇÈÉÊÒÓ ÔÕÖ×ØÙÚáâãäå æçèéêñòóôõö÷ øùúÿÄ ÿĵw!1AQaq “2? B‘¡ #3Rð brÑ $4á%ñ &'()*56789: CDEFGHIJSTUVWXYZcdefghijstuvwxyz‚ƒ„…†‡ˆ‰Š’“”•˜™š¢ £¤¥¦§¨©ª²³´µ•¸¹ ºÂÃÄÅÆÇÈÉÊÒÓÔ ÕÖ×ØÙÚâãäåæçèé êòóôõö÷øùúÿÚ ?öj(¢€(¢ €(¢€ÅñW‰m¼¤}hžye•`?Ó6v®ã$ôõ8j¸ÏŠ Eö©áÛ9lÞåôýB •‚%$ˆ»?;•ÍœqÀ?Jµ¤x› P?Åð‹kðÛAÖî ‹=ÞL«Ñk T† OÌ ~^ A«øÎ{OZ ë Ù<<ï} ‘ $ÂL±òØ0 ÈÈ99(ùŽ}‘ÿ„‡âä:ö™›?* ×HòMâŒÄò cµ[¡8È탚ÂñsÜjº£5ÅŸ‰ï Äz à“qn…Z0±€D?˜–cÎ p ÚõÚ̆úúçÄ7 ±Û “éÖ‘ –w$;ÎÛX*›UKw.

Looking at this, I know it is the beginning of a picture that was deleted: the first bytes are the JPEG signature, followed by the letters JFIF. Had it been wiped, the same space would look more like the following:

yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

In other words, a wipe utility works on the premise that every byte previously there must be overwritten to obliterate it, and wipe programs use patterns like the one above to make sure they cover everything. The contents are gone, but the pattern itself is plainly visible, so an examiner can usually tell that a wipe took place, and roughly where.

METADATA

When files are created in Windows, a number of things occur behind the scenes that the average user is generally unaware of. One of these is the creation of what is known as metadata. This is data added to a file that can include information such as the author’s name, the program used, and most importantly for our purposes, the date and time stamps when a file was created, modified and accessed.

Created meta refers to the date and time that the file was created on that volume. Copying a file to another drive gives the copy a new creation date while it keeps the original’s modification date, which is why a file can appear to have been modified before it was created.

Modified meta refers to the date and time that the file was modified in some way.

Accessed meta refers to the date and time that the file was last opened or read. Since Windows Vista, NTFS does not update last-access times by default (the NtfsDisableLastAccessUpdate setting), so on newer systems this value may reflect little more than when the file was created or copied and should not be relied on alone.
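The three timestamps read and, deliberately, rewritten. This is an added example, not from the original page: it writes a constructed file in a temporary directory, reads the created, modified and accessed times the page describes, then sets the modified and accessed times to arbitrary values with os.utime and reads them back. The point for a practitioner is that these values are ordinary data under the control of anyone who can write the file (the practice is known as timestomping), so they corroborate other evidence rather than prove anything on their own. The file name MyLetter.doc is taken from the page; its contents are made up. Creation time is reported from st_birthtime where the platform exposes it (Windows, macOS, Python 3.12+ on Linux) and cannot be set through this API.

```python
"""Read MAC timestamps and show that two of them can be rewritten at will (added example)."""
import os
import tempfile
from datetime import datetime, timezone


def file_times(path):
    """Return the created/modified/accessed timestamps as UTC datetimes."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime", None)         # not available on every platform
    to_dt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return {
        "created": to_dt(birth) if birth is not None else None,
        "modified": to_dt(st.st_mtime),
        "accessed": to_dt(st.st_atime),
    }


def set_times(path, modified, accessed):
    """Rewrite the modified and accessed times, as a timestomping tool would."""
    os.utime(path, (accessed.timestamp(), modified.timestamp()))
    return file_times(path)


def demo():
    """Create a file, record its times, backdate it, and return both readings."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "MyLetter.doc")         # constructed file, name from the page
        with open(path, "wb") as f:
            f.write(b"Dear Sir, this letter is a constructed sample.")
        before = file_times(path)
        modified = datetime(2009, 6, 15, 9, 30, tzinfo=timezone.utc)
        accessed = datetime(2009, 6, 16, 8, 0, tzinfo=timezone.utc)
        after = set_times(path, modified, accessed)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, times in ("before", before), ("after", after):
        print(label, {k: v.isoformat() if v else None for k, v in times.items()})
```

An examiner compares these values against sources the user could not easily edit in the same way, such as the journal and MFT-internal timestamps on NTFS or the times recorded inside .lnk files, and treats a modified date earlier than the created date as the ordinary result of copying rather than as proof of tampering.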

HTML – HyperText Markup Language

HTML is best described as the markup language in which web pages are written. It is a set of instructions that, when the browser reads them, produce a web page on your screen. This does not happen all at once: the browser reads the document from top to bottom, which can be seen on a slow dial-up connection when you watch the page load downwards. If the author inserts program code within the HTML, called JavaScript, it can cause an automatic action to occur. If that code opens a new window containing an advertisement, the window appears as soon as the browser has read the HTML up to the point where the script runs.

POPUP

A popup is a page or window, usually small, that appears either when a link or linked item is clicked or from an automatic trigger. In many cases popups are produced by JavaScript, of which there are many varieties.

You can have popups that load when you first visit a page, when you exit a page, or after a set time has elapsed once the page is loaded. Besides the popups you see immediately, there are popunders, which you do not notice until you close the pages in front of them, because they open behind all the other windows, where they can be creating still more popups. A single HTML page can contain numerous popup scripts, so visiting one page can suddenly leave a dozen popups on your screen, and even more when you exit, not counting any popup code in the new pages that have themselves popped up. Current browsers block popups that are not the direct result of a click by default, but the artifacts described here are still found on older systems.

Popups are really only HTML pages that are configured to open at a specific height and width, so the popups themselves can have a Javascript to create even more popups. That’s why you can find yourself visiting a site, and be utterly swamped with them. Those popups can also have exit popups, so that when you close them, another one appears, then another, then another, and so on, until your browser may even eventually crash due to the data volume.

JAVASCRIPT

JavaScript is a scripting language that the browser runs as it loads a web page, usually as soon as it reaches the script within the page. In the case of many web page popups, and especially on pornographic websites, the browser reads the page from top to bottom and a popup appears when it reaches the JavaScript. In many cases the new page that pops up contains JavaScript of its own, which activates yet another popup, so entering one page can cause numerous other pages to load automatically. As I explained earlier, everything displayed on your screen has been downloaded to your computer, even without your intervention or any specific action. Continuous popups appearing one after another in rapid, automatic succession are called a popup attack.

FILE EXTENSION

In relation to computer files, a file extension is an addition to the file name in the form “.xxx”, where “xxx” is a short string of alphanumeric characters chosen by the program that created the file. The extension allows a file’s type or format to be described as part of its name, so users can tell what kind of file it is without opening it, and it helps an application recognize whether a file is a type it can work with. The extension is only part of the name, however: a user or a program can rename a .jpg as .txt, and Windows hides common extensions by default, so an examiner relies on the file header (described below) rather than the extension to determine a file’s true type.

.JPG EXTENSION

The .jpg file extension stands for Joint Photographic Experts Group and is written as both .jpg and .jpeg. JPEG is a standardized image compression method designed for photographic images, often for use on the Internet. It is “lossy,” meaning that the decompressed image is not quite the same quality as the original. Many programs display .jpg images, including Internet Explorer, and a .jpg file will usually be a picture of something.

.BMP EXTENSION

The .bmp file extension stands for BitMap, and was designed by Microsoft. This is a less effective way of displaying images on the Internet, because it doesn’t compress the images, thereby usually making them quite large. They will be used for small images online or are sometimes used to display thumbnails, but the .bmp file extension usually indicates a picture or created graphic image of some kind.

.GIF EXTENSION

The .gif file extension stands for Graphic Interchange Format and is a common format for image files, especially suitable for images containing large areas of the same colour. A .gif format file of simple images is often smaller than the same file stored in .jpg format, but .gif doesn’t store photographic images as effectively as .jpg. A .gif file will usually be a created graphic image of something and .gif images are widely used as the format of choice for Internet icons and buttons.

.DLL EXTENSION

Short for Dynamic Link Library, a .dll file contains executable functions or data that Windows applications can use. Typically a DLL provides one or more functions, and a program reaches them either by linking at load time, in which case Windows loads the DLL automatically when the program starts, or by loading it explicitly at run time when it is needed. DLLs can also contain only data; for example, a .dll can hold all of the possible options for a drop-down list in a program.

.LNK FILES

Link files are shortcut files with the extension .lnk. A link file points to a target file, which can be an application, a folder, a document or a data file. Clicking a shortcut runs the target: if it is an application, the application is launched; if it is a document, the registered application runs and opens it. Certain actions by the user create link files without their knowledge. Specifically, when a user opens a document, a link file is created in the Recent folder, which on Windows XP sits directly under the user’s profile folder (named after the logon name) and on later versions under %APPDATA%\Microsoft\Windows\Recent. The link files in this folder serve as a record of the documents opened by the user, and each one records the target’s path, size and timestamps as they were when it was opened, so the record survives even if the document itself is later deleted.

FILE HEADERS

A file header is the information at the very beginning of a file that identifies its format, usually with a few fixed bytes known as a signature or “magic number”. Depending on the format, the header may also record details such as image dimensions, the creating program or, for some container formats, dates and sizes. Those first bytes tell a program how to read the rest of the file. A file header is not hidden: any hex editor or forensic tool displays it, and it is what an examiner uses to identify a file whose name or extension has been changed. For our purposes, a file footer is the last few characters of a file, which tell the program that it has reached the end. Much as a capital letter and a period mark the beginning and end of a sentence, a header and footer mark the beginning and end of a file. The header for a given file type is always the same. A .jpg file begins with the bytes FF D8 FF, which appear as ÿØÿ in a text view, followed a few bytes later by the letters JFIF (or, for camera images, Exif); a Microsoft Excel .xls file begins with the bytes D0 CF 11 E0 A1 B1 1A E1, which appear as ÐÏ.ࡱ.á and are in fact the signature of the OLE2 compound-document container that older .doc and .ppt files share, so that signature identifies the container rather than the specific application.

File footers do not always exist, and some formats do not define one, but where a format has a footer it is the same for every file of that type. A .jpg file ends with the bytes FF D9, which appear as ÿÙ.
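Signature carving and wipe detection over a chunk of unallocated space, as an added example that serves both the FILE WIPING section above and the FILE HEADERS section just discussed; it is not the page’s forensic software. The signatures are the ones the page shows: a JPEG begins FF D8 FF and ends FF D9, and a legacy Office file begins with the OLE2 compound-document signature D0 CF 11 E0 A1 B1 1A E1. The 3 KB image of “unallocated space” is constructed inline, laid out in 512-byte sectors, and contains a deleted text fragment, a deleted picture, two sectors overwritten with the ‘y’ pattern from the page, the start of a deleted .xls, and one never-written sector.

```python
"""Carve by file signature and flag repeated-byte (wiped) sectors (added example)."""

# (header, footer); footer is None where the format has no fixed end marker
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "ole2": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None),
}


def carve(image):
    """Locate header signatures; where a footer exists, measure to it.

    Returns (type, offset, length) tuples sorted by offset. length is None when
    the format has no footer or the footer was not found (e.g. overwritten).
    """
    hits = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos >= 0:
            length = None
            if footer is not None:
                end = image.find(footer, pos + len(header))
                if end >= 0:
                    length = end + len(footer) - pos
            hits.append((ftype, pos, length))
            pos = image.find(header, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def wiped_chunks(image, chunk=512):
    """Offsets of sector-sized chunks consisting of one repeated byte.

    All-zero chunks may simply never have been written; a non-zero fill such
    as the 'y' pattern on the page is the stronger sign of a deliberate wipe.
    """
    out = []
    for off in range(0, len(image) - chunk + 1, chunk):
        blk = image[off:off + chunk]
        if blk.count(blk[0]) == chunk:
            out.append((off, blk[0]))
    return out


def build_sample_image():
    """Constructed 3 KB of 'unallocated space', one artifact per 512-byte sector."""
    text = b"Here lived once upon a time a wicked prince whose heart and mind were set upon conquering."
    sector0 = text.ljust(512, b" ")                         # deleted text document
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 200 + b"\xff\xd9"
    sector1 = jpeg.ljust(512, b"\x02")                       # deleted picture, 213 bytes
    wiped = b"y" * 1024                                      # two sectors overwritten by a wiper
    ole2 = SIGNATURES["ole2"][0].ljust(512, b"\x03")         # start of a deleted .xls
    never_used = bytes(512)
    return sector0 + sector1 + wiped + ole2 + never_used


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    print(carve(SAMPLE_IMAGE))          # [('jpg', 512, 213), ('ole2', 2048, None)]
    print(wiped_chunks(SAMPLE_IMAGE))   # [(1024, 121), (1536, 121), (2560, 0)]
```

Real carvers add limits on maximum file length, validate the header structure beyond the first bytes, and handle fragmented files; this one shows only the core idea that the header, not the name, identifies the data, and that a wipe leaves a recognisable pattern where contents used to be.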

COOKIES

A cookie is a small piece of text that a web server sends to a user’s browser, which the browser stores and sends back to that server whenever it returns to the website. A web server is the computer that hosts a website and responds to requests from a user’s browser, such as Internet Explorer. Cookies may include information such as login or registration identification, user preferences or online shopping cart contents, or in most cases merely the fact that the site was visited. The web server may use the cookie to customize the display it sends to the user, or to keep track of the different pages within the site that the user accesses. Browsers may be configured to alert the user when a cookie is being sent, or to refuse cookies, although some sites cannot be used unless the browser accepts them. A user doesn’t need to visit a site directly to receive a cookie from it. For example, if www.magnets.com carries a banner advertisement served from a different website, that website can set a cookie (a third-party cookie) on your computer even if you never click the banner or visit the site it points to. Browsers limit each cookie to about 4 KB.

THUMBNAILS

A thumbnail is an image you frequently find on web pages. Usually photograph or picture archives will present a thumbnail version of their contents, since this allows the page to load more quickly, then when a user clicks on the small image, a larger version will appear. Sometimes these will be links to a new page containing the larger graphic and at other times will connect to the image directly. In some cases, the thumbnail can be very misleading, when it doesn’t take you to the picture you originally see. It can actually take you to an entirely different site and this is common practice on pornographic websites.

TOPLISTS

A toplist is a script-driven site consisting of a long list of links to other websites. The links change their order every few minutes according to which listed website is sending the most traffic or users to the toplist. The objective for a listed site is to send enough traffic to stay near the top of the list without being the one sending the most. The sites closest to the top usually receive the most traffic, since they are what the user sees first. Usually each entry is a descriptive link or picture with two numbers next to it, typically the counts of visitors sent in and out.

The last site the traffic came from may not have been what the user was looking for. It may have been a site full of blondes when the user was looking for a picture of what looked like their ex-girlfriend who was a brunette. The ‘better’ toplists offer the user all the different subject flavors, in order to make the best use of the new traffic they get. The idea of toplists is simple. If a website wants to succeed in any industry, it can’t do it alone. It needs to create a network of sites that takes advantage of other websites’ need to exchange links.

Toplists are notorious for the popup attacks they can initiate. It is not uncommon for a toplist to generate between ten and twenty additional web pages that will automatically open all at once on a user’s screen. A toplist can also contain in excess of thirty thumbnails. If that toplist generates a popup attack featuring ten pages on a user’s computer, and each page has thirty thumbnails, that’s 300 pictures which are automatically downloaded to the user’s computer, unknown to the user. Given that the user has no control over what pages appear in a popup attack, unsolicited pictures of all types can very easily come to reside on a computer hard drive.

In a vast majority of cases on the Internet, especially pornography, these images and links don’t actually lead to what they suggest they are linking a user to.

TGP

Tgp stands for thumbnail gallery post. These are used on websites to display a large amount of images within a limited amount of space and bandwidth. Tgps allow a website to place a large number of small images on a page that can be expanded in a popup window. This conserves physical space on a page, and reduces download time, since the user can browse the thumbnails before selecting the images to view at full size. In a vast majority of cases online, especially on pornographic sites, tgps lead to popup attacks. In many cases, these images and links also don’t actually lead to where they suggest, frequently connecting to and from toplists and are often seen as automatically generated popups.

WINDOWS REGISTRY

The best way to describe the Windows Registry is to compare a computer to a body. The human body has many functions, including moving parts, but what ensures that everything keeps working? Basically, the central nervous system is the driving force. The brain produces a thought and the instruction is carried out based on a default set of values that have been programmed, such as hunger, movement and so on. The nerves issue the instruction and if everything goes well, the task gets completed.

In a computer, the Windows Registry is the central nervous system. It controls everything, but is also very susceptible to injury, just like the body. The difference is that if you injure your body, you usually know about it right away. In the computer, if you damage the Windows Registry, you may not become aware of it for days, weeks or even months.

The Windows Registry issues instructions to the computer almost from the moment it is turned on. Ever wondered how programs such as anti-virus start when you log on? An entry in the Registry, typically under one of the Run keys, told Windows to start them. When a user double-clicks an icon, how does the computer know which program to use to open the file? That too comes from the Registry, through its file-type associations. There is virtually no part of a computer untouched by the Registry, and many viruses, trojan programs and worms add or alter Registry entries, most often those same Run keys, so that the malicious program is launched automatically.

As an example of what a Windows Registry entry looks like, here is the value that controls which page is displayed when a user opens Internet Explorer. In the Registry Editor you navigate through a tree of keys, much as through folders in Windows Explorer, to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, where the values for Internet Explorer are listed. Exported from the Registry Editor, the value that controls the default home page looks like this:

“Start Page”=”http://www.xxxxxxxxxxx.com/” (where the xxxxxxxx is the name of the start page).
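A parser for Registry Editor exports, as an added example rather than anything from the original page. Regedit writes exports in the “[HKEY_…]” / “Name”=”value” form shown above; this parser handles string, dword and single-line hex values, enough to answer two questions an examiner asks of an export: what the Internet Explorer start page was set to, and what the Run keys launch at logon, the mechanism described above for anti-virus and for malware alike. The export text is constructed, the key paths are real, and the “suspicious” check is a simple heuristic of this example (an autostart command pointing into a user-writable folder), not a rule from the page.

```python
"""Parse a .reg export and pull out the start page and autostart entries (added example)."""
import re

# Constructed export. The svchost.exe under AppData is a made-up example of what
# an examiner would look at twice: the real one lives in System32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
"Search Page"="http://www.example.net/search"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdateHelper"="C:\\Users\\user\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVScanner"="\"C:\\Program Files\\AV\\scanner.exe\" /tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
@="default value here"
"Flags"=dword:00000001
"Blob"=hex:48,65,6c,6c,6f
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data  or  @=data
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    """Turn the right-hand side of a value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):                          # hex: or hex(N):, single line only
        return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip())
    return data


def parse_reg(text):
    """Return {key_path: {value_name: value}}; '' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            keys[current][name] = _decode(m.group(2))
    return keys


def start_page(keys):
    main = keys.get(r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", {})
    return main.get("Start Page")


def autostart_entries(keys):
    """Everything under a ...\CurrentVersion\Run key, as (key, name, command)."""
    return [(k, n, v) for k, vals in keys.items()
            if k.endswith(r"\CurrentVersion\Run") for n, v in vals.items()]


def suspicious_autostarts(keys):
    """Heuristic: autostart commands that point into user-writable folders."""
    return [e for e in autostart_entries(keys)
            if isinstance(e[2], str) and USER_WRITABLE.search(e[2])]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("start page:", start_page(parsed))
    for key, name, cmd in autostart_entries(parsed):
        print(key, name, cmd)
```

Exports are convenient because they are plain text, but they only contain what the user chose to export; an examiner normally works from the hive files themselves (NTUSER.DAT for the current-user branch, SOFTWARE for the machine branch) copied from a forensic image, since the live hives are locked while Windows runs.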