Computer Name, Timezone & Current Control Set

Computer Name

Having the computer name confirms that the image in front of you came from the machine you were expecting. It is not a 100% guarantee, but if the name is different then something is definitely wrong and needs to be checked before you spend hours working through a forensic image.

The ComputerName value is located at:

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

This path is the same for all versions of Windows from XP through 8.1. The sibling key ActiveComputerName holds the name that was in effect at the last boot; the two differ if the machine was renamed and not yet rebooted, which is worth a line in your notes.

Timezone

The Timezone information will be critically important for the timeline you build around this case. Some timestamps are stored or displayed in local time rather than UTC; knowing the offset not only lets you correct those times but also helps identify, for future reference, which tools do not use UTC. The Bias and ActiveTimeBias values under this key are the number of minutes to add to local time to reach UTC, so a machine set to UTC-5 stores a Bias of 300, and ActiveTimeBias includes any daylight-saving adjustment that was in effect.

The Timezone information is located at:

SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Control Set

Those of you with a keen eye will have noticed that both of those paths contain 'CurrentControlSet', which is a symbolic link that only exists on a live system. In an offline hive taken from an image you will instead see 'ControlSet00n' (where n is the number of the control set, usually 1 or 2). It is possible to have more than two control sets, so do not panic if there are several.

The Control set information is located at:

SYSTEM\Select

Under the 'Current' value (a REG_DWORD) you will see a hex number; that number is the n of the control set you need to be looking at, so Current = 0x1 means ControlSet001. The same key also records Default, Failed and LastKnownGood, which tell you which control set the machine would boot by default and which one last booted successfully.
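The three steps above (resolve Select\Current to ControlSet00n, then read ComputerName and TimeZoneInformation from that control set) can be done in one pass against an offline hive. The script below is an added example and is not code from the original post. It assumes an elevated PowerShell on a Windows analysis box, a SYSTEM hive copied out of the image (with its transaction logs already replayed, if it was a dirty hive) whose path is passed as -HivePath, and an arbitrary mount name of OffSys; the output field names are my own.

```powershell
<#
 Added example, not code from the original post: mount a SYSTEM hive copied out of an
 image, resolve Select\Current to ControlSet00n, and pull ComputerName and
 TimeZoneInformation from that control set.
 Assumptions: runs in an elevated PowerShell on a Windows analysis box; $HivePath is the
 extracted SYSTEM hive (transaction logs already replayed if the hive was dirty);
 the mount name 'OffSys' is arbitrary.
#>
param(
    [Parameter(Mandatory = $true)][string]$HivePath,
    [string]$MountName = 'OffSys'
)

# reg.exe load attaches the offline hive under HKLM; it needs elevation and the file
# must not be open anywhere else.
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $HivePath" }

try {
    $base = "HKLM:\$MountName"

    # Select\Current is a REG_DWORD whose value is the n in ControlSet00n.
    # Default, Failed and LastKnownGood sit beside it and belong in the notes.
    $select = Get-ItemProperty -Path "$base\Select"
    $cs = 'ControlSet{0:D3}' -f [int]$select.Current
    if (-not (Test-Path "$base\$cs")) {
        throw "Select\Current points at $cs, which is not present in the hive"
    }

    # Enumerate every control set present; more than two is unusual but not wrong.
    $present = Get-ChildItem -Path $base |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object { $_.PSChildName }

    # ComputerName is the configured name; ActiveComputerName (sibling key) is the name
    # that was in effect at the last boot. They differ after a rename without a reboot.
    $nameKey = "$base\$cs\Control\ComputerName"
    $computerName = (Get-ItemProperty "$nameKey\ComputerName").ComputerName
    $activeName   = (Get-ItemProperty "$nameKey\ActiveComputerName" -ErrorAction SilentlyContinue).ComputerName

    # Bias and ActiveTimeBias are minutes to ADD to local time to reach UTC, so UTC-5
    # is stored as 300 and UTC+1 as -60 (PowerShell returns the DWORD as a signed Int32).
    # ActiveTimeBias includes daylight saving if it was in effect when the hive was written.
    $tz = Get-ItemProperty "$base\$cs\Control\TimeZoneInformation"
    $utcOffsetHours = -([int]$tz.ActiveTimeBias) / 60

    [pscustomobject]@{
        ControlSetInUse    = $cs
        ControlSetsPresent = ($present -join ', ')
        LastKnownGood      = 'ControlSet{0:D3}' -f [int]$select.LastKnownGood
        Failed             = [int]$select.Failed
        ComputerName       = $computerName
        ActiveComputerName = $activeName
        TimeZoneKeyName    = $tz.TimeZoneKeyName   # REG_SZ on Vista and later; absent on XP
        StandardName       = $tz.StandardName      # may be an MUI reference such as '@tzres.dll,-112'
        BiasMinutes        = [int]$tz.Bias
        ActiveBiasMinutes  = [int]$tz.ActiveTimeBias
        UtcOffsetHours     = $utcOffsetHours
    }
}
finally {
    # Release PowerShell's handles on the mounted keys first, otherwise reg.exe unload
    # reports access denied and the hive stays mounted under HKLM.
    [System.GC]::Collect()
    [System.GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it as `.\Get-OfflineSystemInfo.ps1 -HivePath E:\extracted\SYSTEM` (the script name is arbitrary). If ComputerName and ActiveComputerName disagree, or ControlSetsPresent lists more sets than Select accounts for, note it before building the timeline; those are exactly the inconsistencies the post says to chase down first.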
