digital forensics:

25. Windows registry contains a treasure trove of information that may be of interest in a forensics investigation. When you perform a forensics investigation on a disk image you should look at the registry files SAM, SECURITY ete. and the NTUser.DAT files for each user. Which of the following places should you also check for registry information? Hint - answering this question will require additional research. Note that %SystemRoot% is a Windows variable that holds the path to the directory that holds the Windows system files. This is typically C : Windows. \%SystemDrive\% is an environment variable that holds the drive letter specifying which drive holds the Windows system files. This is typically C : A. \%SystemRoot\%\Repair - this holds backup copies of registry files ereated anytime the system is updated. B. * \%SystemRoot\%ISystem32lconfiglRegBack (or \%SystemRoot\%IRepair for XP and older) - this holds registry data created when Windows (prior to version 1803 of Windows 10) runs a scheduled registry backup. C. \%SystemRoot\%\RegBack (or \%SystemRoot\%|Repair for XP and older) - this holds regisiry data created when Windows (prior to version 1803 of Windows 10) runs a scheduled registry backup. D. \%SystemDrive\% SNTRestore - this holds copies of registry files created by the Windows System Restore utility. E. \%SystemDrive\% SNTSysRestore - this holds copies of registry files created by the Windows System Restore utility. F. *SystemDrive\% System Volume Information - this holds copies of registry files created by the Windows System Restore utility