Knowing the name of a computer that you are examining can be important for many reasons. In a situation where you may need to examine a computer that was removed from a network, it will help you verify that it is indeed the computer in question. Having the Computer Name is also used to correlate information found in Event Logs.
Also, for Law Enforcement you may have a situation where there is a high rate of laptop thefts in a particular area. Let us say a suspect is apprehended for a crime while in possession of a laptop in that area. He/she may claim that the laptop is theirs. Well, if they offer consent or you are granted a search warrant to examine the laptop, this could help build your case against the suspect. Is this the be all, end all to determine guilt? No, but you can use this information to possibly help challenge their alibi and poke holes in their story if the Computer Name is completely off.
First things first though. Using your favorite Registry Viewer determine the CurrentControlSet for the Windows machine you are examining. You can follow the instructions for doing that HERE. Once you have done that, proceed to SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName. You will see the following:
AccessData’s Registry Viewer:
Thanks to some help from Harlan Carvey (see Comments below), I have added the other Registry Keys of note to obtain a Computer Name from a Windows system.
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (Look for the value of Hostname):
SOFTWARE\Microsoft\SchedulingAgent (Look at the value of OldName):
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (value: Hostname)
SOFTWARE\Microsoft\SchedulingAgent (value: OldName)
Forensic Programs of Use
AccessData Registry Viewer- http://www.accessdata.com/downloads.html
MiTeC Windows Registry Analyzer- http://www.mitec.cz/Data/XML/data_downloads.xml