Jump to content
Nytro

Recovering deleted data from the Windows registry5

By Nytro, in Tutoriale in engleza

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Recovering deleted data from the Windows registry

Timothy D. Morgan

VSR Investigations, LLC, Boston, Massachusetts, United States

a b s t r a c t

The Windows registry serves as a primary storage location for system configurations and as

such provides a wealth of information to investigators. Numerous researchers have worked

to interpret the information stored in the registry from a digital forensic standpoint, but no

definitive resource is yet available which describes how Windows deletes registry data structures

under NT-based systems. This paper explores this topic and provides an algorithm for

recovering deleted keys, values, and other structures in the context of the registry as awhole.

ª 2008 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.

1. Introduction

The Windows registry stores a wide variety of information,

including core system configurations, user-specific configuration,

information on installed applications, and user credentials.

In addition, each registry key records a time stamp

when modified which can aid in event reconstruction. This

makes the Windows registry a critical resource for digital

forensic investigations conducted against the Windows platform,

as numerous researchers have shown.

Little information has been published by Microsoft related

to the specifics of how registry information is organized into

data structures on disk. Fortunately, various open source

projects have worked to understand and publish these

technical details in order to write software compatible with

Microsoft’s registry format. However, no public resource

was yet available describing what happens to registry data

when it is deleted under Windows NT-based systems, 1 let

alone how a forensic examiner might reliably recover this information

in the context of a registry hive. Here, we attempt

to shed light on questions related to the deletion of registry

data structures and suggest an algorithm for recovering this

information.

Download:

http://www.dfrws.org/2008/proceedings/p33-morgan.pdf

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...