Forensic Analysis of the Windows 7 Registry

Authors

Khawla Abdulla Alghafli, Khalifa University of Science, Technology and ResearchFollow
Andrew Jones, Khalifa University of Science, Technology and ResearchFollow
Thomas Anthony Martin, Khalifa University of Science, Technology and ResearchFollow

Document Type

Conference Proceeding

Publisher

School of Computer and Information Science, Edith Cowan University, Perth, Western Australia

Abstract

The recovery of digital evidence of crimes from storage media is an increasingly time consuming process as the capacity of the storage media is in a state of constant growth. It is also a difficult and complex task for the forensic investigator to analyse all of the locations in the storage media. These two factors, when combined, may result in a delay in bringing a case to court. The concept of this paper is to start the initial forensic analysis of the storage media in locations that are most likely to contain digital evidence, the Windows Registry. Consequently, the forensic analysis process and the recovery of digital evidence may take less time than would otherwise be required. In this paper, the Registry structure of Windows 7 is discussed together with several elements of information within the Registry of Windows 7 that may be valuable to a forensic investigator. These elements were categorized into five groups which are system, application, networks, attached devices and the history lists. We have discussed the values of identified elements to a forensic investigator. Also, a tool was implemented to perform the function of extracting these elements and presents them in usable form to a forensics investigator.

Comments

8th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, November 30th 2010

DOI

10.4225/75/57b28e3440cd5