Title :
Carving the Windows Registry Files Based on the Internal Structure
Author :
Tang, Zhenhua ; Ding, Hong ; Xu, Ming ; Xu, Jian
Author_Institution :
Sch. of Comput., HangZhou DianZi Univ., Hangzhou, China
Abstract :
The Windows registry stores a lot of system information which can be used as forensic evidence. Numerous researchers have worked to interpret the information stored in the registry, but no definitive resource is yet available which describes how to carve the registry files from the raw disk. In this paper, a carving algorithm for the registry files based on the registry file internal structure is described. The carving method can recover the Windows registry files, and the file directory metadata is not available, even if the registry files are fragmented between two HBIN blocks. The experiments demonstrate that our method is effective for carving the Windows registry files with more accuracy than other file carving techniques.
Keywords :
computer forensics; meta data; HBIN blocks; Windows registry files; carving algorithm; file directory metadata; forensic evidence; raw disk; Application software; Data structures; Databases; File systems; Forensics; Guidelines; Hardware; Information analysis; Information science; Operating systems;
Conference_Titel :
Information Science and Engineering (ICISE), 2009 1st International Conference on
Conference_Location :
Nanjing
Print_ISBN :
978-1-4244-4909-5
DOI :
10.1109/ICISE.2009.379
