• DocumentCode
    2232057
  • Title

    Carving the Windows Registry Files Based on the Internal Structure

  • Author

    Tang, Zhenhua ; Ding, Hong ; Xu, Ming ; Xu, Jian

  • Author_Institution
    Sch. of Comput., HangZhou DianZi Univ., Hangzhou, China
  • fYear
    2009
  • fDate
    26-28 Dec. 2009
  • Firstpage
    4788
  • Lastpage
    4791
  • Abstract
    The Windows registry stores a lot of system information which can be used as forensic evidence. Numerous researchers have worked to interpret the information stored in the registry, but no definitive resource is yet available which describes how to carve the registry files from the raw disk. In this paper, a carving algorithm for the registry files based on the registry file internal structure is described. The carving method can recover the Windows registry files, and the file directory metadata is not available, even if the registry files are fragmented between two HBIN blocks. The experiments demonstrate that our method is effective for carving the Windows registry files with more accuracy than other file carving techniques.
  • Keywords
    computer forensics; meta data; HBIN blocks; Windows registry files; carving algorithm; file directory metadata; forensic evidence; raw disk; Application software; Data structures; Databases; File systems; Forensics; Guidelines; Hardware; Information analysis; Information science; Operating systems;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Science and Engineering (ICISE), 2009 1st International Conference on
  • Conference_Location
    Nanjing
  • Print_ISBN
    978-1-4244-4909-5
  • Type

    conf

  • DOI
    10.1109/ICISE.2009.379
  • Filename
    5455505
    • Link To Document
    https://search.isc.ac/dl/search/defaultta.aspx?DTC=49&DC=2232057