DocumentCode
690443
Title
A Method on Extracting Registry Information from Windows CE Memory Images
Author
Shumian Yang ; Lianhai Wang ; Shuhui Zhang ; Jian Liu
Author_Institution
Shandong Comput. Sci. Center, Shandong Provincial Key Lab. of Comput. Network, Jinan, China
fYear
2013
fDate
14-15 Dec. 2013
Firstpage
728
Lastpage
732
Abstract
The Windows CE registry plays a very important role in physical memory forensics and contains a great deal of information of potential evidential value in forensic analysis. Memory acquisition and analysis are the most important tasks in Windows CE device forensics. The paper introduces physical memory acquisition and analysis methods in the Windows environment and the procedure for memory analysis on the different kernels of Windows CE devices. The algorithm for extracting registry information from physical memory is presented; it consists mainly of the following steps: determining the version of the operating system, locating the ROMHDR structure, the File structure and the Module structure, traversing lpszFileName until a file name with the suffix .rgu or .hv is found, and locating ulLoadOffset and nFileSize to obtain the entry address and the size of the registry file. The method is proved to be effective and reliable in extracting the registry file from physical memory on the Windows Mobile 6.5 operating system.
Keywords
database management systems; digital forensics; information retrieval; operating system kernels; ROMHDR structure location; Windows CE device; Windows CE memory images; Windows CE registry; Windows Mobile 6.5 operating system; file structure location; forensic analysis; kernels; lpszFileName traversal; module structure location; nFileSize location; operating system version; physical memory acquisition; physical memory analysis; registry information extraction; ulLoadOffset location; Computers; Data mining; Forensics; Kernel; Mobile communication; Mobile handsets; forensic analysis; physical memory; registry information extraction; Windows CE forensics; Windows CE kernel; Windows CE registry; Windows Mobile device forensics
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Sciences and Applications (CSA), 2013 International Conference on
Conference_Location
Wuhan
Type
conf
DOI
10.1109/CSA.2013.175
Filename
6835701