Abstract
The Microsoft Windows registry is an important resource in digital forensic investigations. It contains information about operating system configuration, installed software and user activity. Several researchers have focused on the forensic analysis of the Windows registry, but a robust method for associating past events with registry data values extracted from Windows restore points is not yet available. This paper proposes a novel algorithm for analyzing the most recently used (MRU) keys found in consecutive snapshots of the Windows registry. The algorithm compares two snapshots of the same MRU key and identifies data values within the key that have been updated in the period between the two snapshots. User activities associated with the newly updated data values can be assumed to have occurred during the period between the two snapshots.
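The snapshot comparison described in the abstract, as an added example that is not the paper's own algorithm or code. It assumes the two common MRU layouts (an XP-style `MRUList` string of slot letters, and a binary `MRUListEx` array of little-endian DWORDs terminated by `0xFFFFFFFF`), standard MRU update semantics (a used item moves or is inserted at the front, and an evicted slot name is reused for new data), and constructed sample snapshots; the inference rule is a reconstruction of the idea, not the paper's method.

```python
"""Temporal analysis of one MRU registry key from two consecutive snapshots.

Added example, not the paper's code. Model assumed here: an MRU key holds
slot values (named "a", "b", ... with an "MRUList" string on Windows XP-style
keys, or "0", "1", ... with a binary "MRUListEx" on newer keys) plus an
ordering value listing slots most-recently-used first. Using an item moves it
to the front, or inserts it at the front and evicts the oldest slot, whose
slot name is then reused for the new data.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class MRUSnapshot:
    slots: dict   # slot value name -> data (e.g. a document name)
    order: list   # slot value names, most recently used first


def parse_mrulist(slots, mrulist):
    """XP-style key: MRUList is a string of slot letters, most recent first."""
    return MRUSnapshot(dict(slots), list(mrulist))


def parse_mrulistex(slots, raw):
    """MRUListEx: little-endian DWORD slot indices terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:
            break
        order.append(str(idx))
    return MRUSnapshot(dict(slots), order)


def ordered_items(snap):
    """Data values of the key in MRU order (most recent first)."""
    return [snap.slots[name] for name in snap.order if name in snap.slots]


def updated_between(older, newer):
    """Items of `newer` that must have been used between the two snapshots.

    Items not used in the interval keep their relative order from `older`
    and all sit behind the used ones, so they form a suffix of `newer` whose
    positions in `older` increase. Everything ahead of the longest such
    suffix was created or re-used in the interval. Items inside that suffix
    may or may not have been used and are therefore not reported.
    """
    old_items = ordered_items(older)
    new_items = ordered_items(newer)
    old_pos = {item: i for i, item in enumerate(old_items)}
    cut = len(new_items)
    prev_pos = len(old_items)  # sentinel larger than any real position
    for i in range(len(new_items) - 1, -1, -1):
        pos = old_pos.get(new_items[i])
        if pos is None or pos >= prev_pos:
            break
        prev_pos = pos
        cut = i
    return new_items[:cut]


def changed_slot_names(older, newer):
    """Naive comparison for contrast: slots whose data differs between snapshots."""
    return sorted(n for n in newer.slots if older.slots.get(n) != newer.slots[n])


# Constructed sample: an XP-style key with three slots.
# Snapshot 1: report.docx most recent, then budget.xlsx, then notes.txt.
SNAP1 = parse_mrulist({"a": "report.docx", "b": "budget.xlsx", "c": "notes.txt"}, "abc")
# Snapshot 2: the user reopened notes.txt, then opened a new memo.docx, which
# evicted budget.xlsx and reused its slot "b".
SNAP2 = parse_mrulist({"a": "report.docx", "b": "memo.docx", "c": "notes.txt"}, "bca")

if __name__ == "__main__":
    # Slot-name comparison sees only slot "b"; the MRU-order analysis also
    # attributes the reopening of notes.txt to the interval.
    print("slots with changed data:", changed_slot_names(SNAP1, SNAP2))
    print("items used between snapshots:", updated_between(SNAP1, SNAP2))
```

Comparing slot names alone reports only the slot whose data was overwritten; walking the MRU order additionally attributes a re-used, unchanged value to the interval, which is the temporal association the abstract is after. The result is a lower bound: an item that was already at the front and used again leaves no trace in the ordering.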
Copyright information
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Zhu, Y., Gladyshev, P., James, J. (2009). Temporal Analysis of Windows MRU Registry Keys. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics V. DigitalForensics 2009. IFIP Advances in Information and Communication Technology, vol 306. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04155-6_6
DOI: https://doi.org/10.1007/978-3-642-04155-6_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04154-9
Online ISBN: 978-3-642-04155-6
eBook Packages: Computer Science (R0)