Correlating Orphaned Windows Registry Data Structures
<p class="JDFSLParagraph">Recently, it has been shown that deleted entries of the Microsoft Windows registry (keys) may still reside in the system files once the entries have been deleted from the active database. Investigating the complete keys in context may be extremely important...
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Association of Digital Forensics, Security and Law
2009-06-01
|
| Series: | Journal of Digital Forensics, Security and Law |
| Online Access: | http://ojs.jdfsl.org/index.php/jdfsl/article/view/163 |
| _version_ | 1819090447477243904 |
|---|---|
| author | Damir Kahved Tahar Kechadi |
| author_facet | Damir Kahved Tahar Kechadi |
| author_sort | Damir Kahved |
| collection | DOAJ |
| description | <p class="JDFSLParagraph">Recently, it has been shown that deleted entries of the Microsoft Windows registry (keys) may still reside in the system files once the entries have been deleted from the active database. Investigating the complete keys in context may be extremely important from both a Forensic Investigation point of view and a legal point of view where a lack of context can bring doubt to an argument. In this paper we formalise the registry behaviour and show how a retrieved value may not maintain a relation to the part of the registry it belonged to and hence lose that context. We define registry orphans and elaborate on how they can be created inadvertently during software uninstallation and other system processes. We analyse the orphans and attempt to reconstruct them automatically. We adopt a data mining approach and introduce a set of attributes that can be applied by the forensic investigator to match values to their parents. The heuristics are encoded in a Decision Tree that can discriminate between keys and select those which most likely owned a particular orphan value.</p> |
| first_indexed | 2024-12-21T22:23:58Z |
| format | Article |
| id | doaj.art-805d7d13feef44e397e84649eba9ce07 |
| institution | Directory Open Access Journal |
| issn | 1558-7215 1558-7223 |
| language | English |
| last_indexed | 2024-12-21T22:23:58Z |
| publishDate | 2009-06-01 |
| publisher | Association of Digital Forensics, Security and Law |
| record_format | Article |
| series | Journal of Digital Forensics, Security and Law |
| spelling | doaj.art-805d7d13feef44e397e84649eba9ce072022-12-21T18:48:16ZengAssociation of Digital Forensics, Security and LawJournal of Digital Forensics, Security and Law1558-72151558-72232009-06-0142395686Correlating Orphaned Windows Registry Data StructuresDamir Kahved0Tahar Kechadi1Centre for Cyber Crime Investigation, University College Dublin, IrelandCentre for Cyber Crime Investigation, University College Dublin, Ireland<p class="JDFSLParagraph">Recently, it has been shown that deleted entries of the Microsoft Windows registry (keys) may still reside in the system files once the entries have been deleted from the active database. Investigating the complete keys in context may be extremely important from both a Forensic Investigation point of view and a legal point of view where a lack of context can bring doubt to an argument. In this paper we formalise the registry behaviour and show how a retrieved value may not maintain a relation to the part of the registry it belonged to and hence lose that context. We define registry orphans and elaborate on how they can be created inadvertently during software uninstallation and other system processes. We analyse the orphans and attempt to reconstruct them automatically. We adopt a data mining approach and introduce a set of attributes that can be applied by the forensic investigator to match values to their parents. The heuristics are encoded in a Decision Tree that can discriminate between keys and select those which most likely owned a particular orphan value.</p>http://ojs.jdfsl.org/index.php/jdfsl/article/view/163 |
| spellingShingle | Damir Kahved Tahar Kechadi Correlating Orphaned Windows Registry Data Structures Journal of Digital Forensics, Security and Law |
| title | Correlating Orphaned Windows Registry Data Structures |
| title_full | Correlating Orphaned Windows Registry Data Structures |
| title_fullStr | Correlating Orphaned Windows Registry Data Structures |
| title_full_unstemmed | Correlating Orphaned Windows Registry Data Structures |
| title_short | Correlating Orphaned Windows Registry Data Structures |
| title_sort | correlating orphaned windows registry data structures |
| url | http://ojs.jdfsl.org/index.php/jdfsl/article/view/163 |
| work_keys_str_mv | AT damirkahved correlatingorphanedwindowsregistrydatastructures AT taharkechadi correlatingorphanedwindowsregistrydatastructures |