Comprehensive Forensic Data Extraction and Representation System for Windows Registry

Abstract

Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. When considering computer forensics, registry forensics plays a vital role because it helps identifying system configurations, application details, user configurations and helps in finding registry malware. Therefore, it is significant to extract this registry information to simplify the investigations for forensic professionals. At present, tools are limited to few commonly used registry information and there is a much border area to cover. Investigators have to manually search for the registries for required artifacts. But the nature and complexity of the registry file structure limits most of the investigators using these registries. Limiting this registry analysis only to the physical registry files and not considering the ability of extraction of registry information from Volatile Memory is another significant issue in registry forensics. Because these tools are only rely on the physical registry files and cannot extract registry artifacts from Volatile Memory. In order to cater to this problem, this research provide a comprehensive solution to registry analysis. This system is capable of extracting registry information from both physical registry files and Volatile Memory.