Recovering Deleted Data From the Windows Registry
by Timothy D. Morgan


Abstract

The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.

The recovery algorithm described in this paper is implemented in RegLookup. Additional details on the inner workings of the registry format can be found here.


Full paper (DFRWS print version) (355 kilobytes)
(Contrary to claims by Elsevier, this paper is Copyright (C) 2008 Timothy D. Morgan.)

DFRWS Presentation Slides (196 kilobytes)

The paper and presentation above are distributed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License.


Content on this page, unless otherwise indicated, is © 2002-2010 Sentinel Chicken Networks.
Reproduction is authorized under our terms.