Forensic Analysis of Unallocated Space in Windows Registry Hive Files
by Jolanta Thomassen
The following paper is being mirrored with permission of the author, who retains copyright.
Abstract
The Windows registry is an excellent source of information for computer forensic purposes. The
registry stores its data physically on disk in several hive files. Just like a file system, registry hive
files contain used and free clusters of data. So far, the focus in Windows registry forensics has
been on active keys and values that can be viewed with Windows registry editors. It has been an
open question whether deleted or updated keys can be recovered from registry hive files in the same
way that deleted files can be recovered from a file system.
This project studies the physical structure of the binary registry hive files and shows that previously
deleted or updated keys and their values do remain in the unallocated space until
they are overwritten. The project proposes an algorithm for computing the unallocated
space in registry hives, as well as methods for recovering deleted keys that remain in the unallocated
space.
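The abstract describes hive files as a set of used and free cells, with deleted keys surviving in the free ones. The following Python script is an added illustration of that idea and is not the paper's own algorithm or code: it builds a small, constructed hive image in memory (a "regf" base block followed by one "hbin" bin), walks the cells using the documented regf convention that a cell's leading 32-bit size is negative when allocated and positive when free, sums the free space, and lists "nk" key records found in free cells. The key and value names, the cell layout and the helper names (_nk_payload, _add_cell, build_sample_hive, walk_cells, unallocated_bytes, recover_deleted_keys) are all assumptions made for this example.

```python
import struct

BASE_BLOCK_SIZE = 0x1000   # the "regf" header occupies the first 4 KiB of a hive
HBIN_HEADER_SIZE = 0x20    # cells start 32 bytes into each "hbin"


def _nk_payload(name: str) -> bytes:
    """Build a minimal 'nk' (key node) record body for the constructed sample.
    Only the fields the scanner reads are filled: 0x00 signature, 0x02 flags,
    0x48 name length, 0x4C name (standard regf nk offsets)."""
    body = bytearray(0x4C + len(name))
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 0x02, 0x20)          # KEY_COMP_NAME flag: ASCII name
    struct.pack_into("<H", body, 0x48, len(name))
    body[0x4C:] = name.encode("ascii")
    return bytes(body)


def _add_cell(hbin: bytearray, pos: int, payload: bytes, allocated: bool) -> int:
    """Write one cell at pos: signed 32-bit size (negative = allocated,
    positive = free), rounded up to an 8-byte multiple. Returns the next pos."""
    size = (4 + len(payload) + 7) & ~7
    struct.pack_into("<i", hbin, pos, -size if allocated else size)
    hbin[pos + 4:pos + 4 + len(payload)] = payload
    return pos + size


def build_sample_hive() -> bytes:
    """Constructed sample hive (not a real one): base block plus one 4 KiB bin
    holding an allocated key, a deleted key whose bytes were never overwritten,
    a small allocated cell, and the free remainder of the bin."""
    base = bytearray(BASE_BLOCK_SIZE)
    base[0:4] = b"regf"
    struct.pack_into("<I", base, 0x28, 0x1000)        # hive bins data size
    hbin = bytearray(0x1000)
    hbin[0:4] = b"hbin"
    struct.pack_into("<I", hbin, 0x04, 0)             # offset of this bin from the first bin
    struct.pack_into("<I", hbin, 0x08, 0x1000)        # size of this bin
    pos = HBIN_HEADER_SIZE
    pos = _add_cell(hbin, pos, _nk_payload("Software"), allocated=True)
    pos = _add_cell(hbin, pos, _nk_payload("DeletedKey"), allocated=False)
    pos = _add_cell(hbin, pos, b"vk" + bytes(18), allocated=True)
    struct.pack_into("<i", hbin, pos, len(hbin) - pos)  # one free cell to the end of the bin
    return bytes(base + hbin)


def walk_cells(hive: bytes):
    """Yield (absolute_offset, cell_size, is_free) for every cell in every bin."""
    off = BASE_BLOCK_SIZE
    while off + HBIN_HEADER_SIZE <= len(hive) and hive[off:off + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, off + 0x08)[0]
        end = off + hbin_size
        pos = off + HBIN_HEADER_SIZE
        while pos + 4 <= end:
            size = struct.unpack_from("<i", hive, pos)[0]
            if size == 0 or pos + abs(size) > end:
                break                                  # zero or out-of-bin size: stop this bin
            yield pos, abs(size), size > 0
            pos += abs(size)
        off = end


def unallocated_bytes(hive: bytes) -> int:
    """Total size of free cells: the hive's unallocated space."""
    return sum(size for _, size, free in walk_cells(hive) if free)


def recover_deleted_keys(hive: bytes) -> list:
    """Names of key nodes whose cells are free (deleted or updated, not yet overwritten)."""
    names = []
    for pos, size, free in walk_cells(hive):
        data = pos + 4
        if not free or hive[data:data + 2] != b"nk" or size < 4 + 0x4C:
            continue
        flags, = struct.unpack_from("<H", hive, data + 0x02)
        name_len, = struct.unpack_from("<H", hive, data + 0x48)
        raw = hive[data + 0x4C:data + 0x4C + name_len]
        names.append(raw.decode("ascii" if flags & 0x20 else "utf-16-le", errors="replace"))
    return names


if __name__ == "__main__":
    hive = build_sample_hive()
    print("unallocated bytes:", unallocated_bytes(hive))
    print("recoverable deleted keys:", recover_deleted_keys(hive))
```

On a real hive the same walk applies to every bin in turn; free cells that once held a key keep their "nk" signature and name until the space is reused, which is what makes the recovery the abstract describes possible. A deleted key found this way should be treated as a candidate only: its parent, subkey and value offsets may point at cells that have already been reallocated, so each linked cell needs the same allocated/free check before it is trusted.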
Download: Final Version (1.6 megabytes)