Forensic Analysis of Unallocated Space in Windows Registry Hive Files
by Jolanta Thomassen
The following paper is being mirrored with permission of the author, who retains copyright.


Abstract

Windows registry is an excellent source of information for computer forensic purposes. The registry stores data physically on a disk in several hive files. Just like a file system, registry hive files contain used and free clusters of data. So far, the focus in Windows registry forensics has been on active keys and values that can be viewed with Windows registry editors. It has been a mystery, whether deleted or updated keys can be recovered from registry hive files, in a similar way that deleted files can be recovered from a file system.

This project studies the physical structure of the binary registry hive files and shows that previously deleted or updated keys and their values indeed remain in the unallocated space until they become overwritten. The project proposes an algorithm for computing of unallocated space in registry hives as well as methods for recovery of deleted keys remaining in the unallocated space.


Download: Final Version (1.6 megabytes)






Content on this page, unless otherwise indicated, is © 2002-2010 Sentinel Chicken Networks.
Reproduction is authorized under our terms.