XML Conversion of the Windows Registry for Forensic Processing and Distribution
نویسنده
چکیده
The Windows Registry often contains key data that help determine the activities performed on a computer. While some forensic tools format Registry data for common questions that are required to be answered in digital investigations, their output is geared for standalone use, not for indexable content. This paper describes RegXML, an XML syntax designed to represent Windows Registry hive files. RegXML captures the logical structure of a hive and notes the locations of found data within hive files. The paper also describes a Python library designed to be used with RegXML and the results obtained upon applying the library to analyze two forensic corpora. Experimental results are presented based on hundreds of disk images, thousands of hive files and tens of millions of Registry cells.
منابع مشابه
Digital forensics XML and the DFXML toolset
Digital Forensics XML (DFXML) is an XML language that enables the exchange of structured forensic information. DFXML can represent the provenance of data subject to forensic investigation, document the presence and location of file systems, files, Microsoft Windows Registry entries, JPEG EXIFs, and other technical information of interest to the forensic analyst. DFXML can also document the spec...
متن کاملForensic Analysis of Windows Registry against Intrusion
Windows Registry forensics is an important branch of computer and network forensics. Windows Registry is often considered as the heart of Windows Operating Systems because it contains all of the configuration setting of specific users, groups, hardware, software, and networks. Therefore, Windows Registry can be viewed as a gold mine of forensic evidences which could be used in courts. This pape...
متن کاملSuspects’ data hiding at remaining registry values of uninstalled programs1
Windows registry, a central repository for configuration data, should be investigated for obtaining forensic evidences, since it contains lots of information that are of potential evidential value. Using some forensic tools, forensic examiners can investigate values of windows registry and get information can be forensic evidences. However, since windows registry contains huge amount of values ...
متن کاملWindows Registry Forensics: An Imperative Step in Tracking Data Theft via USB Devices
Owing to the increasing pace of occurrence of crimes in digital world, cyber forensic investigation is becoming a burning topic in the field of information security. Registry is an important location in Windows system that contains footprints of user activities and other configuration data, which may be valuable for forensic investigators in collecting potential evidences from the system. This ...
متن کاملA Forensic Analysis of the Windows Registry
This paper will introduce the Microsoft Windows Registry database and explain how critically important a registry examination is to computer forensics experts. In essence, the paper will discuss various types of Registry footprints and delve into examples of what crucial information can be obtained by performing an efficient and effective forensic examination. Many of the Registry keys that a...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2012