Forensic analysis of the Windows registry in memory

DFRWS 2008 Annual Conference

Volumn 5, Issue , 2008, Pages

  Dolan Gavitt, Brendan ^a  

^a MITRE CORPORATION   (United States)

Author keywords

Cached data; Digital forensics; Microsoft Windows; Registry; Volatile memory

Indexed keywords

DIGITAL FORENSICS; DIGITAL STORAGE; ELECTRONIC CRIME COUNTERMEASURES; TREES (MATHEMATICS);

ANALYSIS TECHNIQUES; CACHED DATA; FORENSIC ANALYSIS; MICROSOFT WINDOWS; REGISTRY; TOOLS AND TECHNIQUES; VOLATILE MEMORY; WINDOWS REGISTRY;

COMPUTER FORENSICS;

EID: 77955345007     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (27)

1. ReactOS, 〈http://www.reactos.org/en/index.html〉.
2. Anand G. Internal structures of the Windows registry. 〈http://blogs.technet.com/ganand/archive/2008/01/05/internalstructures-of- the-windows-registry.aspx〉, 2008.
3. Carvey H. The Windows registry as a forensic resource. Digital Investigation 2005a;2(3):201-5. (Pubitemid 41261446)
4. Carvey H. Registry mining. 〈http://windowsir.blogspot.com/2005/01/ registry-mining.html〉, 2005b.
5. Carvey H. Windows forensic analysis. Norwell, MA, US: Syngress, ISBN 159749156X; 2007.
6. DFRWS. The DFRWS 2005 forensic challenge. 〈http://www.dfrws.org/ 2005/challenge/index.html〉, 2005.
7. Dolan-Gavitt B. The VAD tree: a process-eye view of physical memory. Digital Investigation, http://dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf, September 2007;4:62-4. (Pubitemid 47081448)
8. Dolan-Gavitt B. Cell index translation.〈http://moyix.blogspot.com/ 2008/02/cell-index-translation.html〉, 2008a.
9. Dolan-Gavitt B. Enumerating registry hives. 〈http://moyix.blogspot. com/2008/02/enumerating-registry-hives.html〉, 2008b.
10. Dolan-Gavitt B. Reading open keys. 〈http://moyix.blogspot.com/2008/ 02/reading-open-keys.html〉, 2008c.
11. Dolan-Gavitt B. SysKey and the SAM. 〈http://moyix.blogspot.com/2008/ 02/syskey-and-sam.html〉, 2008d.
12. F-Secure. F-Secure virus descriptions: slammer. 〈http://www.f- secure.com/v-descs/mssqlm.shtml〉, 2003.
13. Farmer DJ. A forensic analysis of the Windows registry. 〈http://eptuners.com/forensics/Index.htm〉, 2007.
14. Kent K, Chevalier S, Grance T, Dang H. NIST special publication 800-86: guide to integrating forensic techniques into incident response. 2006.
15. Macfarlane J. Parse:Win32Registry. 〈http://search.cpan.org/ jmacfarla/Parse-Win32Registry-0.30/〉.
16. Metasploit. Metasploit framework user guide. 〈http://www.metasploit. com/documents/users-guide.pdf〉, 2008.
17. Microsoft Corporation. Windows registry information for advanced users. 〈http://support.microsoft.com/kb/256986〉, 2008.
18. National Institute of Standards and Technology (NIST). The CFReDS project. 〈http://www.cfreds.nist.gov/〉.
19. Petroni Jr NL, Fraser T, Walters A, Arbaugh WA. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In: USENIXSS' 06: Proceedings of the 15th Conference on USENIX Security Symposium. Berkeley, CA, USA: USENIX Association; 2006. p. 20.
20. Russinovich ME, Solomon DA. Microsoft Windows internals, Fourth edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (pro-developer). Redmond, WA, USA: Microsoft Press, ISBN 0735619174; 2004.
21. Samba. Regfio library. 〈http://viewcvs.samba.org/cgi-bin/viewcvs. cgi/branches/SAMBA-4-0/source/lib/registry/〉.
22. Schuster A. Searching for processes and threads in Microsoft Windows memory dumps. In: Proceedings of the sixth Annual Digital Forensic Research Workshop (DFRWS 2006). 〈http://www.dfrws.org/2006/proceedings/2-Schuster. pdf〉, 2006.
23. Schuster A. PoolTools version 1.3.0. 〈http://computer.forensikblog. de/en/2007/11/pooltools-1-3-0.html〉, 2007.
24. Stevens D. UserAssist. 〈http://blog.didierstevens.com/programs/ userassist/〉, 2006.
25. Walters A. FATKit: detecting malicious library injection and upping the "anti", Technical report. 4TφResearch Laboratories; July 2006.
26. Walters A. The Volatility framework: volatile memory artifact extraction utility framework. 〈https://www.volatilesystems.com/default/ volatility〉, 2007.
27. Walters A, Petroni NL, Jr., Volatools: integrating volatile memory forensics into the digital investigation process. In: Black Hat DC; 2007.