Research Paper – Recovering deleted data from the Windows registry

by Timothy D. Morgan

The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.

This paper can be downloaded below.
Editor’s note: This work was originally published by VSR in 2008 at the Digital Forensic Research Workshop (DFRWS 2008) and also posted to https://www.vsecurity.com/download/publications/p33-morgan.pdf. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com.
