Research Paper – Recovering deleted data from the Windows registry

by Timothy D. Morgan

The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.

This paper can be downloaded below.

Editor’s note: This work was originally published by VSR in 2008 at the Digital Forensic Research Workshop (DFRWG 2008) and also posted to VSR is now a part of NCC Group, so we have migrated this content to