by Timothy D. Morgan
The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.
This paper can be downloaded below.
Editor’s note: This work was originally published by VSR in 2008 at the Digital Forensic Research Workshop (DFRWG 2008) and also posted to https://www.vsecurity.com/download/publications/p33-morgan.pdf. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com.