Abstract:
Advances in technology are rapidly increasing the use of computing devices. With this growth in usage, and because of the popularity of Microsoft Windows, more than 80% of computer users work on the Windows operating system, which brings the Windows Registry into play as a repository holding the configuration of almost all applications. Following a Windows-based digital crime, data stored in the Windows Registry is important for collecting evidence in most digital forensic investigations. Registry evidence helps solve the puzzle of who, what, when and how in forensic analysis. Collecting the relevant artifacts from the Windows Registry corpus is a cumbersome task that requires a great deal of time and effort. In this research, a generalized methodology is introduced in the field of Windows Registry forensics to collect, with minimum contamination, the forensic artifacts produced when an application or activity is examined. The proposed methodology defines a simple way to perform Windows Registry forensics and will be helpful for researchers and forensic investigators working on Registry forensics. The resulting methodology was produced after executing and comparing different types of forensic tools.
The proposed methodology combines multiple forensic tools in a way that efficiently extracts and analyzes the artifacts. A filtration and validation process is part of the methodology and helps collect the most relevant and purified Windows Registry artifacts. Digital forensic researchers can use this methodology to perform research in the field of Windows Registry forensics efficiently, filtering out the most valuable registry values that reveal traces of the users' activities performed in a Windows-based environment. It will simplify digital investigations related to the Windows operating system.