Forensic analysis of the Windows registry in memory

Brendan Dolan-Gavitt

    Research output: Chapter in Book/Report/Conference proceedingConference contribution


    This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

    Original languageEnglish (US)
    Title of host publicationDFRWS 2008 Annual Conference
    StatePublished - 2008
    Event8th Annual Digital Forensic Research Workshop, DFRWS 2008 - Baltimore, MD, United States
    Duration: Aug 11 2008Aug 13 2008


    Other8th Annual Digital Forensic Research Workshop, DFRWS 2008
    Country/TerritoryUnited States
    CityBaltimore, MD


    • Cached data
    • Digital forensics
    • Microsoft Windows
    • Registry
    • Volatile memory

    ASJC Scopus subject areas

    • Information Systems


    Dive into the research topics of 'Forensic analysis of the Windows registry in memory'. Together they form a unique fingerprint.

    Cite this