Forensic analysis of the Windows registry in memory

Brendan Dolan-Gavitt

doi:10.1016/j.diin.2008.05.003

Forensic analysis of the Windows registry in memory

Brendan Dolan-Gavitt

Research output: Contribution to journal › Article

Abstract

This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

Original language	English (US)
Pages (from-to)	S26-S32
Journal	Digital Investigation
Volume	5
Issue number	SUPPL.
DOIs	https://doi.org/10.1016/j.diin.2008.05.003
State	Published - Sep 2008

Keywords

Cached data
Digital forensics
Microsoft Windows
Registry
Volatile memory

ASJC Scopus subject areas

Pathology and Forensic Medicine
Information Systems
Computer Science Applications
Medical Laboratory Technology
Law

Access to Document

10.1016/j.diin.2008.05.003

Fingerprint Dive into the research topics of 'Forensic analysis of the Windows registry in memory'. Together they form a unique fingerprint.

Cite this

Dolan-Gavitt, B. (2008). Forensic analysis of the Windows registry in memory. Digital Investigation, 5(SUPPL.), S26-S32. https://doi.org/10.1016/j.diin.2008.05.003

@article{05d34104627041df9fd73a911f1f52f2,

title = "Forensic analysis of the Windows registry in memory",

abstract = "This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.",

keywords = "Cached data, Digital forensics, Microsoft Windows, Registry, Volatile memory",

author = "Brendan Dolan-Gavitt",

year = "2008",

month = sep,

doi = "10.1016/j.diin.2008.05.003",

language = "English (US)",

volume = "5",

pages = "S26--S32",

journal = "Digital Investigation",

issn = "1742-2876",

publisher = "Elsevier Limited",

number = "SUPPL.",

}

TY - JOUR

T1 - Forensic analysis of the Windows registry in memory

AU - Dolan-Gavitt, Brendan

PY - 2008/9

Y1 - 2008/9

N2 - This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

AB - This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

KW - Cached data

KW - Digital forensics

KW - Microsoft Windows

KW - Registry

KW - Volatile memory

UR - http://www.scopus.com/inward/record.url?scp=48749098660&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=48749098660&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2008.05.003

DO - 10.1016/j.diin.2008.05.003

M3 - Article

AN - SCOPUS:48749098660

VL - 5

SP - S26-S32

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

IS - SUPPL.

ER -