Abstract
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
| Original language | English (US) |
|---|---|
| Pages (from-to) | S26-S32 |
| Journal | Digital Investigation |
| Volume | 5 |
| Issue number | SUPPL. |
| DOIs | |
| State | Published - Sep 2008 |
Keywords
- Cached data
- Digital forensics
- Microsoft Windows
- Registry
- Volatile memory
ASJC Scopus subject areas
- Pathology and Forensic Medicine
- Information Systems
- Computer Science Applications
- Medical Laboratory Technology
- Law