Forensic Analysis of the Windows 7 Registry

The recovery of digital evidence of crimes from storage media is an increasingly time consuming process as the capacity of the storage media is in a state of constant growth. It is also a difficult and complex task for the forensic investigator to analyse all of the locations in the storage media. These two factors, when combined, may result in a delay in bringing a case to court. The concept of this paper is to start the initial forensic analysis of the storage media in locations that are most likely to contain digital evidence, the Windows Registry. Consequently, the forensic analysis process and the recovery of digital evidence may take less time than would otherwise be required. In this paper, the Registry structure of Windows 7 is discussed together with several elements of information within the Registry of Windows 7 that may be valuable to a forensic investigator. These elements were categorized into five groups which are system, application, networks, attached devices and the history lists. We have discussed the values of identified elements to a forensic investigator. Also, a tool was implemented to perform the function of extracting these elements and presents them in usable form to a forensics investigator

Forensic Analysis of the Windows 7 Registry

The recovery of digital evidence of crimes from storage media is an increasingly time consuming process as the capacity of the storage media is in a state of constant growth. It is also a difficult and complex task for the forensic investigator to analyse all of the locations in the storage media. These two factors, when combined, may result in a delay in bringing a case to court. The concept of this paper is to start the initial forensic analysis of the storage media in locations that are most likely to contain digital evidence, the Windows Registry. Consequently, the forensic analysis process and the recovery of digital evidence may take less time than would otherwise be required. In this paper, the Registry structure of Windows 7 is discussed together with several elements of information within the Registry of Windows 7 that may be valuable to a forensic investigator. These elements were categorized into five groups which are system, application, networks, attached devices and the history lists. We have discussed the values of identified elements to a forensic investigator. Also, a tool was implemented to perform the function of extracting these elements and presents them in usable form to a forensics investigator

Analysis of Windows 8 Registry Artifacts

Microsoft’s series of Windows operating systems represents some of the most commonly encountered technologies in the field of digital forensics. It is then fair to say that Microsoft’s design decisions greatly affect forensic efforts. Because of this, it is exceptionally important for the forensics community to keep abreast of new developments in the Windows product line. With each new release, the Windows operating system may present investigators with significant new artifacts to explore. Described by some as the heart of the Windows operating system, the Windows registry has been proven to contain many of these forensically interesting artifacts. Given the weight of Microsoft’s influence on digital forensics and the role of the registry within Windows operating systems, this thesis delves into the Windows 8 registry in the hopes of developing new Windows forensics utilities

Identifying Trace Evidence from Target-Specific Data Wiping Application Software

One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected activities. We conducted a series of experiments that involved executing each application on systems with identical data, and we then analyzed the results and compared the before and after images for each application. We identified information for each application that is beneficial to forensics examiners when faced with similar situations. This paper describes our application selection process, our application evaluation methodology, and our findings, including the variability of the effects of these tools. Following this, we describe limitations of this study and suggest areas of additional research that will benefit the study of digital forensics. --from articl

Identifying Trace Evidence from Target-Specific Data Wiping Application Software

One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected activities. We conducted a series of experiments that involved executing each application on systems with identical data, and we then analyzed the results and compared the before and after images for each application. We identified information for each application that is beneficial to forensics examiners when faced with similar situations. This paper describes our application selection process, our application evaluation methodology, and our findings, including the variability of the effects of these tools. Following this, we describe limitations of this study and suggest areas of additional research that will benefit the study of digital forensics

Identifying Trace Evidence from Target-Specific Data Wiping Application Software

One area of particular concern for computer forensics examiners involves situations in which someone utilized software applications to destroy evidence. There are products available in the marketplace that are relatively inexpensive and advertised as being able to destroy targeted portions of data stored within a computer system. This study was undertaken to analyze a subset of these tools in order to identify trace evidence, if any, left behind on disk media after executing these applications. We evaluated five Windows 7 compatible software products whose advertised features include the ability for users to wipe targeted files, folders, or evidence of selected activities. We conducted a series of experiments that involved executing each application on systems with identical data, and we then analyzed the results and compared the before and after images for each application. We identified information for each application that is beneficial to forensics examiners when faced with similar situations. This paper describes our application selection process, our application evaluation methodology, and our findings, including the variability of the effects of these tools. Following this, we describe limitations of this study and suggest areas of additional research that will benefit the study of digital forensics. --from articl

Visualizing thumb drive information

Thumb drive is one of portable memory storage that widely used by people. It is popularly used because of the size. It is small in physical size, hence it easy to bring anywhere. Beside the usage of thumb drive bring benefits to the computer user, it also may be used to do crime or as a medium to do the crimes such as used to steal private and confidential data and spread the virus in targeted computer. Luckily, Windows operating system stores all the information of the thumb drive that had been connected to the machine. The information is stored in Windows Registry. Windows Registry in a Windows operating system act as a database of a machine that stores all the system configuration, hardware and software used in that computer, users of the computer, and information regarding the current user of the computer. Thus, the digital crime investigator and security analyst may identify the thumb drive that use to do the crime based on information available in the Windows Registry. This research examined on the type of thumb drive information stored in Windows Registry. A visualization technique was proposed which helps the investigator to search thumb drive information directly from Windows Explorer without using the Registry Editor tool to search the information. It may help them to cut the time of searching the information. Then, the user satisfaction on using the technique was measured by conducting a testing and evaluation session. Two security analysts were appointed to testing and evaluate the user’s satisfaction by answering questionnaire at the end of the session. The collected data from the technique and evaluation phase are then analyzed. As the result, the respondents satisfied with the technique by giving average score 3.9 for format element, 4.5 for ease of use, and 4.75 out of 5 marks for both timeliness and satisfaction with the proposed technique speed