| Article ID | Journal | Published Year | Pages | File Type | 
|---|---|---|---|---|
| 456538 | Digital Investigation | 2008 | 9 Pages | 
Abstract
The Windows registry serves as a primary storage location for system configurations and as such provides a wealth of information to investigators. Numerous researchers have worked to interpret the information stored in the registry from a digital forensic standpoint, but no definitive resource is yet available which describes how Windows deletes registry data structures under NT-based systems. This paper explores this topic and provides an algorithm for recovering deleted keys, values, and other structures in the context of the registry as a whole.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
Timothy D. Morgan