Forensic analysis of the Windows registry in memory

Brendan Dolan-Gavitt

    Research output: Contribution to journal › Article

    Abstract

    This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.

    Original language: English (US)
    Journal: Digital Investigation
    Volume: 5
    Issue number: SUPPL.
    DOIs: 10.1016/j.diin.2008.05.003
    State: Published - Sep 2008

    Fingerprint

    Registries
    Data storage equipment
    Research Personnel
    Guidelines
    Values

    Keywords

    • Cached data
    • Digital forensics
    • Microsoft Windows
    • Registry
    • Volatile memory

    ASJC Scopus subject areas

    • Computer Science (miscellaneous)
    • Engineering (miscellaneous)
    • Law

    Cite this

    Forensic analysis of the Windows registry in memory. / Dolan-Gavitt, Brendan.

    In: Digital Investigation, Vol. 5, No. SUPPL., 09.2008.
    Dolan-Gavitt, Brendan. / Forensic analysis of the Windows registry in memory. In: Digital Investigation. 2008 ; Vol. 5, No. SUPPL.
    @article{05d34104627041df9fd73a911f1f52f2,
    title = "Forensic analysis of the Windows registry in memory",
    abstract = "This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.",
    keywords = "Cached data, Digital forensics, Microsoft Windows, Registry, Volatile memory",
    author = "Brendan Dolan-Gavitt",
    year = "2008",
    month = "9",
    doi = "10.1016/j.diin.2008.05.003",
    language = "English (US)",
    volume = "5",
    journal = "Digital Investigation",
    issn = "1742-2876",
    publisher = "Elsevier Limited",
    number = "SUPPL.",
    }

    TY  - JOUR
    T1  - Forensic analysis of the Windows registry in memory
    AU  - Dolan-Gavitt, Brendan
    PY  - 2008/9
    Y1  - 2008/9
    N2  - This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
    AB  - This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.
    KW  - Cached data
    KW  - Digital forensics
    KW  - Microsoft Windows
    KW  - Registry
    KW  - Volatile memory
    UR  - http://www.scopus.com/inward/record.url?scp=48749098660&partnerID=8YFLogxK
    UR  - http://www.scopus.com/inward/citedby.url?scp=48749098660&partnerID=8YFLogxK
    U2  - 10.1016/j.diin.2008.05.003
    DO  - 10.1016/j.diin.2008.05.003
    M3  - Article
    AN  - SCOPUS:48749098660
    VL  - 5
    JO  - Digital Investigation
    JF  - Digital Investigation
    SN  - 1742-2876
    IS  - SUPPL.
    ER  - 