Digital Evidence Analysis: Windows Registry Decoder

Windows Registry: Digital Forensics Challenges

The Microsoft Windows registry contains a wealth of forensically important information, including a history of attached devices, the list of local user accounts, URLs typed into the local Web browser and information about network shares.

Unfortunately, existing digital forensics tools for processing the Windows registry are limited in functionality and difficult to use. They require the investigator to know exactly where useful information is stored in the registry, an overwhelming task even for experienced investigators and a nearly impossible one for new investigators. Tools that do target specific areas of the registry and automatically extract useful information parse only limited portions of it and are difficult to extend without directly modifying the application or programming additional modules.

Furthermore, existing tools require investigators to understand the critical differences between registry layouts in every version of Windows, and to interpret and correlate an overwhelming amount of registry data correctly.

Tools to Extract Windows Registry Information

NIJ supports the development of tools to assist investigators in extracting Windows registry information. Registry Decoder, a set of automated forensic acquisition, examination and analysis tools, is being developed by Digital Forensics Solutions under an NIJ grant.

Registry Decoder will recover, parse and report relevant data from the registry hives of seized computers.

The tool will be usable both for traditional "dead" forensics against hard drive images and for live (triage) analysis of running machines. Registry Decoder will be easily customizable and will provide an interface that lets the law enforcement investigator quickly identify which information is most crucial to the case, extract that data and render it into a report. Additional information will give the investigator practical insight into the meaning and relevance of the data collected. Registry Decoder will also examine values in the current Windows registry alongside the copies of the registry stored by the system restore point facility, cross-referencing them to help reconstruct the history of the system under investigation.
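The cross-referencing described above, as an added example that is not Registry Decoder's code: consecutive copies of the registry (restore point copies and the live hive) are compared, and every value that differs is reported together with the time window in which it must have changed. The example assumes a hive parser (not included here) has already flattened each hive to a dictionary of "HIVE\Key\ValueName" to data; the sample hives below are constructed by hand, and the key paths used are the standard locations of the artefacts this page lists (USBSTOR device entries, SAM account names, Internet Explorer TypedURLs and mapped drives under NTUSER.DAT).

```python
"""Reconstruct a change history from registry snapshots (added example).

This is illustrative code, not Registry Decoder's own. Each Snapshot stands for
one registry hive that a hive parser (assumed, not included here) has already
flattened to {"HIVE\\Key\\Path\\ValueName": data}: the live/current hive, or a
copy kept by the system restore point facility (on Windows XP these live under
"System Volume Information\\_restore{GUID}\\RPnn\\snapshot\\", for example
_REGISTRY_MACHINE_SYSTEM). Comparing consecutive copies bounds when each
change happened. All sample data below is constructed by hand.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Snapshot:
    label: str              # "RP11", "RP12", "current", ...
    taken: datetime         # when this copy of the registry was made
    values: Dict[str, str]  # flattened "HIVE\\Key\\ValueName" -> data


@dataclass(frozen=True)
class Event:
    kind: str               # "added", "removed" or "changed"
    path: str
    before: Optional[str]   # data in the older copy (None if absent)
    after: Optional[str]    # data in the newer copy (None if absent)
    not_before: datetime    # change happened after this copy was taken...
    not_after: datetime     # ...and no later than this one


def diff_snapshots(older: Snapshot, newer: Snapshot) -> List[Event]:
    """Values that differ between two copies, in path order."""
    events = []
    for path in sorted(set(older.values) | set(newer.values)):
        before = older.values.get(path)
        after = newer.values.get(path)
        if before == after:
            continue
        if before is None:
            kind = "added"
        elif after is None:
            kind = "removed"
        else:
            kind = "changed"
        events.append(Event(kind, path, before, after, older.taken, newer.taken))
    return events


def reconstruct_history(snapshots: List[Snapshot]) -> List[Event]:
    """Cross-reference every copy with the next one in time order."""
    ordered = sorted(snapshots, key=lambda s: s.taken)
    events: List[Event] = []
    for older, newer in zip(ordered, ordered[1:]):
        events.extend(diff_snapshots(older, newer))
    return events


def describe(event: Event) -> str:
    """One report line: the time window, what happened, and the data."""
    window = "%s .. %s" % (event.not_before.date(), event.not_after.date())
    if event.kind == "changed":
        detail = "%r -> %r" % (event.before, event.after)
    else:
        detail = repr(event.after if event.kind == "added" else event.before)
    return "[%s] %s %s = %s" % (window, event.kind, event.path, detail)


# Constructed sample hives. The paths are standard locations of the artefacts
# the page lists: attached USB storage (SYSTEM USBSTOR), local accounts (SAM
# Users\Names), typed Internet Explorer URLs and mapped drives (NTUSER.DAT).
USB = ("SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
       "\\0123456789AB&0\\FriendlyName")
ALICE = "SAM\\SAM\\Domains\\Account\\Users\\Names\\alice"
BOB = "SAM\\SAM\\Domains\\Account\\Users\\Names\\bob"
URL1 = "NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url1"
URL2 = "NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs\\url2"
DRIVE_Z = "NTUSER\\Network\\Z\\RemotePath"

RP11 = Snapshot("RP11", datetime(2010, 10, 10), {
    USB: "SanDisk Cruzer USB Device",
    ALICE: "rid=0x3e8",
    URL1: "http://intranet.example/",
})
RP12 = Snapshot("RP12", datetime(2010, 10, 20), {
    USB: "SanDisk Cruzer USB Device",
    ALICE: "rid=0x3e8",
    BOB: "rid=0x3e9",                      # account created after RP11
    URL1: "http://intranet.example/",
})
CURRENT = Snapshot("current", datetime(2010, 11, 5), {
    ALICE: "rid=0x3e8",                    # USB device entry is gone
    BOB: "rid=0x3e9",
    URL1: "http://fileshare.example/",     # MRU list shifted: url1 changed,
    URL2: "http://intranet.example/",      # the old url1 became url2
    DRIVE_Z: "\\\\fileserver\\share",      # mapped drive added
})

if __name__ == "__main__":
    # Snapshots are passed out of order on purpose; they are sorted by time.
    for ev in reconstruct_history([CURRENT, RP11, RP12]):
        print(describe(ev))
```

Each event carries the window between the two copies that disagree, which is all the registry alone can establish: the bob account was created after RP11 and no later than RP12, and the SanDisk entry disappeared after RP12, so its absence from the live hive does not mean the device was never attached. A real run would replace the constructed dictionaries with the output of a hive parser over the live hives and every restore point copy found on the image.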

The tool is expected to be available in early 2011.

Date Created: November 5, 2010