Correlating Orphaned Windows Registry Data Structures
Damir Kahvedžić
Centre for Cyber Crime Investigation,
University College Dublin, Ireland,
Tel: +353 1 716 2485
Email: damir.kahvedzic@ucd.ie
Tahar Kechadi
Centre for Cyber Crime Investigation,
University College Dublin, Ireland,
Tel: +353 1 716 2478
Email: tahar.kechadi@ucd.ie
ABSTRACT

Recently, it has been shown that deleted entries of the Microsoft Windows registry (keys) may still reside in the system files once the entries have been deleted from the active database. Investigating the complete keys in context may be extremely important from both a forensic investigation point of view and a legal point of view, where a lack of context can bring doubt to an argument. In this paper we formalise the registry behaviour and show how a retrieved value may not maintain a relation to the part of the registry it belonged to and hence lose that context. We define registry orphans and elaborate on how they can be created inadvertently during software uninstallation and other system processes. We analyse the orphans and attempt to reconstruct them automatically. We adopt a data mining approach and introduce a set of attributes that can be applied by the forensic investigator to match values to their parents. The heuristics are encoded in a Decision Tree that can discriminate between keys and select those which most likely owned a particular orphan value.

Keywords: Windows Registry, Data Structures, Retrieval, Orphans, Correlation