Forensic analysis of the Windows registry in memory

Cited by: 42
Author
Dolan-Gavitt, Brendan [1]
Affiliation
[1] Mitre Corp, Bedford, MA 01730 USA
Keywords
Digital forensics; Microsoft Windows; Volatile memory; Registry; Cached data;
DOI
10.1016/j.diin.2008.05.003
CLC classification
TP [Automation and computer technology];
Discipline code
0812;
Abstract
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory. (c) 2008 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.
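The detection idea in the abstract (the on-disk hive is untouched, only the cached copy in memory is changed, so a comparison of the two exposes the tampering) can be shown with a minimal parser of the registry's cell format. The block below is an added example written for this page, not code from the paper or its author: it constructs a tiny hive data area (one hbin holding a single nk key with two vk values), parses the nk/vk cells, then patches only the "cached" copy the way the abstract's attack would and reports the differing value. The sample bytes, the key and value names, the `build_hive`/`key_values`/`diff_registry` function names and the treatment of both copies as flat byte buffers are all assumptions of the example; a real memory image holds the hive in non-contiguous paged pool and needs the cell-index translation the paper describes before this comparison can be made.

```python
"""Minimal regf cell parser plus an on-disk vs in-memory diff (added example, not the paper's code)."""
import struct

REG_SZ, REG_DWORD = 1, 4
HBIN_HEADER = 32            # "hbin" + offset + size + reserved(8) + timestamp(8) + spare(4)
INLINE_DATA = 0x80000000    # vk.data_len flag: data is stored in the data_off field itself


def cell(payload: bytes) -> bytes:
    """Allocated cell: negative 32-bit size (8-byte aligned) followed by the payload."""
    size = (4 + len(payload) + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")


def vk_payload(name: str, vtype: int, data_len: int, data_off: int) -> bytes:
    # vk: sig, name_len, data_len, data_off (or inline data), type, flags (1 = ASCII name), spare, name
    return struct.pack("<2sHIIIHH", b"vk", len(name), data_len, data_off, vtype, 1, 0) + name.encode("ascii")


def nk_payload(name: str, n_values: int, values_off: int) -> bytes:
    # nk: sig, flags (0x20 = ASCII name), timestamp, spare, parent, subkey counts/lists (none),
    # value count/list, sk, class, 4 max-length fields, work var, name_len, class_len, name
    fixed = struct.pack("<2sHQ" + "I" * 15 + "HH", b"nk", 0x2C, 0, 0, 0xFFFFFFFF,
                        0, 0, 0xFFFFFFFF, 0xFFFFFFFF, n_values, values_off,
                        0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(name), 0)
    return fixed + name.encode("ascii")


def build_hive(start_value: int):
    """Constructed sample: the hive data area (what follows the 4096-byte regf header).
    Cell indexes are offsets from the start of this first hbin."""
    cells, cur, offs = [], HBIN_HEADER, {}

    def add(tag, payload):
        nonlocal cur
        c = cell(payload)
        offs[tag], cur = cur, cur + len(c)
        cells.append(c)
        return offs[tag]

    path = "C:\\svc.exe".encode("utf-16-le") + b"\x00\x00"
    data_off = add("path_data", path)                                   # REG_SZ data in its own cell
    vk1 = add("ImagePath", vk_payload("ImagePath", REG_SZ, len(path), data_off))
    vk2 = add("Start", vk_payload("Start", REG_DWORD, 4 | INLINE_DATA, start_value))
    vlist = add("vlist", struct.pack("<II", vk1, vk2))
    add("root", nk_payload("ROOT", 2, vlist))

    body = b"".join(cells)
    free = 4096 - HBIN_HEADER - len(body)                               # rest of the bin: one free cell
    body += struct.pack("<i", free).ljust(free, b"\x00")
    header = b"hbin" + struct.pack("<II", 0, 4096) + bytes(8) + struct.pack("<Q", 0) + bytes(4)
    return header + body, offs


def read_cell(data: bytes, off: int) -> bytes:
    size = struct.unpack_from("<i", data, off)[0]
    if size >= 0:
        raise ValueError(f"cell at {off:#x} is free; dangling cell index?")
    return data[off + 4: off - size]


def parse_vk(data: bytes, off: int):
    p = read_cell(data, off)
    sig, name_len, data_len, data_off, vtype, flags = struct.unpack_from("<2sHIIIH", p, 0)
    if sig != b"vk":
        raise ValueError("not a vk cell")
    raw_name = p[0x14:0x14 + name_len]
    name = raw_name.decode("ascii") if flags & 1 else raw_name.decode("utf-16-le")
    length = data_len & 0x7FFFFFFF
    if data_len & INLINE_DATA:
        raw = struct.pack("<I", data_off)[:length]                       # small data lives in the offset field
    else:
        raw = read_cell(data, data_off)[:length]
    if vtype == REG_DWORD:
        return name, vtype, struct.unpack("<I", raw)[0]
    if vtype == REG_SZ:
        return name, vtype, raw.decode("utf-16-le").rstrip("\x00")
    return name, vtype, raw


def key_values(data: bytes, nk_off: int):
    """Return (key name, {value name: decoded value}) for one nk cell; subkeys are not walked."""
    p = read_cell(data, nk_off)
    sig, flags = struct.unpack_from("<2sH", p, 0)
    if sig != b"nk":
        raise ValueError("not an nk cell")
    n_values, values_off = struct.unpack_from("<II", p, 0x24)
    name_len = struct.unpack_from("<H", p, 0x48)[0]
    raw_name = p[0x4C:0x4C + name_len]
    name = raw_name.decode("ascii") if flags & 0x20 else raw_name.decode("utf-16-le")
    values = {}
    if n_values:
        vlist = read_cell(data, values_off)
        for i in range(n_values):
            vname, _vtype, value = parse_vk(data, struct.unpack_from("<I", vlist, 4 * i)[0])
            values[vname] = value
    return name, values


def diff_registry(disk: bytes, disk_root: int, mem: bytes, mem_root: int) -> dict:
    """{value name: (on-disk value, in-memory value)} for every value that differs."""
    _, dvals = key_values(disk, disk_root)
    _, mvals = key_values(mem, mem_root)
    return {k: (dvals.get(k), mvals.get(k))
            for k in sorted(set(dvals) | set(mvals)) if dvals.get(k) != mvals.get(k)}


def demo() -> dict:
    disk, offs = build_hive(start_value=4)                 # on disk: Start=4 (service disabled)
    mem = bytearray(disk)                                  # the cached copy starts out identical
    # Simulate the attack: rewrite only the cached vk's inline data (4-byte cell header + 8 bytes into vk).
    struct.pack_into("<I", mem, offs["Start"] + 4 + 8, 2)  # Start=2 (auto-start) in memory only
    return diff_registry(disk, offs["root"], bytes(mem), offs["root"])


if __name__ == "__main__":
    print(demo())   # {'Start': (4, 2)}
```

The on-disk parse alone would report the service as disabled; only the comparison against the copy parsed from memory surfaces the change, which is the point the abstract makes.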
Pages: S26-S32
Page count: 7