2005, Vol 2 (3), pp. 201-205
Author(s): Harlan Carvey

This chapter summarizes the basic concepts related to the most targeted and widely used Windows operating system. The chapter explains the Windows architecture and authentication process along with different Windows operating system tools, including Windows Management Instrumentation Command-line (WMIC), recycle bin, msinfo32, netsh (network shell), Windows services console, Windows registry, event viewer, NBTSTAT (NetBIOS over TCP/IP Status), system file checker, group policy editor, Windows firewall, Windows task manager, MSCONFIG utility, netstat (network statistics) utility, Attrib command, diskpart utility, etc. The chapter provides details of Windows PowerShell, an integrated scripting environment (ISE) for executing commands at runtime as well as for developing and testing PowerShell scripts, along with net commands and netsh commands. These tools are useful for diagnosing and testing the security level or condition of an existing Windows installation. The Windows virtual machines created as part of the experimental setup discussed in the first chapter of this book can be used to exercise the Windows commands and utilities mentioned in this chapter.


2014
Author(s): Christian Leube, Knut Kröger, Reiner Creutzburg

2015, Vol 44 (4), pp. 451-461
Author(s): Algimantas Venčkauskas, Vacius Jusas, Kęstutis Paulikas, Jevgenijus Toldinas

The BitTorrent client application is a popular tool for downloading large files from the Internet, but this application is quite frequently used for illegal purposes, which are one of the types of cybercrime. In order to fight against this type of cybercrime, we carried out research in which we investigated the evidence left by the BitTorrent client application in the registry under the Windows 8.1 operating system. The experiment was carried out in three steps: installation, download, and uninstallation. Snapshots of the registry were taken and compared before and after each step. Changes in the Windows registry were collected and joined into tables. The experiment revealed that the BitTorrent client application creates Windows registry artefacts that can contain information which might be used as evidence during an investigation. The evidence remains in the registry even after the removal of the application, although it can only prove the fact that the application was used. The investigation of the file system can reveal the purpose and the contents of the BitTorrent client session.

DOI: http://dx.doi.org/10.5755/j01.itc.44.4.13082


2019, Vol 9 (18), pp. 3801
Author(s): Hyuk-Yoon Kwon

In this paper, we propose a method to construct a lightweight key-value store based on Windows native features. The main idea is to provide a thin wrapper for the key-value store on top of a built-in storage in Windows, called the Windows registry. First, we define a mapping of the components in the key-value store onto the components in the Windows registry. Then, we present a hash-based multi-level registry index so as to distribute the key-value data in a balanced manner and to access them efficiently. Third, we implement basic operations of the key-value store (i.e., Get, Put, and Delete) by manipulating the Windows registry using the Windows native APIs. We call the proposed key-value store WR-Store. Finally, we propose an efficient ETL (Extract-Transform-Load) method to migrate data stored in WR-Store into any other environments that support existing key-value stores. Because the performance of the Windows registry has not been studied much, we perform an empirical study to understand the characteristics of WR-Store, and then tune the performance of WR-Store to find the best parameter setting. Through extensive experiments using synthetic and real data sets, we show that the performance of WR-Store is comparable to or even better than the state-of-the-art systems (i.e., RocksDB, BerkeleyDB, and LevelDB). In particular, we show the scalability of WR-Store. That is, WR-Store becomes much more efficient than the other key-value stores as the size of the data set increases. In addition, we show that the performance of WR-Store is maintained even in the case of intensive registry workloads where 1000 processes actively accessing the registry are running concurrently.

