Last spring, Jolanta Thomassen (JT) contacted me asking for ideas for her master's thesis project. I threw out the idea of locating and retrieving deleted keys from within hive files. An online search revealed a question posted about this back in 2001 (by me), but almost nothing since then.
JT is almost done with her thesis and has had working code for some time. This past summer at DFRWS, Tim Morgan presented his own research into this area. James Macfarlane recently released an update to his ParseWin32Registry Perl module, which provides the basis for allowing you to locate deleted keys, as well.
While I wouldn't say that this is a great number of people focused on this area of research, I would suggest that it is an area that has been in need of research, and the results so far have been pretty eye opening.
Some of what Jolanta has found also includes the fact that some Registry "cleaners" will also remove the unallocated space from hive files.
Is there anyone else out there who is interested in this area of research, not so much in doing it as in the results? From my own personal perspective, this is yet another data point that can be used to correlate and corroborate other data, building a more complete picture for the analyst. However, my concern (primarily from reviewing public forums/forii) is that Registry analysis itself already overwhelms many analysts, so adding an additional source of data will simply add to that, and as a result, it won't be used. However, as an analyst in the corporate world, I can easily see how adding this analysis to my methodology will create a business differentiator for my employer, providing a more thorough and more complete analysis.
Thoughts?
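To make the idea concrete, here is an added example (my own illustration, not code from Jolanta, Tim Morgan, or James Macfarlane's module) of why deleted keys are recoverable at all, and why a "cleaner" that compacts the hive destroys them. A hive is a base block followed by hbin blocks; each hbin holds cells whose 4-byte size is negative when allocated and positive when free. Deleting a key just flips its cell to free, so the "nk" record often survives until the space is reused. The script builds a constructed two-cell hive (one live key, one deleted key), carves free cells that still begin with "nk", and then models a cleaner that rewrites the hive with only allocated cells. Field offsets in the nk record (last-write time at 0x04, name length at 0x48, name at 0x4C) follow the commonly documented layout; the sample names and timestamp are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 4096   # "regf" header block
HBIN_HEADER = 32    # "hbin" header size
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def build_nk(name: bytes, filetime: int) -> bytes:
    # nk record body (cell size field excluded), fixed part is 0x4C bytes
    body = bytearray(0x4C)
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 0x02, 0x20)          # flags: ASCII name
    struct.pack_into("<Q", body, 0x04, filetime)       # last write time
    struct.pack_into("<I", body, 0x10, 0xFFFFFFFF)     # parent offset (none)
    struct.pack_into("<H", body, 0x48, len(name))      # key name length
    return bytes(body) + name


def make_cell(payload: bytes, allocated: bool) -> bytes:
    size = (len(payload) + 4 + 7) & ~7                 # cells are 8-byte aligned
    return struct.pack("<i", -size if allocated else size) + payload.ljust(size - 4, b"\x00")


def build_hive(cells) -> bytes:
    """Constructed hive: one regf block plus one 4096-byte hbin."""
    base = bytearray(BASE_BLOCK)
    base[0:4] = b"regf"
    hbin_size = 4096
    body = b"".join(cells)
    remaining = hbin_size - HBIN_HEADER - len(body)
    assert remaining >= 8
    tail = struct.pack("<i", remaining) + b"\x00" * (remaining - 4)  # trailing free cell
    hdr = bytearray(HBIN_HEADER)
    hdr[0:4] = b"hbin"
    struct.pack_into("<I", hdr, 8, hbin_size)
    return bytes(base) + bytes(hdr) + body + tail


def walk_cells(hive: bytes):
    """Yield (offset, allocated, payload) for every cell in every hbin."""
    pos = BASE_BLOCK
    while pos + HBIN_HEADER <= len(hive) and hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell, end = pos + HBIN_HEADER, pos + bin_size
        while cell + 4 <= end:
            raw = struct.unpack_from("<i", hive, cell)[0]
            size = abs(raw)
            if raw == 0 or size < 8 or cell + size > end:  # corrupt: stop this bin
                break
            yield cell, raw < 0, hive[cell + 4:cell + size]
            cell += size
        pos += bin_size


def carve_deleted_keys(hive: bytes):
    """Return nk records found in unallocated cells (i.e. deleted keys)."""
    found = []
    for off, allocated, payload in walk_cells(hive):
        if allocated or payload[:2] != b"nk" or len(payload) < 0x4C:
            continue
        name_len = struct.unpack_from("<H", payload, 0x48)[0]
        if name_len == 0 or 0x4C + name_len > len(payload):
            continue
        ft = struct.unpack_from("<Q", payload, 0x04)[0]
        found.append({"offset": off,
                      "name": payload[0x4C:0x4C + name_len].decode("latin-1"),
                      "last_write": filetime_to_dt(ft)})
    return found


def compact_hive(hive: bytes) -> bytes:
    """Model of a Registry cleaner: rewrite the hive keeping only allocated cells."""
    kept = [struct.pack("<i", -(len(p) + 4)) + p for _, alloc, p in walk_cells(hive) if alloc]
    return build_hive(kept)


# Constructed sample: a live key and a key that was deleted (cell marked free).
DEMO_TIME = datetime(2009, 1, 1, tzinfo=timezone.utc)
SAMPLE_HIVE = build_hive([
    make_cell(build_nk(b"LiveKey", dt_to_filetime(DEMO_TIME)), allocated=True),
    make_cell(build_nk(b"DeletedKeyDemo", dt_to_filetime(DEMO_TIME)), allocated=False),
])

if __name__ == "__main__":
    print("before cleaner:", carve_deleted_keys(SAMPLE_HIVE))
    print("after cleaner: ", carve_deleted_keys(compact_hive(SAMPLE_HIVE)))
```

The carve step is deliberately conservative: it stops walking a bin on an impossible cell size rather than guessing, and it only reports records whose name length fits inside the free cell, which keeps partially overwritten cells from producing garbage entries.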
Harlan,
Registry artifacts are an invaluable tool for forensic analysts but I do not think that forensic computer analysts are overwhelmed by the Registry, rather I think the 'Judge & Jury' would be.
I think that when required to give evidence in a court of Law, forensic computer practitioners have a duty to enable the 'Judge & Jury' to develop an understanding of the pertinent aspects of a case without them having to make a paradigm jump into the surreal world of 'The Registry'.
Thoughts?
Neddy,
I'm not sure what the issue is, to be honest. "Paradigm jump"? How so? It's a simple matter of explaining that when certain things happen on a computer, just like at a real-world crime scene, certain artifacts are left. You know…Locard's Principle.
Someone walking across a carpet in dirty shoes leaves footprints. Web browser activity leaves 'footprints'. Downloading and viewing graphic images leaves 'footprints'…more than just MAC times being adjusted.
If a forensic analyst can explain to a jury how file MAC times are modified and why they're important, but cannot do so with respect to Registry artifacts…maybe they *are* overwhelmed.
Harlan,
I totally see your point mate and I agree with your argument in principle. However, I still think the main reason forensic analysts don't focus on the registry is because it is a concept that is extremely difficult in broad terms to explain to the layman or woman. MAC times are a concept that a person who is familiar with train timetables can get a grip on, but I would suggest that registry settings are a concept that is way beyond the layman's understanding due to their Boyce-Coddish nature!
I was going to say in my original reply to your post that if the juror did not understand the evidence they would have to believe the person giving it in order to bypass the paradigm jump, thus defeating the logical purpose of the expert. On the other hand, a good counsel could convince them otherwise, and out the window goes all your hard work because you tried to explain relational database principles to a valued member of society who wonders why the sky is blue.