by Chirath De Alwis
Computer forensics is the process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence. When considering computer forensics, registry forensics plays a huge role because of the amount of the data that is stored on the registry and the importance of the stored data. The extraction of this data is therefore highly important when investigating. Due to the limitation of tools that can extract forensically valuable data from registry files, investigators have to extract it manually. Because of the registry file format (.REG), extracting information is a challenging task for investigators. Registry files normally store data under unique values called “Keys”. One challenge that investigators must face is the lack of knowledge about Registry Keys and the data which stored under those Keys. This article provide an overview of registry file acquisition, registry structure and common issues in registry analysis.