Digital Forensic Identification, Collection, Examination and Decoding of Windows Registry Keys for Discovering User Activities Patterns

International Journal of Computer Trends and Technology (IJCTT)          
© 2014 by IJCTT Journal
Volume-17 Number-2
Year of Publication : 2014
Authors : Abhijeet Ramani , Somesh Kumar Dewangan


Abhijeet Ramani , Somesh Kumar Dewangan. "Digital Forensic Identification, Collection, Examination and Decoding of Windows Registry Keys for Discovering User Activities Patterns". International Journal of Computer Trends and Technology (IJCTT) V17(2):101-111, Nov 2014. ISSN:2231-2803. Published by Seventh Sense Research Group.

Abstract -
The Key study in this paper is to begin the investigation process with the initial forensic analysis in the segments of the storage media which would definitely contain the digital forensic evidences. These Storage media Locations is referred as the Windows registry. Identifying the forensic evidence from windows registry may take less time than required in the case of all locations of a storage media. Our main focus in this research will be to study the registry structure of Windows 7 and identify the useful information within the registry keys of windows 7 that may be extremely useful to carry out any task of digital forensic analysis. The main aim is to describe the importance of the study on computer & digital forensics. The Idea behind the research is to implement a forensic tool which will be very useful in extracting the digital evidences and present them in usable form to a forensic investigator. The work includes identifying various events registry keys value such as machine last shut down time along with machine name, List of all the wireless networks that the computer has connected to; List of the most recently used files or applications, List of all the USB devices that have been attached to the computer and many more. This work aims to point out the importance of windows forensic analysis to extract and identify the hidden information which shall act as an evidence tool to track and gather the user activities pattern. All Research was conducted in a Windows 7 Environment.

[1] Ramani, A & Dewangan, S (2014). Auditing Windows 7 Registry Keys to track the traces left out in copying files from system to external USB Device. Retrieved August,2014, from Volume%205/ vol5issue02/ijcsit2014050220.pdf
[2] Carvey, H.(2011). Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry. Burlington: Syngress.
[3] Farmer, D.J.(n.d.). A windows registry Quick Reference: For the Everyday Examiner. Retrieved December, 2013, from
[4] Windows registry information for advanced users. Retrieved December 2013, from Microsoft Support.
[5] Barbara, J.J.(2011).Windows 7 Registry Forensics. Retrieved January, 2014, from 06/windows-7-registry-forensics-part-5#.Uv-TkPtfaSo
[6] Wong, L.W.(n. d.).Forensic Analysis of Windows Registry. Retrieved January, 2014, from /digital_forensics/forensic_analysis_of_windows_registry_by_lih_ wern_wong.pdf
[7] Jain, A & Roy, T.(2012).Windows Registry Forensics: An Imperative Step in Tracking Data Theft via USB Devices. Retrieved January, 2014, from ijcsit20120303126.pdf
[8] Alghafli, K.A & Jones, A & Martin T.A. (2010) .Forensic Analysis of the Windows 7 Registry. Retrieved Retrieved January, 2014, from Edith Cawan University Research online. viewcontent.cgi?article=1071&context=adf
[9] Fisher, T. (n.d.). Windows Registry. Retrieved January, 2014, from
[10] Fisher, T. (n.d.). Registry Hives. Retrieved January, 2014, from
[11] Fisher, T. (n.d.). HKEY_CLASSES_ROOT Retrieved January, 2014, from classes_ root.htm
[12] Fisher, T. (n.d.). HKEY_CURRENT_USER. Retrieved January, 2014, from
[13] Fisher, T. (n.d.). HKEY_LOCAL_MACHINE. Retrieved January, 2014, from local_ machine.htm
[14] Fisher, T. (n.d.). HKEY_USERS. Retrieved January, 2014, from
[15] Fisher, T. (n.d.). HKEY_CURRENT_CONFIG. Retrieved January, 2014 from current_config.htm
[16] Liming Cai & Jing Sha & Wei Qian (2013). Study on Forensic Analysis of Physical Memory. Retrieved March 2014 from paper.php?id=10172
[17] Haoyang Xie & Keyu Jiang Xiaohong Yuan & Hongbiao Zeng (2012). Forensic Analysis of Windows Registry Against Intrusion. Retrieved July 2014 from Windows %20Registry%20Against%20Intrusion.pdf
[18] Lih Wern Wong (n.d.).Forensic Analysis of the Windows Registry.Retrieved July 2014 From 55972/Forensic-Analysis-of-Windows-Registry-by-Lih-Wern-Wong
[19] Yuri Gubanov (2012).Retrieving Digital Evidence: Methods, Techniques and Issues.Retrieved on July 2014 From /en/retrieving-digital-evidence-methods-techniques-and-issues
[20] Jerry Honeycutt (2005).Microsoft Windows Registry Guide 2nd Edition. Retrieved on october 2014 from
[21] "" [Online] Available: /ms7248 71%28v=vs.85%29.aspx
[22] "" [Online] Available: ms7248 77%28v=vs.85%29.aspx
[23] "" [Online] Available:
[24] "sqlcoffee" [Online] Available:Available: "gaurangpatel" [Online]
[25] Available: reboot-required-error [26] "microsoft" [Online]
Available: id=23691
[27] "" [Online] Available: (v=vs.100).aspx
[28] "" [Online] Available: (v=vs.110).aspx
[29] "" [Online] Available: 1(v=vs.100).aspx
[30] "" [Online] Available: (v=vs.100).aspx
[31] "" [Online] Available: (v=vs.71).aspx
[32] "" [Online] Available: registry(v=vs.71).aspx
[33] "" [Online] Available: registrykey(v=vs.100).aspx
[34] "" [Online] Available: (v=vs.100).aspx
[35] "" [Online] Available: (v=vs.110).aspx
[36] "" [Online] Available: (v=vs.100).aspx

Windows Registry, Windows 7 Forensic Analysis, Windows Registry Structure, Analysing Registry Key, Digital Forensic Identification, Forensic data Collection, Examination of Windows Registry, Decoding of Windows Registry Keys, Discovering User Activities Patterns, Computer Forensic Investigation Tool.