A Consistency Study of the Windows Registry

Abstract: This paper proposes a novel method for checking the consistency of forensic registry artifacts: event information is gathered from the artifacts and the resulting event sequences are analyzed against their associated timestamps. Because the method reasons about the ordering that the events must satisfy rather than about the traces of any one tool, it can detect the use of counter-forensic techniques without focusing on one particular counter-forensic tool at a time. Several consistency-checking models are presented to verify events derived from registry artifacts, and examples of these models are used to demonstrate how evidence of alteration may be detected.
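The abstract describes the method only at a high level (gather timestamped events from the artifacts, then test whether their ordering is consistent). The following Python is an added illustration written for this page, not code from the paper or its authors; its input is a constructed, in-memory snapshot of a few registry keys rather than a parsed hive, and the two ordering rules it applies are assumptions chosen for the illustration: (1) a timestamp that an application stores inside value data cannot be later than the LastWrite time of the key holding that value, because writing the value is what updates the key's LastWrite; and (2) no key LastWrite can be later than the time the hive was acquired. Both rules are instances of the "event A must not happen after event B" constraints the abstract's models are built from; the checker itself is generic, so other rules can be added as further constraints.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    """One timestamped event derived from a registry artifact."""
    ident: str
    time: datetime
    source: str


@dataclass(frozen=True)
class Constraint:
    """Ordering rule: the 'earlier' event must not occur after the 'later' one."""
    earlier: str
    later: str
    reason: str


# Constructed sample snapshot (hypothetical data, not from a real hive):
# key path -> LastWrite time plus any value that carries its own timestamp.
# The "Tool" key stores a LastRun time that is later than the key's LastWrite,
# which is the kind of inconsistency left behind by clock rollback or direct
# hive editing.
SNAPSHOT = {
    "acquired_at": datetime(2010, 1, 20, 12, 0, tzinfo=timezone.utc),
    "keys": {
        r"HKCU\Software\Example\App": {
            "last_write": datetime(2010, 1, 15, 9, 30, tzinfo=timezone.utc),
            "values": {"LastRun": datetime(2010, 1, 15, 9, 30, tzinfo=timezone.utc)},
        },
        r"HKCU\Software\Example\Tool": {
            "last_write": datetime(2010, 1, 10, 8, 0, tzinfo=timezone.utc),
            "values": {"LastRun": datetime(2010, 1, 18, 14, 5, tzinfo=timezone.utc)},
        },
    },
}


def gather_events(snapshot):
    """Turn the snapshot into events plus the ordering constraints they must satisfy.

    Rules applied (assumed for this illustration):
      1. a timestamp stored in value data <= LastWrite of the containing key
      2. every key LastWrite <= hive acquisition time
    """
    events = {}
    constraints = []
    acquisition = Event("acquisition", snapshot["acquired_at"], "imaging time")
    events[acquisition.ident] = acquisition
    for path, key in snapshot["keys"].items():
        key_id = f"lastwrite:{path}"
        events[key_id] = Event(key_id, key["last_write"], "key LastWrite")
        constraints.append(Constraint(
            key_id, "acquisition",
            "a key cannot have been written after the hive was acquired"))
        for name, stamp in key["values"].items():
            value_id = f"value:{path}\\{name}"
            events[value_id] = Event(value_id, stamp, "timestamp stored in value data")
            constraints.append(Constraint(
                value_id, key_id,
                "writing the value updates the key LastWrite, "
                "so the stored time cannot exceed it"))
    return events, constraints


def check_consistency(events, constraints):
    """Return (earlier_id, later_id, reason) for every violated ordering rule."""
    violations = []
    for rule in constraints:
        earlier, later = events[rule.earlier], events[rule.later]
        if earlier.time > later.time:
            violations.append((rule.earlier, rule.later, rule.reason))
    return violations


if __name__ == "__main__":
    evs, rules = gather_events(SNAPSHOT)
    for earlier_id, later_id, reason in check_consistency(evs, rules):
        print(f"INCONSISTENT: {earlier_id} is after {later_id} ({reason})")
```

Running it reports a single inconsistency, the LastRun timestamp under the "Tool" key. In a real investigation the events would come from a hive parser and the constraint set would encode the relationships the examiner trusts (which is where the paper's models come in); a violation is evidence that something altered a timestamp, not proof of which tool did it, which is exactly the tool-agnostic property the abstract claims.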
Document type: Conference papers

Cited literature: 8 references

https://hal.inria.fr/hal-01060611
Contributor: Hal Ifip
Submitted on: Monday, November 27, 2017 - 5:15:29 PM
Last modification on: Thursday, March 5, 2020 - 4:46:43 PM

File: ZhuJG10.pdf (files produced by the author(s))

Licence: Distributed under a Creative Commons Attribution 4.0 International License

Citation

Yuandong Zhu, Joshua James, Pavel Gladyshev. A Consistency Study of the Windows Registry. 6th IFIP WG 11.9 International Conference on Digital Forensics (DF), Jan 2010, Hong Kong, China. pp.77-90, ⟨10.1007/978-3-642-15506-2_6⟩. ⟨hal-01060611⟩
