Oct 04 2012

This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes to the forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices. Current forensic literature and tools do not reflect these changes, hence this post.
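To make the UserAssist pitfall concrete, here is an added example (not from the dissertation or from Ms. Fox's Bash scripts) that parses UserAssist Count values under the two layouts widely documented for these keys: the 16-byte XP/2003 record (session, run count stored with an offset of 5, last-run FILETIME) and the 72-byte Windows 7 record (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60, no offset on the count). Those layouts are assumptions stated here, not facts taken from this page; the ROT13 value name and the two binary blobs are constructed samples. The last function shows what an XP-era parser reports when fed a Windows 7 record: a wrong run count and a timestamp in the 1600s.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware datetime (None for 0 = never run)."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(name):
    """UserAssist value names are ROT13-obfuscated on every Windows version."""
    return codecs.decode(name, "rot13")


def parse_userassist_xp(blob):
    """Assumed XP/2003 Count value: 16 bytes = session id (4) | run count (4) | last-run FILETIME (8).
    The stored count starts at 5, so 5 is subtracted to get the real number of runs."""
    if len(blob) != 16:
        raise ValueError("XP-style UserAssist data is 16 bytes, got %d" % len(blob))
    session, count, ft = struct.unpack("<IIQ", blob)
    return {"layout": "xp", "session": session, "run_count": count - 5,
            "last_run": filetime_to_datetime(ft)}


def parse_userassist_win7(blob):
    """Assumed Windows 7 Count value: 72 bytes. Run count at offset 4, focus count at 8,
    focus time in ms at 12, last-run FILETIME at 60. The count is not offset by 5."""
    if len(blob) != 72:
        raise ValueError("Windows 7 UserAssist data is 72 bytes, got %d" % len(blob))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", blob, 4)
    (ft,) = struct.unpack_from("<Q", blob, 60)
    return {"layout": "win7", "run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_run": filetime_to_datetime(ft)}


def parse_userassist(blob):
    """Pick the parser by record length; refuse to guess for anything else."""
    if len(blob) == 16:
        return parse_userassist_xp(blob)
    if len(blob) == 72:
        return parse_userassist_win7(blob)
    raise ValueError("unknown UserAssist record length %d" % len(blob))


# Constructed sample: calc.exe run 7 times, last at 2012-10-04 12:00 UTC.
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr"
LAST_RUN = datetime(2012, 10, 4, 12, 0, tzinfo=timezone.utc)
XP_BLOB = struct.pack("<IIQ", 0, 7 + 5, datetime_to_filetime(LAST_RUN))
WIN7_BLOB = (struct.pack("<IIII", 0, 7, 3, 120_000)      # session, runs, focus count, focus ms
             + b"\x00" * 44                              # focus-list bytes not interpreted here
             + struct.pack("<Q", datetime_to_filetime(LAST_RUN))
             + b"\x00" * 4)


def misread_win7_as_xp(blob):
    """The pitfall: an XP-era tool reading only the first 16 bytes of a Windows 7 record."""
    return parse_userassist_xp(blob[:16])


if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_NAME))
    print(parse_userassist(XP_BLOB))
    print(parse_userassist(WIN7_BLOB))
    print(misread_win7_as_xp(WIN7_BLOB))
```

Dispatching on record length is the minimum a tool needs to avoid silently applying the old layout; the misread case reports 2 runs instead of 7 and a last-run date in 1602, which is exactly the kind of error an examiner will only catch if the tool is version-aware.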




Pavel Gladyshev

Dr. Pavel Gladyshev is a lecturer at University College Dublin (Ireland), where he directs the MSc programme in Forensic Computing and Cybercrime Investigation. Dr. Gladyshev holds a PhD in the field of Digital Forensics and is one of the founders of the state machine theory of digital forensic analysis. His current research interests focus on forensic analysis of IT cloud environments, open source hardware solutions for digital forensics, automated malware forensics, and related areas. Dr. Gladyshev has been working with law enforcement since 1998, when he designed the first training course in cybercrime investigation for the Irish national police service. Prior to joining the university Dr. Gladyshev worked as an IT forensics analyst at the Dublin practice of Ernst & Young, and he is still actively working as a consultant in criminal and civil investigations. Dr. Gladyshev serves on the INTERPOL steering committee on IT Crime. He is a member of the steering committee of the ICST International Conference on Digital Forensics and Cyber Crime (ICDF2C) and a member of the editorial boards of several journals and conferences, including Elsevier's Digital Investigation journal. In March 2012, Dr. Gladyshev was elected Chair of the Standards Committee of the Consortium of Digital Forensic Specialists (CDFS).

  3 Responses to “Some Pitfalls of Interpreting Forensic Artifacts in Windows Registry”

  1. Thank you for sharing your observations and learning.

  2. Thanks. A very interesting read, and I look forward to playing with the bash scripts :)

  3. Daniel Beaulieu

    I cannot thank you enough for that article. Really, thank you!
