The Association of Digital Forensics, Security and Law (ADFSL)


The extraction of the user activity is one of the main goals in the analysis of digital evidence. In this paper we present a methodology for extracting this activity by comparing multiple Restore Points found in the Windows XP operating system. The registry copies represent a snapshot of the state of the system at a certain point in time. Differences between them can reveal user activity from one instant to another. The algorithms for comparing the hives and interpreting the results are of high complexity. We develop an approach that takes into account the nature of the investigation and the characteristics of the hives to reduce the complexity of the comparison and result interpretation processes. The approach concentrates on hives that present higher activity and highlights only those differences that are relevant to the investigation. The approach is implemented as a software tool that is able to compare any set of offline hives and categorise the results according to the user needs. The categorisation of the results, in terms of activity will help the investigator in interpreting the results. In this paper we present a general concept of result categorisation to prove its efficiency on Windows XP, but these can be adapted to any Windows versions including the latest versions.


Bunting, S. (2008) University of Delaware Police Computer Forensics Lab. Restore Point Forensics. URL, Accessed Mar 2009.

Carvey, H. (2005). “The Windows Registry as a Forensic Resource”. Digital Investigation, 2(3), pp201-205

Carvey, H. (2006). “Restore Point Forensics”. URL http://windowsir.blogspot.com/2006/10/restore-point-forensics.html, Accessed Mar 2009.

Carvey, H. (2007). “Registry Analysis”, in Windows Forensic Analysis DVD Toolkit. Syngress Press, pp125-189 DameWare (Ver6.0). (2008)

Dame Ware Development. URL http://www.dameware.com. Accessed: Mar 2009.

Encase (Ver6.8) (2008) Guidance Software Digital Investigations URL http://www.guidancesoftware.com/. Accessed Mar 2009.

ForensicMatter (2008). Forensicmatter.com: Registry Hives. Available at URL http://www.forensicsmatter.com/registry_hives.php. Accessed Mar 2009.

FTK (Ver1.62.1) (2008) Access Data, URL http://www.accessdata.com/. Accessed Mar 2009.

Harms, K. (2006). “Forensic Analysis of System Restore Points in Microsoft Windows XP”. Digital Investigation, 3(3), pp151-158

Honeycutt, J. (2002) Microsoft Windows XP Registry Guide. Microsoft Press

Microsoft (2007). “Monitored File Extensions”. URL http://msdn.microsoft.com/en-us/library/aa378870(VS.85).aspx. Accessed Mar 2009.

Microsoft (2008). “How to use WinDiff to Compare Registry Files”. URL http://support.microsoft.com/kb/171780. Accessed Mar 2009.

Morgan, T.D. (2008) “Recovering Deleted Data from the Windows Registry”. Proceedings of Digital Forensic Research Workshop 2008, pp33-42

RegDiff (Ver3.3). Available at URL http://p-nandq.com/download/regdiff.html. Accessed Mar 2009.

Russinovich, M. (2008) “Inside the registry”. URL http://technet.microsoft.com/en-gb/library/cc750583.aspx. Accessed Mar 2009

Y. Kim et al (2008) “Suspects' Data Hiding at Remaining Registry Values of Uninstalled Programs”. Proc. Of The 1st Int. Conference on Forensic Applications And Techniques In Telecommunications, Information, And Multimedia And Workshop, 2008.

WinDiff (Ver5.1) (2001). Microsoft, Available at URL http://www.grigsoft.com/download-windiff.htm. Accessed Mar 2009




To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.