The Association of Digital Forensics, Security and Law (ADFSL)


Recently, it has been shown that deleted entries of the Microsoft Windows registry (keys) may still reside in the system files once the entries have been deleted from the active database. Investigating the complete keys in context may be extremely important from both a Forensic Investigation point of view and a legal point of view where a lack of context can bring doubt to an argument. In this paper we formalise the registry behaviour and show how a retrieved value may not maintain a relation to the part of the registry it belonged to and hence lose that context. We define registry orphans and elaborate on how they can be created inadvertently during software uninstallation and other system processes. We analyse the orphans and attempt to reconstruct them automatically. We adopt a data mining approach and introduce a set of attributes that can be applied by the forensic investigator to match values to their parents. The heuristics are encoded in a Decision Tree that can discriminate between keys and select those which most likely owned a particular orphan value.


Carvey, H. (2005) “The Windows Registry as a forensic resource”, Digital Investigation, Vol 2 (Issue 3) p201–205, 2005.

B. D. (2009) ‘Registry File Format’, http://home.eunet.no/pnordahl/ntpasswd/WinReg.txt. visited Feb 2009.

Farmer, D.J. and Burlington V. (2009) ‘A Forensic Analysis of the Windows Registry’, http://eptuners.com/forensics/Registry_Forensics.pdf, visited Jan 2009.

Han, J. and Kamber, M. (2006) ‘Data Mining: Concepts and Techniques’, Morgan Kaufmann, 2nd edition, 2006.

Hargreaves, C. et al. (2008), “Windows Vista and Digital Investigations”, Digital Investigation, Vol 5 (Issue 1), p34 – 48, 2008.

Honeycutt, J. (2002) ‘Microsoft Windows XP Registry Guide’, Microsoft Press, 2002.

JavaCoolSoftware. (2009) ‘MRU-Blaster’, http://www.javacoolsoftware.com/mrudownload.html, visited Jan 2009.

Kahvedžić, D. and Kechadi, T. (2008). ‘Extraction of User Activity through Comparison of Windows Restore Points’, SECAU08, 6th Australian Digital Forensics Conference, Dec 2008, Perth, Australia.

Kahvedžić, D. and Kechadi, T. (2008)ii. “Extraction and Catagorisation of User Activity from Windows Restore Points”, JDFSL: Journal of Digital Forensics, Security and Law, Vol4 (Issue4) (to be published).

Kahvedžić, D. and Kechadi, T. (2009). ‘On the Persistence of Deleted Windows Registry Data Structures’, 24th Annual ACM Symposium on Applied Computing, March 2009, Hawaii, USA.

Morgan, T. D. (2008) ‘Recovering Deleted Data From the Windows Registry’, Digital Forensic Research Workshop, Aug 2008, Baltimore, USA.

RealNetworks. (2009). ‘Real Player 11 Basic’, http://europe.real.com/player/win/. visited Jan 2009.

Registry Hives. (2008) ‘Forensicmatter.com: Registry Hives’, http://www.forensicsmatter.com/registry hives.php, visited Feb 2009.

Rubenking. N. J. (2009) ‘Unclean 2’, http://www.pcmag.com/article2/0,1759,1159867,00.asp. visited Jan 2009.

Russinovich. M. (2009) ‘Inside the registry’, http://technet.microsoft.com/engb/library/cc750583.aspx. visited Jan 2009.

SWGDE (2009), ‘Technical Notes on Microsoft Vista (submitted for review)’, Scientific Working Group on Digital Evidence, Journal of Digital Forensics, Security and Law, Vol. 4(2) 56 http://www.swgde.org/documents.html, visited Feb 2009.

Wong, L. W. (2009) ‘Forensic Analysis of the Windows Registry’, http://www.forensicfocus.com/forensic-analysis-windows-registry, visited Jan 2009.




To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.