Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


The recovery of digital evidence of crimes from storage media is an increasingly time consuming process as the capacity of the storage media is in a state of constant growth. It is also a difficult and complex task for the forensic investigator to analyse all of the locations in the storage media. These two factors, when combined, may result in a delay in bringing a case to court. The concept of this paper is to start the initial forensic analysis of the storage media in locations that are most likely to contain digital evidence, the Windows Registry. Consequently, the forensic analysis process and the recovery of digital evidence may take less time than would otherwise be required. In this paper, the Registry structure of Windows 7 is discussed together with several elements of information within the Registry of Windows 7 that may be valuable to a forensic investigator. These elements were categorized into five groups which are system, application, networks, attached devices and the history lists. We have discussed the values of identified elements to a forensic investigator. Also, a tool was implemented to perform the function of extracting these elements and presents them in usable form to a forensics investigator.


(November 2009). An on the Scene Reference for First Responders. The National Institute of Justice.

Carvey, H., & Kleiman, D. (2007). Windows Forensic Analysis. Syngress Publishing.

Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7. (2010, February 12). Retrieved August 5, 2010, from securitybananas.com: http://securitybananas.com/?p=225

Dwyer, P. c. (2010, March 19). Cyber Crime in the middle east.

Farmer, D. J. (2008). A Windows Registry Quick-Reference.

Forrest, P., Denham, D., Prevost, S., & Klein, T. (2010, October 29). Starup Application list. Retrieved November 1, 2010, from SYSINFO: http://www.sysinfo.org/startuplist.php

Honeycutt, J. (2005). Microsoft Windows Registry Guide. Microsoft Press.

Kokoreva, O. (2002). Windows XP Registry. A-LIST.

Michael Solomon, D. B. (2005). Computer Forensics, jump start. SYBEX.

Microsoft Computer Dictionary. (2002).Microsoft Press.

MSN:P2P/Msnobj Description. (2009, June 22). Retrieved June 22, 2010, from OpenIM wiki: http://imfreedom.org/wiki/MSN:P2P/Msnobj_Description

RegistryKey Methods. (n.d.). Retrieved August 21, 2010, from MSDN: http://msdn.microsoft.com/enus/library/microsoft.win32.registrykey_methods.aspx

Solomon, M., Barrett, D., & Broom, N. (2005). In Computer Forensics JumpStart (pp. 73-155). SYBEX.

Thomas, P., & Marris, A. (2008). An Investigation into Development of AntiForensic Tool to Obscure USB Flash Drive Device Information on a Windows XP Platform. Third International Annual Workshop on Digital Forensics and Incident Analysis (pp. 60-66). IEEE.

Vacca, J. R. (2010). Computer Forensic, computer crime scene investigation. Charles River Media.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.