USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
This paper describes the structure of the Windows registry as it is stored in physical memory. We present tools and techniques that can be used to extract this data directly from memory dumps. We also provide guidelines to aid investigators and experimentally demonstrate the value of our techniques. Finally, we describe a compelling attack that modifies the cached version of the registry without altering the on-disk version. While this attack would be undetectable with conventional on-disk registry analysis techniques, we demonstrate that such malicious modifications are easily detectable by examining memory.