Thursday, September 08, 2005

The Windows Registry as a Forensic Resource

The subject article is now online at ScienceDirect. I wrote this article back in July. In the article, I walk through some of the basics of the Registry and its structure, and then get into where the investigator can look in the Registry for certain information that may help with a case.

Besides addressing autostart locations, the article also discusses Registry entries that pertain to USB removable storage devices and the key/values that contain information on wireless SSIDs that the system has connected to.

Comments are welcome and appreciated.

5 comments:

Anonymous said...

Harlan,
Science Direct and Digital Investigation aren't available to the public. It's not a free journal, so a lot of people won't be able to read your article. Is there any way you can make it available elsewhere?

H. Carvey said...

Hogfly,

Are you unable to reach the article? I don't have any kind of account to log into the Science Direct site...are you unable to reach it?

Anonymous said...

I get this message:
The article from Digital Investigation is not included in your institution's subscription. You may be able to access this article using your institution's agreement with ScienceDirect by clicking the continue button.

I click continue, and I get this:
Error 500:

and that's it. I'll try it from a different netblock later.

Anonymous said...

I had a friend try it, and it said they had to pay $30 for it.

H. Carvey said...

That's odd...I can get it from work, as well as from home, no trouble. Different browsers, flushed cache, etc...it all works fine.

I'll see what I can do to locate the article on my hard drive, and post it.