JOURNAL OF SHANDONG UNIVERSITY (NATURAL SCIENCE), 2016, Vol. 51, Issue 9: 127-136. doi: 10.6040/j.issn.1671-9352.2.2015.140


A forensic analysis algorithm of registry reverse reconstruction based on physical memory

GAO Yuan-zhao (1,2), LI Bing-long (1,2; corresponding author), WU Xi-xi (1,2)

  1. College Four of the PLA Information Engineering University, Zhengzhou 450001, Henan, China;
  2. State Key Laboratory of Digital Engineering and Advanced Computing, Zhengzhou 450001, Henan, China
  Received: 2015-09-21; Online: 2016-09-20; Published: 2016-09-23

Abstract: Reconstructing and analyzing the registry is one of the most important and most difficult tasks in Windows physical memory forensics. By analyzing the logical structure of the registry hive files on disk and examining, with the Windows debugging tools, how the registry's data structures appear in physical memory, we propose a definite method for locating the physical addresses of registry data in memory. Building on the tree relationship between registry keys, we then design a registry reconstruction algorithm and implement a Graphviz-based dendrogram visualization of the reconstructed registry. Experiments show that the names and values of registry entries can be reconstructed, that the virus present on the system can be identified from the recovered entries, and that the process and results of the infection can be displayed through the registry visualization.

Key words: registry forensics, reverse analysis, virus detection, visualization, physical memory

CLC Number: TP311