Forensics visualization of Windows 10 registry

The increase with the volume of data created in digital devices has make the process of evidences analysis become difficult especially for forensic investigator. In addition, most of the existing forensic tools nowadays not all able to provide good visualization of registry information. Some of tools only able to provide the list of data but not the actual information that needed by forensic investigator. For example, Registry Viewer product of Forensic Toolkit (FTK) can display all the content of registry file but not all of the data can be view as it in hexadecimal. RegRipper tool also only provides the information of registry file in a textual result. The functions in these forensic tools not suitable if handling large number of data. Moreover, it will only cause mental fatigue for investigator if there is more than one computer they need to analyse. In this paper, a visualization forensics tool is proposed to help making the forensic analysis process become easy and faster. Proposed tool will cover the functions that the existing forensics tools do not have, especially in the visualization part. It is developed to cater for the Windows forensics in the analysis of registry hive files. Moreover, proposed tool trusted able to provide single representation of all registry hive files in one page.

Text FSKTM 2019 31 IR.pdf Download (1MB)

Actions (login required)

View Item