Carving the Windows Registry Files Based on the Internal Structure

The Windows registry stores a lot of system information which can be used as forensic evidence. Numerous researchers have worked to interpret the information stored in the registry, but no definitive resource is yet available which describes how to carve the registry files from the raw disk. In this paper, a carving algorithm for the registry files based on the registry file internal structure is described. The carving method can recover the Windows registry files, and the file directory metadata is not available, even if the registry files are fragmented between two HBIN blocks. The experiments demonstrate that our method is effective for carving the Windows registry files with more accuracy than other file carving techniques.