Windows Registry Forensics Tool

  • Khawla Alghafli

Student thesis: Master's Thesis


The recovery of digital evidence of computer crimes from storage media is a time consuming process as the capacity of storage media is in constant growth. Also it is a difficult and complex task if the forensics investigator tries to analyze all of the locations in the storage media. Thus, it may lead to delays in prosecution of suspects in the court. The idea of this project is to limit the forensics analysis of storage media to locations that are most likely to contain some digital evidence. Consequently, the forensic analysis process and recovery of digital evidence will require less time than usually required and there will be no subsequent delay in the prosecution process in the court because the forensics investigator is still analyzing the digital media. The forensics analysis and the recovery of digital evidence in this project are limited to the locations that contain Windows Registry files. The aim of this project is to identify elements within Windows Registry that would be valuable to forensics investigators, and then to develop a forensics tool to extract these elements.
Date of AwardSep 2010
Original languageAmerican English
SupervisorAndrew Jones (Supervisor)


  • Windows; Registry; Investigation; Forensics Analysis; Digital Media.

Cite this