Windows Registry Forensics: An Imperative Step in Tracking Data Theft via USB Devices

Tanushree Roy, Aruna Jain
Department of I.T., Birla Institute of Technology, Mesra, Ranchi, India

Abstract— Owing to the increasing pace at which crimes occur in the digital world, cyber forensic investigation is becoming a burning topic in the field of information security. The Registry is an important location in a Windows system that contains footprints of user activities and other configuration data, which may be valuable to forensic investigators in collecting potential evidence from the system. This work aims to point out the significance of Registry analysis, and attempts to answer why it should be carried out as part of a digital forensic investigation by demonstrating the role played by the Registry in tracking data theft from a system to external USB devices.

Keywords— Forensic Analysis, Registry Analysis, Tracking Data Theft, USB Footprints, Windows Forensics.

I. INTRODUCTION

In recent years, with the development of Information and Communication Technology (ICT) and the rise in Internet usage, society's dependence upon computers has been increasing rapidly. With this growth of technology, the world is also seeing a substantial rise in abuse of various kinds conducted with, through or by technology. According to the Norton Cyber Crime Report 2011 by Symantec Corporation [9], about 1 million cyber crimes occur every day across the globe. According to the same report, the total number of victims in India is 29.9 million, which is approximately 80% of the country's online adults. This increasing abuse is attributed to existing security procedures that have yet to mature and to the persistent reluctance among users to employ security methods as an integral part of the whole system. As a result, cyber crimes are increasing, and cyber criminals are growing in sophistication, as technology is a boon for them too.
Thus, it becomes exceptionally critical for law enforcement officers and incident responders to understand computer systems and be able to examine them effectively and efficiently. Cyber forensics is the branch of science that serves investigators as a tool for investigating a computer system or network alleged to be involved in criminal activity, and for gathering artifacts that may be used as evidence in the case and presented in a court of law. Due to its effective GUI and ease of use, Microsoft Windows is one of the most popular operating systems and is, unfortunately, the most attacked one too. As the Windows source code is unavailable, forensic analysis of Windows systems becomes a challenging task for investigators. The Registry is one of the areas in a Windows system where evidence can be found. This work aims to point out the importance of the Registry analysis process carried out on Windows systems as part of a digital forensic investigation in today's scenario. An offline registry parser developed as part of this work is used to generate registry keys from registry hives extracted from the hard disk during post-mortem analysis.

In this information age, ownership of intellectual property is very precious and prized. Theft of intellectual property is one of the major issues of concern, and can become a problem not only for an individual but for a whole organization. USB ports, as well as other ports that permit one to attach a removable storage device, can act as a ready means to steal classified information. Any user with a removable USB drive can attach the device to the system and copy critical information. In this paper we discuss how, by means of a careful investigation of the Registry files, data transfer to USB devices can be identified.
We begin by summarizing the work done by various researchers in Section 2, and explain the structure of the Windows Registry and how the Registry tree structure is parsed from the hive file in offline mode in Section 3. In Section 4 we briefly discuss the footprints left on the system and in the Registry when a USB device is connected. We finally show how to proceed in a case involving data transfer from the system to USB through Registry analysis.

II. RELATED WORK

Over the past years it has become absolutely clear that the Registry in Windows systems contains an ample amount of information for the use of incident responders and forensic analysts alike. A great deal of information on how to interpret various Registry data and settings has been provided by Carvey [1], Wong [13] and Farmer [4]. As illustrated by Carvey, "Registry data consists of a wealth of information that the investigator can make use of to make up his case". Kim et al. [6] have listed some registry keys that an investigator must check during an investigation. Chang et al. [2] have shown how to proceed in an investigation involving Windows systems, and listed some of the registry areas that need attention in the preliminary stages. Additional areas vital from a forensic viewpoint apart from the Registry in Windows systems, such as event logs, RAM, the pagefile and slack space, have been noted by Dashora et al. [3]. Manchanda et al. [7] have illustrated how the last-write times associated with every Registry key can be useful in generating a forensic timeline of the events that have occurred on a system. Documentation regarding the Registry's internal structure has been provided in detail by Russinovich [10]. Morgan [8] provided a comprehensive description of the Registry's internal data structures and format, which is helpful in generating the registry tree from hive files.

Tanushree Roy et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (3) , 2012, 4427- 4433 4427
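The two ideas the paper builds on here, walking the key tree out of a raw hive file in offline mode and turning each key's last-write time into a timeline, can be shown in a few dozen lines. The following Python is an added illustration written for this page; it is not the offline parser the authors developed, and it follows the publicly documented hive format (the "regf" header with the root-cell offset at 0x24, cells starting 4096 bytes in, negative cell sizes for allocated cells, "nk" key nodes with the FILETIME last-write stamp at data offset 4, and lf/lh/li/ri subkey lists). The sample hive it parses is constructed in `build_sample_hive()` and contains only the fields this parser reads; its key names and timestamps are invented for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000   # hive bins (the cell data) begin right after the 4096-byte "regf" header
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def cell_payload(hive, offset):
    """Data of the cell at hbin-relative offset, with the 4-byte size header stripped."""
    abs_off = HBIN_BASE + offset
    size = struct.unpack_from("<i", hive, abs_off)[0]
    if size >= 0:                      # a positive size marks a free (unallocated) cell
        raise ValueError(f"cell at {offset:#x} is unallocated")
    return hive[abs_off + 4:abs_off - size]

def parse_nk(hive, offset):
    """Key node ('nk') cell -> (name, last-write FILETIME, subkey count, subkey-list offset)."""
    d = cell_payload(hive, offset)
    if d[:2] != b"nk":
        raise ValueError(f"cell at {offset:#x} is not a key node")
    flags = struct.unpack_from("<H", d, 0x02)[0]
    last_write = struct.unpack_from("<Q", d, 0x04)[0]
    n_subkeys = struct.unpack_from("<I", d, 0x14)[0]
    list_off = struct.unpack_from("<I", d, 0x1c)[0]
    name_len = struct.unpack_from("<H", d, 0x48)[0]
    # flag 0x20 = "compressed" (8-bit) name; otherwise the name is stored as UTF-16LE
    name = d[0x4c:0x4c + name_len].decode("latin-1" if flags & 0x20 else "utf-16-le")
    return name, last_write, n_subkeys, list_off

def subkey_offsets(hive, list_off):
    """Expand a subkey list: lf/lh hold (offset, hash) pairs, li holds offsets, ri is a list of lists."""
    d = cell_payload(hive, list_off)
    sig, count = d[:2], struct.unpack_from("<H", d, 0x02)[0]
    if sig in (b"lf", b"lh"):
        return [struct.unpack_from("<I", d, 4 + 8 * i)[0] for i in range(count)]
    if sig == b"li":
        return [struct.unpack_from("<I", d, 4 + 4 * i)[0] for i in range(count)]
    if sig == b"ri":
        return [o for i in range(count) for o in subkey_offsets(hive, struct.unpack_from("<I", d, 4 + 4 * i)[0])]
    raise ValueError(f"unknown subkey list type {sig!r}")

def walk_keys(hive, offset=None, path=""):
    """Yield (full key path, last-write FILETIME) for every key from the root down, depth first."""
    if offset is None:
        offset = struct.unpack_from("<I", hive, 0x24)[0]   # root key offset lives in the regf header
    name, last_write, n_subkeys, list_off = parse_nk(hive, offset)
    full = f"{path}\\{name}" if path else name
    yield full, last_write
    if n_subkeys:
        for sub in subkey_offsets(hive, list_off):
            yield from walk_keys(hive, sub, full)

def key_timeline(hive):
    """All keys ordered by last-write time: the raw material of a Registry-based forensic timeline."""
    return sorted((filetime_to_datetime(lw), path) for path, lw in walk_keys(hive))

def build_sample_hive():
    """Constructed, synthetic hive (not from any real system): ROOT -> USBSTOR (2 devices), MountedDevices.
    Only the header fields this parser reads are filled in."""
    cells = []
    def append(payload):                       # lay a cell down and return its hbin-relative offset
        off = 0x20 + sum(len(c) for c in cells)   # first cell follows the 32-byte hbin header
        total = 4 + len(payload)
        total += (-total) % 8                  # cells are padded to 8-byte boundaries
        cells.append(struct.pack("<i", -total) + payload.ljust(total - 4, b"\0"))
        return off
    def key(name, when, children=()):
        child_offs = [key(*c) for c in children]   # children are laid out before their parent
        list_off = 0xFFFFFFFF
        if child_offs:
            lf = b"lf" + struct.pack("<H", len(child_offs))
            for off, child in zip(child_offs, children):
                lf += struct.pack("<I", off) + child[0][:4].ljust(4).encode("latin-1")
            list_off = append(lf)
        nk = bytearray(0x4c)
        nk[0:2] = b"nk"
        struct.pack_into("<H", nk, 0x02, 0x20)        # compressed (8-bit) name
        struct.pack_into("<Q", nk, 0x04, datetime_to_filetime(when))
        struct.pack_into("<I", nk, 0x14, len(child_offs))
        struct.pack_into("<I", nk, 0x1c, list_off)
        struct.pack_into("<H", nk, 0x48, len(name))
        return append(bytes(nk) + name.encode("latin-1"))
    root_off = key("ROOT", datetime(2012, 1, 10, 8, 0, tzinfo=timezone.utc), [
        ("USBSTOR", datetime(2012, 3, 2, 14, 5, tzinfo=timezone.utc), [
            ("Disk&Ven_ExampleA&Prod_Stick", datetime(2012, 2, 1, 9, 30, tzinfo=timezone.utc)),
            ("Disk&Ven_ExampleB&Prod_Stick", datetime(2012, 3, 2, 14, 5, tzinfo=timezone.utc)),
        ]),
        ("MountedDevices", datetime(2012, 3, 2, 14, 5, 30, tzinfo=timezone.utc)),
    ])
    hbin = (b"hbin".ljust(0x20, b"\0") + b"".join(cells)).ljust(4096, b"\0")
    header = (b"regf".ljust(0x24, b"\0") + struct.pack("<I", root_off)).ljust(4096, b"\0")
    return header + hbin
```

Running `key_timeline(build_sample_hive())` lists the five keys in last-write order, which is exactly the view an investigator wants when a USBSTOR device key and its parent share a timestamp: the parent key's last-write time is refreshed when a subkey is added, so the two stamps together bracket the moment the device was first enumerated. On a real hive the same walker is pointed at a SYSTEM or NTUSER.DAT file read from the disk image; the free-cell check in `cell_payload` matters there, because deleted keys linger in unallocated cells and a parser must not follow stale offsets into them by accident.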