Auditing Windows 7 Registry Keys to track the traces left out in copying files from system to external USB Device

Abhijeet Ramani, Somesh Kumar Dewangan
Department of Computer Science and Engineering, CSVTU University, Bhilai, Chhattisgarh
Disha Institute of Management and Technology, Raipur, Chhattisgarh, India

Abstract

Today, in the world of big data, information is critical, and corporate and professional firms are adopting digital forensic techniques to reconstruct the timeline of activities carried out on their systems. Digital forensics is an important subdivision of data and network security. As technology advances, attacks on data are also increasing, and it is very difficult to develop methods that maintain the CIA (Confidentiality, Integrity & Authenticity) security principles. In this paper we describe the importance of the study of computer and digital forensics. The work aims to show the importance of Windows forensic analysis for extracting and identifying hidden information that can serve as evidence of data being copied to external flash drives such as USB storage devices. Windows registry keys can be applied in carrying out this investigation. For simplicity, we refer only to the Windows 7 operating system. Our main focus is on identifying files that may have been copied to external USB mass-storage drives in the absence of the legitimate user. We also show that when certain registry key values are modified, the corresponding functionality behaves differently. The paper briefly introduces the Windows 7 registry structure, which is very useful for a forensic expert carrying out digital forensic analysis.

Keywords: Windows Registry, Windows 7 Forensic Analysis, Windows Registry Structure, Analysing Registry Keys, Tracking Copying of Data from System to USB.
I. INTRODUCTION

A few months back, while installing SQL Server 2008, a message was found: "Windows Restart Required". After restarting, the same message was found again. Things were really getting very tedious. What to do? After continuous hunting for a solution, a method was finally obtained. It showed that the error could be resolved by erasing some data from the Windows registry key "Pending File Operations". After erasing it, the setup was run again under the option "Re-run", and it was really wonderful to see that the installation process was no longer asking for a restart. It made one think about how the things had really worked. What actually is the Windows Registry? What functionality does it provide? What are the attributes of the Windows Registry? This paper is all about the research carried out to know the Windows registry in depth. Can forensic methods be applied to the Windows registry to discover hidden information?

According to Microsoft Knowledge Base (KB) article 256986 [3], the Windows Registry is a "central hierarchical database" intended to store information that is necessary to configure the system for one or more users, applications, and hardware devices. In brief, Windows registry analysis can be applied across a variety of processes and activities: extracting the relevant keys and transforming them into meaningful evidence that traces the user, system, application and network timeline.

In this paper we discuss forensic analysis of the Windows 7 registry. We begin in Section II by summarizing the work of other researchers and the changes that have taken place in the field of forensic investigation. In Section III we cover the basics of the Windows Registry and present the algorithm for tracking data transfer from the system to a USB device. After this we discuss the results obtained, followed by the conclusion and future scope.
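The kind of registry evidence the paper refers to can be illustrated with a small script. The following is an added example and not the paper's own algorithm (which appears in Section III, not reproduced here): it reads two keys that exist on Windows 7, HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, which keeps an entry for every USB mass-storage device the system has enumerated, and HKLM\SYSTEM\MountedDevices, which maps drive letters to device identifiers, and joins them by device serial number. The function names are the example's own, and it is written to run on the PowerShell 2.0 that ships with Windows 7 (so it uses New-Object rather than the newer [pscustomobject] syntax). It assumes it is run from an elevated prompt on the machine under examination.

```powershell
# Added example, not code from the paper. Lists the USB storage devices a
# Windows 7 system has recorded in its registry and the drive letter(s)
# each was assigned. Key paths are the standard ones present on Windows 7.
$UsbStorKey        = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$MountedDevicesKey = 'HKLM:\SYSTEM\MountedDevices'

function Get-UsbStorDevices {
    # Every mass-storage device Windows has ever enumerated over USB leaves a
    # key here, even after it is unplugged. Nothing here says which files
    # were copied; it only proves that a given device was attached.
    if (-not (Test-Path -Path $UsbStorKey)) { return @() }
    foreach ($device in Get-ChildItem -Path $UsbStorKey) {
        # Device key names look like Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00
        $fields = @{}
        foreach ($part in ($device.PSChildName -split '&')) {
            if ($part -match '^(Ven|Prod|Rev)_(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        # Each child key is one physical unit, named by its serial number plus
        # "&0". If the device reports no serial, Windows generates an id whose
        # second character is "&", so such entries cannot identify a unique stick.
        foreach ($instance in Get-ChildItem -Path $device.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            $id    = $instance.PSChildName
            New-Object -TypeName PSObject -Property @{
                Vendor            = $fields['Ven']
                Product           = $fields['Prod']
                Revision          = $fields['Rev']
                SerialNumber      = $id
                SerialIsGenerated = ($id.Length -gt 1 -and $id[1] -eq '&')
                FriendlyName      = $props.FriendlyName
            }
        }
    }
}

function Get-UsbDriveLetterHistory {
    # Each \DosDevices\X: value is REG_BINARY holding a UTF-16LE device path;
    # USB disks appear as _??_USBSTOR#<device>#<serial>&0#{volume-class-guid}
    if (-not (Test-Path -Path $MountedDevicesKey)) { return @() }
    $mounted = Get-ItemProperty -Path $MountedDevicesKey
    foreach ($prop in $mounted.PSObject.Properties) {
        if ($prop.Name -notlike '\DosDevices\*') { continue }
        $text = [System.Text.Encoding]::Unicode.GetString([byte[]]$prop.Value)
        if ($text -match 'USBSTOR#(?<device>[^#]+)#(?<serial>[^#]+)#') {
            New-Object -TypeName PSObject -Property @{
                DriveLetter  = ($prop.Name -replace '^\\DosDevices\\', '')
                Device       = $Matches['device']
                SerialNumber = $Matches['serial']
            }
        }
    }
}

# Join the two views: a device with no drive letter was enumerated but its
# letter mapping has since been overwritten by another device on that letter.
$letters = @(Get-UsbDriveLetterHistory)
Get-UsbStorDevices | ForEach-Object {
    $d = $_
    $hits = @($letters | Where-Object { $_.SerialNumber -eq $d.SerialNumber })
    $joined = @($hits | ForEach-Object { $_.DriveLetter }) -join ','
    $d | Add-Member -MemberType NoteProperty -Name DriveLetter -Value $joined -PassThru
} | Format-Table -Property Vendor, Product, SerialNumber, SerialIsGenerated, DriveLetter, FriendlyName -AutoSize
```

Two caveats for anyone using this in an investigation: the registry cmdlets do not expose a key's last-write timestamp, which is what forensic tools use to date a device's first and last connection, so that part needs a hive parser or a dedicated tool; and, as the comments note, these keys establish that a device was attached and which letter it received, not which files were written to it, which is why the paper goes on to correlate further registry keys in Section III.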
II. RELATED WORK

Over the past several years, with computer crime on the rise, it has become crucial for law enforcement officers and digital forensic examiners to understand computer systems and be able to examine them efficiently and effectively. During the last fifteen years or so, computers have revolutionized the workplace. Information and critical data needed by workers are stored on computers. The operating system allows various security techniques and group policies to be imposed to maintain the CIA (Confidentiality, Integrity & Authenticity) security principles. However, regardless of the policies and rules, it is not easy to uphold the CIA principles, and researchers keep coming up with new ideas to protect critical data. One such technique, forensic analysis of the Windows Registry, has emerged and is becoming a hot topic in the field of network and information security.

Ample information on applying digital forensic analysis to the Windows registry was presented by Carvey [1], who focused on the Windows registry structure and suggested two methods: live analysis and forensic analysis. Farmer [2] introduced the Microsoft Windows Registry database and explained how critically important a registry

Abhijeet Ramani et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 5 (2), 2014, 1045-1052. www.ijcsit.com 1045