Windows 7 Registry Forensics: Part 2

Article Posted: December 14, 2011

System Restore and Restore Points
Many forensic examiners are not familiar with the Registry or its forensic importance. One way to gain first-hand knowledge is to explore the Registry on a live computer that is not itself evidence. Before doing so, a word of caution is in order: any change made to the Registry, whether intentional or accidental, can affect the computer’s functionality, so a Restore Point should be created before exploration begins. System Restore, which Windows uses to create and save Restore Points automatically (on a schedule and before events such as driver installations and Windows updates), can also create a Restore Point on demand. It is important to note that System Restore neither backs up nor recovers personal files. Its function is to create Restore Points, which are backups of the Registry, most drivers, and system files with certain extensions such as .exe and .dll. On Windows 7 each Restore Point is kept as a Volume Shadow Copy of the protected volume, a detail that matters for the forensic discussion later in this article. The following steps create a Restore Point:

  • Click the “Start” button. Right-click on “Computer” and then click “Properties.”
  • In the left pane under “Control Panel Home” click on “System Protection.”
  • When the “System Properties” dialog box appears, click on the “System Protection” tab.
  • Click on “Create.” The “Create a Restore Point” dialog box appears. Enter a name for the Restore Point and click “Create.” After the Restore Point has been created, close the dialog boxes.

Restore Points are extremely beneficial because they can return a computer to an earlier point in time. This becomes particularly important when a computer stops functioning correctly after a new application, a software update, or a driver has been installed. Uninstalling the offending software often corrects the problem; in some instances, however, pieces of it remain scattered in different locations and continue to affect the computer’s functionality. When this occurs, it becomes necessary to restore the computer to an earlier point when it was functioning correctly. The following steps restore a computer:

  • Click the “Start” button. Right-click on “Computer” and then click “Properties.”
  • In the left pane under “Control Panel Home” click on “System Protection.”
  • When the “System Properties” dialog box appears, click on the “System Protection” tab.
  • Click on “System Restore.” In the “System Restore” dialog box click “Next.” Select a Restore Point and then click “Next.”
  • Confirm the Restore Point, and then click “Finish.” This should restore the selected Windows 7 configuration and then restart the computer.
  • Log on to the computer and when the “System Restore” confirmation page appears, click “OK.”
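The two dialog-box procedures above (creating a Restore Point, and restoring the computer to one) can also be driven from an elevated Windows PowerShell prompt. The following is an added example, not code from the original article; it uses the System Restore cmdlets that ship with Windows 7 (Windows PowerShell 2.0), and the drive letter and the Restore Point description are assumptions.

```powershell
# Added example (not from the original article): create, list and restore
# to a Restore Point with the Windows 7 System Restore cmdlets.
# Run as Administrator. Drive letter and description are assumptions.

$drive = 'C:\'

# System Protection must be enabled on the drive or Checkpoint-Computer fails.
Enable-ComputerRestore -Drive $drive

# Equivalent of the "Create" button on the System Protection tab.
Checkpoint-Computer -Description 'Before Registry exploration' `
                    -RestorePointType MODIFY_SETTINGS

# Verify that it exists rather than assuming success. CreationTime is a WMI
# timestamp string; ConvertToDateTime turns it into a readable DateTime.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# Equivalent of "System Restore" > select a Restore Point > "Finish".
# Restore-Computer restarts the machine; -Confirm prompts before it does.
$rp = Get-ComputerRestorePoint |
    Where-Object { $_.Description -eq 'Before Registry exploration' } |
    Select-Object -Last 1
Restore-Computer -RestorePoint $rp.SequenceNumber -Confirm

# After the reboot, the outcome of the last restore operation is available here.
Get-ComputerRestorePoint -LastStatus
```

RestorePointType is reported as a numeric code; the Restore Points that System Restore creates for itself just before carrying out a restore (the ones discussed in the next section) appear in this list alongside the user-created one, which is how an examiner can tell that a rollback has taken place.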

Restore Points themselves can be of forensic importance because they are snapshots of a computer’s Registry and system files. For instance, suppose a user creates a Restore Point, installs hacking software on his computer, uses it to break into a remote system and perform a malicious act, and then restores the computer to the earlier Restore Point. Evidence of the hacking software installation would not be found in the currently mounted Registry, but it would still be present in the Registry hives captured by a Restore Point. This is because, before reverting to the selected Restore Point, System Restore first creates another Restore Point that captures the current state of the system, so that the restore itself can be undone. That Restore Point contains the Registry as it existed at the time of the malicious act. On Windows 7 these snapshot hives sit inside the Volume Shadow Copy at their normal paths (Windows\System32\config), not in the _restore{GUID}\RPnn\snapshot folders that Windows XP used. One caveat: Restore Points are not permanent. They are deleted when the disk space allotted to System Protection fills up, when System Protection is turned off for the volume, or when a user deliberately removes them, so the hives should be extracted from the snapshot before the system is used any further.
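The following is an added example, not code from the original article, of how an examiner can pull the Registry hives out of a Windows 7 Restore Point and compare the snapshot’s list of installed programs with the live Registry, so that an installation removed by a later System Restore shows up. It assumes an elevated prompt on the examined system (or on a mounted image whose shadow copies are intact); the working directory C:\case and the link name C:\shadow_rp are assumptions.

```powershell
# Added example (not from the original article): extract the Registry hives
# from a Windows 7 Restore Point (a Volume Shadow Copy) and list the programs
# present in the snapshot but absent from the live Registry.
# Run as Administrator. Working directory and link name are assumptions.

$work = 'C:\case'
$link = 'C:\shadow_rp'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Windows 7 keeps Restore Points as shadow copies; pick the most recent one.
$shadow = Get-WmiObject Win32_ShadowCopy |
    Sort-Object { $_.ConvertToDateTime($_.InstallDate) } |
    Select-Object -Last 1
'Using shadow copy {0} created {1}' -f $shadow.ID,
    $shadow.ConvertToDateTime($shadow.InstallDate)

# Expose the snapshot through a directory symbolic link. The trailing
# backslash on the device path is required for mklink to resolve it.
cmd /c mklink /d $link ($shadow.DeviceObject + '\')

# Inside the snapshot the hives are ordinary, unlocked files at their usual
# paths. Both are copied out for later analysis; only SOFTWARE is examined here.
foreach ($hive in 'SOFTWARE', 'SYSTEM') {
    Copy-Item (Join-Path $link "Windows\System32\config\$hive") `
              (Join-Path $work "$hive.rp")
}
cmd /c rmdir $link

# Mount the snapshot SOFTWARE hive under a temporary key so it can be read
# side by side with the live HKLM\SOFTWARE.
reg load HKLM\RP_SOFTWARE (Join-Path $work 'SOFTWARE.rp') | Out-Null

$uninstall = 'Microsoft\Windows\CurrentVersion\Uninstall'
$live = Get-ChildItem "HKLM:\SOFTWARE\$uninstall"    | ForEach-Object { $_.PSChildName }
$snap = Get-ChildItem "HKLM:\RP_SOFTWARE\$uninstall" | ForEach-Object { $_.PSChildName }

# '=>' marks keys that exist only in the snapshot: installations that a later
# System Restore (or an uninstall) removed from the live Registry.
Compare-Object -ReferenceObject $live -DifferenceObject $snap |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object {
        $k = Get-ItemProperty "HKLM:\RP_SOFTWARE\$uninstall\$($_.InputObject)"
        '{0}`t{1}`t{2}' -f $_.InputObject, $k.DisplayName, $k.InstallDate
    }

# Release handles to the mounted hive before unloading, or reg unload fails.
[GC]::Collect()
reg unload HKLM\RP_SOFTWARE | Out-Null
```

On 64-bit Windows 7 the same comparison should be repeated for Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, where 32-bit installers register. Running the script against every shadow copy rather than only the newest one gives a timeline of what was installed and when it disappeared.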

Related: Digital Forensic Insider, December 2011/January 2012 issue.