1st International ICST Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia

Research Article

Suspects' data hiding at remaining registry values of uninstalled programs

@INPROCEEDINGS{10.4108/e-forensics.2008.33,
    author={Youngsoo Kim and Sangsu Lee and Dowon Hong},
    title={Suspects' data hiding at remaining registry values of uninstalled programs},
    proceedings={1st International ICST Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia},
    publisher={ACM},
    proceedings_a={E-FORENSICS},
    year={2010},
    month={5},
    keywords={Digital Forensics; Windows Registry; Data hiding},
    doi={10.4108/e-forensics.2008.33}
}

Youngsoo Kim1,*, Sangsu Lee2,*, Dowon Hong3,*
  • 1: ETRI, 161 Gajeong-dong, Yuseong-gu, Daejeon, KOREA. +82-42-860-5856
  • 2: ETRI, 161 Gajeong-dong, Yuseong-gu, Daejeon, KOREA. +82-42-860-1613
  • 3: ETRI, 161 Gajeong-dong, Yuseong-gu, Daejeon, KOREA. +82-42-860-6147
*Contact email: blitzkrieg@etri.re.kr, sangsu@etri.re.kr, dwhong@etri.re.kr

Abstract

The Windows registry, a central repository for configuration data, should be examined when collecting forensic evidence, since it holds a great deal of information of potential evidential value. Using forensic tools, examiners can inspect registry values and obtain information that can serve as evidence. However, because the registry contains a huge number of values and users can modify them, a suspect can hide a secret such as a password in registry values. In particular, registry values that remain after a program is uninstalled are an attractive place to hide a suspect's secret without the examiner noticing, since examiners are generally interested in which programs were removed rather than in the registry values those programs left behind. In this paper, we briefly extract the registry entries relevant to forensic analysis on Windows XP and list the considerations for hiding secrets in the registry from the suspect's viewpoint. We then examine the registry values left behind by specific uninstalled programs and show that countermeasures are needed.
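The check the abstract calls for, examining the registry values left behind by uninstalled programs, can be scripted offline against a `reg export` file. The following is an added example written for this page, not a tool from the paper or its authors. It assumes the Windows Registry Editor Version 5.00 text format as input, uses the Uninstall key as the record of still-installed programs, treats a small allowlist of vendor keys (Microsoft, Classes, Policies, Wow6432Node) as belonging to Windows itself, and flags values in orphaned application keys whose content is long and near maximum entropy. The sample export, the program names in it and the thresholds are constructed for illustration.

```python
"""Offline triage of a Windows registry export (.reg, "Windows Registry Editor
Version 5.00" syntax) for keys left behind by uninstalled programs and for
values in them whose content looks like hidden data.
Example code added to this page; not the paper's tool."""
import math
import re
from collections import Counter

# Where per-application keys live, and vendor keys that belong to Windows
# itself rather than to a third-party program (assumption: a short allowlist).
APP_ROOTS = (r"HKEY_CURRENT_USER\Software", r"HKEY_LOCAL_MACHINE\Software")
OS_VENDORS = {"microsoft", "classes", "policies", "wow6432node"}
UNINSTALL_MARK = "\\currentversion\\uninstall\\"  # Add/Remove Programs entries

# Constructed sample export: Notepad++ is still installed (it has an Uninstall
# entry); "AcmeTorrent" (hypothetical name) was uninstalled but left its keys
# behind, and two of the leftover values hold random-looking data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NotepadPlus]
"DisplayName"="Notepad++"
"InstallLocation"="C:\\Program Files\\Notepad++"

[HKEY_CURRENT_USER\Software\Notepad++]
"Version"="7.9.1"

[HKEY_CURRENT_USER\Software\AcmeTorrent]
"Window"="640x480"
"LastSession"="default-default-default"
"Runs"=dword:0000002a
"Cache"="kX9vQ2mL7pZ4aR8tY1wE3sD6fG0hJ5nB"

[HKEY_CURRENT_USER\Software\AcmeTorrent\Settings]
"Seed"=hex:9f,3a,c4,e1,07,5b,d2,88,\
  16,f0,2d,6c,a9,43,be,71
"""


def _normalize(name: str) -> str:
    """Lower-case alphanumerics only, so 'Notepad++' and 'NotepadPlus' compare."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def _parse_data(raw: str):
    """Return (registry type, data) for the right-hand side of a .reg value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(m.group(1), "REG_BINARY")
        return kind, bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
    raise ValueError(f"unsupported value syntax: {raw!r}")


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: (type, data)}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\"):            # hex data continued on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            raise ValueError(f"cannot parse line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        keys[current][name] = _parse_data(m.group(2))
    return keys


def installed_programs(keys: dict) -> set:
    """Normalized names of programs that still have an Uninstall entry."""
    names = set()
    for path, values in keys.items():
        if UNINSTALL_MARK in path.lower():
            names.add(_normalize(path.rsplit("\\", 1)[1]))
            names.add(_normalize(values.get("DisplayName", ("REG_SZ", ""))[1]))
    return {n for n in names if n}


def app_of(path: str):
    """Top-level vendor/product key name under a per-application root, else None."""
    for root in APP_ROOTS:
        if path.lower().startswith(root.lower() + "\\"):
            first = path[len(root) + 1:].split("\\", 1)[0]
            return None if _normalize(first) in OS_VENDORS else first
    return None


def orphan_app_keys(keys: dict, installed: set) -> set:
    """Application keys with no matching installed program: leftovers of uninstalls."""
    def still_installed(app):
        n = _normalize(app)
        return any(n == i or (min(len(n), len(i)) >= 4 and (n in i or i in n)) for i in installed)
    return {a for a in {app_of(p) for p in keys} - {None} if not still_installed(a)}


def entropy_ratio(data) -> float:
    """Shannon entropy of data over the maximum possible for its length and alphabet."""
    symbols, alphabet = list(data), (95 if isinstance(data, str) else 256)
    n = len(symbols)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())
    return h / math.log2(min(alphabet, n))


def find_hidden_data(reg_text: str, min_len: int = 16, min_ratio: float = 0.9) -> list:
    """Values in orphaned application keys that are long and near maximum entropy."""
    keys = parse_reg_export(reg_text)
    orphans = orphan_app_keys(keys, installed_programs(keys))
    findings = []
    for path, values in keys.items():
        if app_of(path) not in orphans:
            continue
        for name, (kind, data) in values.items():
            if kind == "REG_DWORD" or len(data) < min_len:
                continue
            ratio = entropy_ratio(data)
            if ratio >= min_ratio:
                findings.append({"key": path, "value": name, "type": kind,
                                 "length": len(data), "entropy_ratio": round(ratio, 3)})
    return findings


if __name__ == "__main__":
    for f in find_hidden_data(SAMPLE_REG):
        print(f"{f['type']:<10} {f['length']:>3}B ratio={f['entropy_ratio']}  {f['key']} -> {f['value']}")
```

On a live Windows XP (or later) system the input is produced with `reg export HKCU\Software out.reg` and the same for HKLM. The entropy threshold is only a triage heuristic: a suspect who encodes the secret in low-entropy form (words, repeated padding, a format that mimics the program's own settings) will not be flagged, so the orphan-key list itself, that is every application key with no matching Uninstall entry, is the part an examiner should review by hand, and the entropy score only orders that review.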