Temporal Analysis of Windows MRU Registry Keys

  • Yuandong Zhu
  • Pavel Gladyshev
  • Joshua James
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 306)


The Microsoft Windows registry is an important resource in digital forensic investigations. It contains information about operating system configuration, installed software and user activity. Several researchers have focused on the forensic analysis of the Windows registry, but a robust method for associating past events with registry data values extracted from Windows restore points is not yet available. This paper proposes a novel algorithm for analyzing the most recently used (MRU) keys found in consecutive snapshots of the Windows registry. The algorithm compares two snapshots of the same MRU key and identifies data values within the key that have been updated in the period between the two snapshots. User activities associated with the newly updated data values can be assumed to have occurred during the period between the two snapshots.


MRU registry keys restore points registry snapshots 


  1. 1.
    H. Carvey, The Windows registry as a forensic resource, Digital Investigation, vol. 2(3), pp. 201–205, 2005.CrossRefGoogle Scholar
  2. 2.
    H. Carvey, Windows Forensic Analysis, Syngress, Burlington, Massachusetts, 2007.Google Scholar
  3. 3.
    B. Harder, Microsoft Windows XP system restore, Microsoft Corporation, Redmond, Washington ( rary/ms997627.aspx), 2001.Google Scholar
  4. 4.
    K. Harms, Forensic analysis of system restore points in Microsoft Windows XP, Digital Investigation, vol. 3(3), pp. 151–158, 2006.CrossRefGoogle Scholar
  5. 5.
    J. Holderness, MRU lists (Windows 95) ( Valley/4942/mrulist.html), 1998.Google Scholar
  6. 6.
    E. Kohl and J. Schmied, comctl32undoc.c, Wine Cross Reference (, 2000.Google Scholar
  7. 7.
    V. Mee, T. Tryfonas and I. Sutherland, The Windows registry as a forensic artifact: Illustrating evidence collection for Internet usage, Digital Investigation, vol. 3(3), pp. 166–173, 2006.CrossRefGoogle Scholar
  8. 8.
    Microsoft Corporation, Windows registry information for advanced users, Redmond, Washington (, 2008.Google Scholar
  9. 9.
    B. Sheldon, Forensic analysis of Windows systems, in Handbook of Computer Crime Investigation: Forensic Tools and Technology, E. Casey (Ed.), Academic Press, London, United Kingdom, pp. 133–166, 2002.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • Yuandong Zhu
  • Pavel Gladyshev
  • Joshua James

There are no affiliations available

Personalised recommendations