IJSRP, Volume 3, Issue 4, April 2013 Edition [ISSN 2250-3153]
Pragati Pawar, Prof. P.S. Kulkarni
Abstract:
This paper describes the Windows registry which stores a lot of system information and can also be used as forensic evidence. Many researchers have worked to know how the information is stored in the registry, but carving the registry files from the raw disk is not described. Till now the researchers performed the researches on how the registry files are carved when each block is not fragmented using the internal structure of registry file. It is also based on the internal structure of registry files, but in this paper, the fragmentation is performed on the multiple HBIN blocks instead of two HBIN blocks. It also recovers the Windows registry files using back up when the file system is crashed or damaged. The carving technique is used which is more effective and accurate for Windows registry files.