financial, espionage, grudge, and fun. Microsoft Windows is the most popular
operating system due to its user-friendly GUI and ease of use, which has made it a more
frequent target of attacks. The attacker of a computer system performs various activities on
it, such as software installation, device connections, placing malicious code, accessing
documents and programs, and making network connections. A digital forensic investigation is
performed to locate and extract the digital evidence of the user's activities on the system.
The registry is a wealth of information for both the administrator and the forensic
investigator. As per Microsoft (2013), the registry is a hierarchical database, which
can be described as a central repository for configuration data or as a configuration
database. Besides being a central place to store settings, the registry by its very
nature allows complex relationships among different parts of Windows, applications, and
the user interface. A comparative study of some of the features introduced in
subsequent versions of the Windows operating system and their associated keys in the
registry is listed in Table 1.
A malicious insider within an organisation might steal information for personal
gain or to benefit another organisation, or damage the computer system out of a personal
vendetta. As per Ganesh and Sambit (2014), malicious insiders can be current or former
employees, contractors or business partners who gain access to an organisation's network,
system or data and release this information without the organisation's permission. The
Windows Registry maintains digital evidence of the various user activities on the
system. By performing a digital forensic investigation of the registry, the potential
evidence of the crime and the timing of the crime are obtained. On analysing this evidence, the
suspect is identified. But searching the registry through regedit.exe or
regedt32.exe consumes a lot of time, since the examiner needs to search the entire
registry in order to find the meaningful forensic information. As discussed by Carvey
(2005), knowing what information is available and where the information can be found
can lead the investigator to develop a more comprehensive picture of the case. Therefore,
there is a need for an evidence collection and analysis methodology which can extract
the required information from the Windows registry along with a timeline and present
it to the forensic examiner in a presentable manner. The information thus extracted is
helpful in identifying the malicious insider. An expert user, on accessing the system, may
modify or delete information in the registry to avoid being caught; this raises the
need to identify whether the user has made any changes to the registry. A study of the
available existing tools which extract forensic data from the registry has been performed.
A new standalone, portable tool is proposed which overcomes the limitations of
the existing tools. The paper contributes a framework for the proposed tool to
identify the malicious activity of the user on the system. The framework includes an
improved evidence collection and analysis methodology to extract and analyse the digital
evidence about the potential malicious insider from the registry. This paper is organised
as follows: a study of the existing research and the tools which extract forensic
information from the registry is presented in Section 2. The new evidence
collection and analysis methodology implemented in the proposed tool to extract forensic
evidence from the registry is discussed in Section 3.
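The timeline extraction and tamper check that this methodology calls for can be illustrated with a small added example (not the paper's proposed tool): it converts registry key LastWrite values from Windows FILETIME to UTC, orders the keys chronologically for the examiner, and compares two snapshots of key timestamps to flag keys the user deleted or rewrote between them. The key paths and timestamps are constructed sample data, not values taken from a real system.

```python
from datetime import datetime, timedelta, timezone

# A registry key's LastWrite time is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME tick count to a timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used here only to construct sample LastWrite values."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def build_timeline(snapshot):
    """Order {key_path: filetime} records chronologically as (ISO-8601 UTC time, key_path)."""
    return sorted((filetime_to_datetime(ft).isoformat(), path) for path, ft in snapshot.items())

def diff_snapshots(baseline, current):
    """Compare two {key_path: filetime} snapshots taken at different times.
    A key present in the baseline but absent now was deleted; a key whose LastWrite
    moved was rewritten; a key absent from the baseline records activity since then."""
    return {
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(set(current) - set(baseline)),
    }

def _ft(y, mo, d, h, mi, s):
    return datetime_to_filetime(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc))

# Constructed sample: LastWrite times of a few well-known evidentiary keys, as an examiner
# might export them from the SYSTEM, SOFTWARE and NTUSER.DAT hives (all values made up).
BASELINE = {
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR": _ft(2014, 3, 10, 9, 15, 0),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": _ft(2014, 3, 11, 14, 2, 30),
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles": _ft(2014, 3, 9, 8, 0, 0),
}
CURRENT = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": _ft(2014, 3, 12, 23, 40, 5),
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles": _ft(2014, 3, 9, 8, 0, 0),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs": _ft(2014, 3, 12, 23, 38, 0),
}

if __name__ == "__main__":
    for when, key in build_timeline(CURRENT):
        print(when, key)
    print(diff_snapshots(BASELINE, CURRENT))
```

A removed USBSTOR key with a later Run key rewrite is exactly the pattern an examiner would want surfaced, since it suggests the user cleaned device evidence after installing something that persists.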