Abstract
This paper provides a thorough analysis of the storage structure of hive files and proposes a new method for processing them independently of the Windows registry API, giving direct access to the on-disk structures. The method has two advantages: it runs at a higher priority than the operating system, and it preserves the target's computing environment. In particular, it suits situations in which the hive files of the target operating system cannot be copied or loaded directly. The paper also presents a set of algorithms for the key operations on hive files (access, deletion, creation, and expansion), all designed to be independent of the Windows API, on which third-party developers can build specialized applications. A complete hivedit program implementing these operations has been written. It can be executed before the operating system loads, with the assistance of the ECM-XDP3 emulator (an Intel JTAG debugger), and the correctness of all the algorithms has been verified.
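As an added example (not the paper's hivedit program and not code from the authors), the following Python builds a constructed minimal hive image and reads it back directly from bytes, with no registry API involved: base block checksum, unclean-shutdown check via the sequence numbers, hbin and cell walking, and nk/vk decoding including the inline-data case. Field offsets follow the public regf format documentation; the key name `ROOT`, the value names `ImagePath` and `Start`, the file name and the stored values are made up for the example.

```python
# Added example: Windows-API-free access to a registry hive (regf) image held in memory.
# Field layout follows the public regf format documentation; all names and values are made up.
import struct

HBIN_BASE = 0x1000  # cell offsets stored in the hive are relative to this file offset
COMP_NAME = 0x20    # nk flag: key name is 8-bit chars rather than UTF-16LE (vk uses 0x01)
REG_SZ, REG_DWORD = 1, 4
DECODE = {REG_SZ: lambda d: d.decode("utf-16-le").rstrip("\0"),
          REG_DWORD: lambda d: struct.unpack("<I", d)[0]}

def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 0x1FC bytes as little-endian u32 words, as the kernel computes it."""
    cs = 0
    for (word,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        cs ^= word
    return 0xFFFFFFFE if cs == 0xFFFFFFFF else (1 if cs == 0 else cs)

def _cell(payload: bytes) -> bytes:
    size = (4 + len(payload) + 7) & ~7  # allocated cell: negative int32 size, 8-byte aligned
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def build_sample_hive() -> bytes:
    """Constructed hive: one hbin with a root key holding a REG_SZ and a REG_DWORD value."""
    cells, offsets = [], {}

    def add(name, payload):  # first cell follows the 32-byte hbin header
        offsets[name] = 0x20 + sum(map(len, cells))
        cells.append(_cell(payload))

    path = "C:\\boot\\example".encode("utf-16-le") + b"\0\0"
    add("data", path)  # REG_SZ data too large to inline gets its own cell
    # vk: sig, name_len, data_size, data_offset, type, flags (0x01 = 8-bit name), spare, name
    add("vk_path", struct.pack("<2sHIIIHH", b"vk", 9, len(path), offsets["data"],
                               REG_SZ, 1, 0) + b"ImagePath")
    # data of <= 4 bytes is inline: bit 31 of data_size set, the bytes sit in data_offset
    add("vk_start", struct.pack("<2sHIIIHH", b"vk", 5, 0x80000000 | 4, 2,
                                REG_DWORD, 1, 0) + b"Start")
    add("vlist", struct.pack("<II", offsets["vk_path"], offsets["vk_start"]))
    # nk: sig, flags, timestamp, access, parent, subkey counts and lists, value count and
    # list, security, class, four "largest ..." hints, workvar, name_len, class_len, name
    add("root", struct.pack("<2sHQ15IHH", b"nk", 0x2C, 0, 0, 0xFFFFFFFF,
                            0, 0, 0xFFFFFFFF, 0xFFFFFFFF, 2, offsets["vlist"],
                            0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 9, len(path), 0, 4, 0) + b"ROOT")
    body = b"".join(cells)
    hbin_size = (0x20 + len(body) + 0xFFF) & ~0xFFF
    free = hbin_size - 0x20 - len(body)  # the remainder is one free (positive-size) cell
    hbin = struct.pack("<4sIIQQI", b"hbin", 0, hbin_size, 0, 0, 0) + body
    hbin += struct.pack("<i", free) + bytes(free - 4)
    # base block: seq1, seq2, timestamp, major 1, minor 5, type, format, root, bins size, cluster
    base = bytearray(HBIN_BASE)
    struct.pack_into("<4sIIQ7I", base, 0, b"regf", 1, 1, 0, 1, 5, 0, 1,
                     offsets["root"], hbin_size, 1)
    base[0x30:0x30 + 14] = "\\SYSTEM".encode("utf-16-le")
    struct.pack_into("<I", base, 0x1FC, regf_checksum(bytes(base)))
    return bytes(base) + hbin

class Hive:
    def __init__(self, data: bytes):
        if data[:4] != b"regf":
            raise ValueError("not a regf hive")
        if struct.unpack_from("<I", data, 0x1FC)[0] != regf_checksum(data):
            raise ValueError("base block checksum mismatch")
        seq1, seq2 = struct.unpack_from("<II", data, 4)
        # Unequal sequence numbers: the last flush never completed, so the transaction
        # log (.LOG1/.LOG2) must be replayed before anything in the bins is trusted.
        self.dirty = seq1 != seq2
        self.root_offset, self.bins_size = struct.unpack_from("<II", data, 0x24)
        self.data = data

    def cell(self, offset: int, sig: bytes = b"") -> bytes:
        """Payload of the allocated cell at a hive-bins-relative offset, checking its signature."""
        pos = HBIN_BASE + offset
        size = struct.unpack_from("<i", self.data, pos)[0]
        if size >= 0 or self.data[pos + 4:pos + 4 + len(sig)] != sig:
            raise ValueError(f"cell at 0x{offset:x} is free or not a {sig!r} cell")
        return self.data[pos + 4:pos - size]

    def value(self, offset: int):
        c = self.cell(offset, b"vk")
        name_len, size, data_off, vtype, flags = struct.unpack_from("<HIIIH", c, 2)
        raw = c[0x14:0x14 + name_len]
        name = raw.decode("latin-1") if flags & 1 else raw.decode("utf-16-le")
        if size & 0x80000000:  # inline data: the offset field itself holds the bytes
            data = struct.pack("<I", data_off)[:size & 0x7FFFFFFF]
        else:
            data = self.cell(data_off)[:size]
        return name, (vtype, DECODE.get(vtype, bytes)(data))

    def key(self, offset: int) -> dict:
        c = self.cell(offset, b"nk")
        flags = struct.unpack_from("<H", c, 2)[0]
        nvalues, vlist_off = struct.unpack_from("<II", c, 0x24)
        name_len = struct.unpack_from("<H", c, 0x48)[0]
        raw = c[0x4C:0x4C + name_len]
        name = raw.decode("latin-1") if flags & COMP_NAME else raw.decode("utf-16-le")
        # the value list is a bare array of u32 cell offsets; its offset is unset when empty
        offs = struct.iter_unpack("<I", self.cell(vlist_off)[:4 * nvalues]) if nvalues else ()
        return {"name": name, "values": dict(self.value(voff) for (voff,) in offs)}
```

`Hive(build_sample_hive())` parses the constructed image; `key(hive.root_offset)` then returns the root key with its two decoded values. Two checks matter when the image comes from a target that could not be cleanly copied: the constructor rejects a base block whose XOR checksum does not match, and `cell()` refuses to dereference a free cell (positive size) or a cell with the wrong signature, so a truncated or tampered image fails loudly instead of being silently interpreted. For a hive taken from a running or unclean system, inspect `dirty` first; unequal sequence numbers mean the transaction log has to be replayed before the bins reflect the last committed state.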
Acknowledgements
This work was supported in part by the Natural Science Foundation of China under Grant 61273118, Guangdong Science and Technology Program of China under Grant No. 2017A040405050, and Guangzhou High-Tech Developmental Plan 201604016041.
Cite this article
Su, Q., Tang, Y., Li, Z. et al. Analysis of the structure of hive files and the implementation of pivotal operations for distributed computing environment. Cluster Comput 22 (Suppl 3), 5675–5689 (2019). https://doi.org/10.1007/s10586-017-1468-1
DOI: https://doi.org/10.1007/s10586-017-1468-1