Fig 1.
The structure of the Windows registry.
Fig 2.
The overall framework of the proposed forensic analysis of the Windows registry.
(a) The existing forensic strategy for a single system. (b) The proposed forensic strategy for multiple Windows systems.
Fig 3.
An example of the registry data exported by Regedit.
Fig 4.
An example of the actual process of converting a registry entry into the nested key-value data.
Fig 5.
An example of the actual process of merging three registry entries based on the common registry path.
(a) The example of three actual registry entries. (b) The result of the first MergeRegNestedEntries(). (c) The result of the second MergeRegNestedEntries().
Fig 6.
An example of the actual process of comparing two registry entries.
Fig 7.
An example of the actual process of loading Windows registry data into HDFS.
Fig 8.
An example of the actual process of forensic analysis of a target registry key.
Fig 9.
An example of the actual process of forensic analysis of registry entries using keywords.
Fig 10.
An example of the actual process of comparing two entire registry repositories.
Table 1.
Characteristics of the collected Windows registry data.
Fig 11.
The processing time of the proposed algorithm for loading the Windows registry into HDFS.
(a) The result with an increasing number of nodes. (b) The result with an increasing number of CPUs.
Fig 12.
The processing time of the proposed algorithm for forensic analysis of the target registry key.
(a) The result with an increasing number of nodes. (b) The result with an increasing number of CPUs.
Fig 13.
The processing time of the proposed algorithm for forensic analysis of registry entries containing a target keyword.
(a) The result with an increasing number of nodes. (b) The result with an increasing number of CPUs.
Fig 14.
The actual examples obtained by the algorithm for Scenario 2.
(a) The given keyword is ‘PHP’. (b) The given keyword is ‘Exploit’. (c) The given keyword is ‘Flash’.
Fig 15.
The processing time of the presented algorithm for comparing the entire registry repositories in Registry1 and Registry4.
(a) The result with an increasing number of nodes. (b) The result with an increasing number of CPUs.
Table 2.
The result of comparing the entire registry repositories.
Fig 16.
The examples obtained by the algorithm for Scenario 3.
(a) The registry key exists only in Registry1. (b) Different registry values for the same registry key.
Fig 17.
Comparing the processing time of the proposed distributed algorithms on Apache Spark with that on a single node.
(a) Processing time of loading the Windows registry into HDFS. (b) Processing time of forensic analysis of a target registry key. (c) Processing time of forensic analysis of registry entries containing a target keyword. (d) Processing time of comparing the entire registry repositories.