This article is free to access.
The Microsoft Windows registry is an important resource in digital forensic investigations. It contains information about operating system configuration, installed software and user activity. Several researchers have focused on the forensic analysis of the Windows registry, but a robust method for associating past events with registry data values extracted from Windows restore points is not yet available. This paper proposes a novel algorithm for analyzing the most recently used (MRU) keys found in consecutive snapshots of the Windows registry. The algorithm compares two snapshots of the same MRU key and identifies data values within the key that have been updated in the period between the two snapshots. User activities associated with the newly updated data values can be assumed to have occurred during the period between the two snapshots.
Zhu, Y., Gladyshev, P., & James, J. (2009). Temporal analysis of Windows MRU registry keys. In IFIP Advances in Information and Communication Technology (Vol. 306, pp. 83–93). Springer New York LLC. https://doi.org/10.1007/978-3-642-04155-6_6
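The snapshot comparison described in the abstract, as an added illustration that is not the paper's own algorithm: two snapshots of one MRU key (modelled as an `MRUList` string of slot letters plus one value per slot, as in keys such as RunMRU) are compared by data value rather than slot letter, under the assumption that Windows only ever moves a used entry to the front of the list, so the entries touched between the snapshots form a prefix of the newer ordering. The sample snapshots are constructed; keys that use a binary `MRUListEx` value would need index parsing instead of the letter string.

```python
"""Infer which MRU entries were added or re-used between two registry snapshots."""
from typing import Dict, List

# Constructed sample: an older and a newer snapshot of the same MRU key.
# Slot letters are reused by Windows once an entry is evicted, so slot "b"
# holds different data in the two snapshots; comparing by data value avoids
# mistaking the reused slot for an unchanged entry.
OLD_SNAPSHOT = {"MRUList": "cab", "a": "notepad", "b": "cmd", "c": "regedit"}
NEW_SNAPSHOT = {"MRUList": "bca", "a": "notepad", "b": "calc", "c": "regedit"}


def ordered_entries(snapshot: Dict[str, str]) -> List[str]:
    """Data values of the key, most recently used first (MRUList order)."""
    return [snapshot[slot] for slot in snapshot["MRUList"]]


def entries_updated_between(old: Dict[str, str], new: Dict[str, str]) -> List[str]:
    """Entries used (added or re-used) in the interval between `old` and `new`.

    Modelling assumption (not taken from the paper): the only change Windows
    makes to an MRU list is moving an entry to the front, inserting a new entry
    at the front, or dropping the tail on overflow. The entries touched in the
    interval therefore form a prefix of the newer ordering, and the suffix after
    it keeps the relative order it had in the older snapshot. The shortest prefix
    with that property is returned, most recent first.
    """
    old_order = ordered_entries(old)
    new_order = ordered_entries(new)
    for k in range(len(new_order) + 1):
        suffix = new_order[k:]
        kept = set(suffix)
        if all(e in old_order for e in suffix) and \
                [e for e in old_order if e in kept] == suffix:
            return new_order[:k]
    return new_order  # not reached: the empty suffix always satisfies the check


if __name__ == "__main__":
    # Expected: ['calc'] ("cmd" was evicted, "regedit"/"notepad" kept their order)
    print(entries_updated_between(OLD_SNAPSHOT, NEW_SNAPSHOT))
```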