| The registry is a necessary part of the Windows OS,which store variety of information,including core system configurations,hardware configuration,and information on installed applications.Both of traditional file recovery methods and information recovery will lead to lower reacall rate.Effectively,rapidly indentifying the deleted data,and reconstruction orphaned data has become the key problem.This article will focus on the recovery technology of windows registry file.On the one hand,we put forward a deleted registry data indentifying method base on the character of registry structures.The method can identify the deleted registry data from hive files accurately by extracting various feature from deleted registry key or value data and using majority voting method.The experimental result shows that the method has 99% accuracy rate and 80% recall rate in identify deleted recordOn the other hand,we propose a recovery method for orphaned data based on statistical information of the data.The method can reconstruct orphaned registry data by analyse the statistical information between children key and parent key or value and key.The method can remedy of that the traditional method can not reconstruct orphaned registry data which based on the parent offset in key struct.The experimental result shows that the method has 79% recall rate and 85% accuracy rate in recovery deleted record.To sum up,this paper explores registry file recovery technology through combination experiment with theory,and studies the recovery technique of registry data.It proposes a deleted registry data indentifying method base on the character of registry structures and a recovery method for orphaned data based on statistical information of the data. |
PDF Full Text Request