Digital forensics deals with the analysis of artifacts on all types of digital devices. One of the most prevalent analysis techniques performed is that of the registry hives contained in Microsoft Windows operating systems. Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.
Registry Decoder consists of two components, the first of which is a tool for online acquisition of registry files from a running machine. To safely acquire files from a running machine, we ‘freeze’ a copy of the current registry files using the System Restore Facility. This places the files into a read-only location and ensures that the operating system will not have the files opened (which would prevent them from being copied to external storage).
Beyond the current set of registry files, the acquisition component can also acquire historical files from the running system. These historical files are acquired from XP machines through the System Restore Point facility and through the Volume Shadow Service on Vista and Windows 7 machines.
The analysis section of the offline component contains a number of powerful features. The first feature is Search, which allows for powerful searching across registry hives. The searching abilities include:
- Filtering by hive keys, name, and data
- Filtering by the last write time of keys
- Searching individual terms or with a newline delimited search term file
- Exact or wildcard based search
- Viewing of search results
- Automated reporting of search contents to HTML, PDF, or XLS
Tutorials ::Text Tutorial (PDF) :: Click Here
FAQ :: Click Here
Download ::Windows :: RegistryDecoder (.zip)
Official Website :: http://www.registrydecoder.com/
It's Awesome , thanksReplyDelete