Digital forensics deals with the analysis of artifacts on all types of
digital devices. One of the most common analyses performed on Microsoft
Windows systems is examination of the registry hives. Registry Decoder was
developed to provide a single tool for the acquisition, analysis, and
reporting of registry contents.
Registry Decoder consists of two components: a tool for online acquisition
of registry files from a running machine, and an offline component for
analysis and reporting.
To safely acquire files from a running machine, the acquisition tool
‘freezes’ a copy of the current registry files using the System Restore
facility. This places the files in a read-only snapshot and ensures that the
operating system does not have them open, which is what otherwise prevents
the live hives from being copied to external storage.
Beyond the current set of registry files, the acquisition component can also
acquire historical copies from the running system. These are obtained from
System Restore points on Windows XP and from the Volume Shadow Copy Service
on Vista and Windows 7, so how far back they reach depends on which restore
points or shadow copies the system has retained.
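The Vista/7 side of the procedure above, as an added example in Registry Decoder's own language (Python) that is not the project's code: create a fresh shadow copy so the live hives are frozen, then walk every shadow copy the system has (the new one is the "current" set, the rest are historical) and copy the hives out of each. It assumes an elevated prompt on Windows, that `wmic` is available, that `wmic ... /format:list` prints `Key=Value` lines with a blank line between instances, and that the hives sit at their default paths; `mklink /d` is used because a shadow copy's `\\?\GLOBALROOT` device path is not reachable through ordinary directory listing otherwise.

```python
"""Hive acquisition from Volume Shadow Copies (added example; not Registry Decoder's code).

Assumptions: Windows Vista/7 or later, run from an elevated prompt, wmic available,
hives at their default locations, and wmic's LIST format as described in the
lead-in. The mklink /d trick exposes a shadow copy's \\?\GLOBALROOT device
path to ordinary file APIs.
"""
import os
import re
import shutil
import subprocess
from pathlib import Path

# Default locations of the system hives, relative to the volume root (assumption).
SYSTEM_HIVES = {
    "SYSTEM": r"Windows\System32\config\SYSTEM",
    "SOFTWARE": r"Windows\System32\config\SOFTWARE",
    "SAM": r"Windows\System32\config\SAM",
    "SECURITY": r"Windows\System32\config\SECURITY",
    "DEFAULT": r"Windows\System32\config\DEFAULT",
}


def parse_wmic_list(text):
    """Turn `wmic ... /format:list` output into one dict per instance.

    wmic emits Key=Value lines, a blank line between instances and stray
    carriage returns (\\r\\r\\n), so the \\r characters are dropped first so that
    they are not mistaken for instance separators.
    """
    instances, current = [], {}
    for raw in text.replace("\r", "").split("\n"):
        line = raw.strip()
        if not line:
            if current:
                instances.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
    if current:
        instances.append(current)
    return instances


def parse_shadow_id(text):
    """Pull the ShadowID GUID out of `wmic shadowcopy call create` output."""
    m = re.search(r'ShadowID\s*=\s*"(\{[0-9A-Fa-f-]+\})"', text)
    return m.group(1) if m else None


def hive_paths(root, users=()):
    """Map hive label -> file path under root, plus NTUSER.DAT for each profile name given."""
    paths = {name: os.path.join(root, rel) for name, rel in SYSTEM_HIVES.items()}
    for user in users:
        paths["NTUSER_" + user] = os.path.join(root, "Users", user, "NTUSER.DAT")
    return paths


def list_shadow_copies():
    out = subprocess.run(["wmic", "shadowcopy", "get", "DeviceObject,ID,InstallDate", "/format:list"],
                         capture_output=True, text=True, check=True).stdout
    return parse_wmic_list(out)


def create_shadow_copy(volume="C:\\"):
    """Freeze the live volume (and so the open hives) into a new shadow copy."""
    out = subprocess.run(["wmic", "shadowcopy", "call", "create", "Volume=" + volume],
                         capture_output=True, text=True, check=True).stdout
    shadow_id = parse_shadow_id(out)
    if shadow_id is None:
        raise RuntimeError("shadow copy creation failed:\n" + out)
    return shadow_id


def copy_hives_from_shadow(device_object, dest):
    """Expose the snapshot via a directory symlink, copy every hive that exists, unlink."""
    link = Path(os.environ.get("SystemDrive", "C:") + "\\rd_shadow")  # hypothetical link name
    subprocess.run(["cmd", "/c", "mklink", "/d", str(link), device_object + "\\"],
                   check=True, capture_output=True)
    try:
        users_dir = link / "Users"
        users = [u for u in os.listdir(users_dir)
                 if (users_dir / u / "NTUSER.DAT").is_file()] if users_dir.is_dir() else []
        dest.mkdir(parents=True, exist_ok=True)
        copied = []
        for label, src in hive_paths(str(link), users).items():
            if os.path.isfile(src):  # SAM/SECURITY etc. are not locked inside the snapshot
                shutil.copyfile(src, dest / label)
                copied.append(label)
        return copied
    finally:
        os.rmdir(link)  # removes the symlink only; the shadow copy itself is untouched


if __name__ == "__main__":
    out_root = Path(r"C:\rd_acq")  # hypothetical output directory
    new_id = create_shadow_copy()  # the "current" set, frozen now
    for sc in list_shadow_copies():  # the new copy plus whatever historical copies exist
        if sc.get("ID") == new_id:
            tag = "current"
        else:
            tag = "historical_" + sc.get("InstallDate", "unknown")[:14]
        print(tag, copy_hives_from_shadow(sc["DeviceObject"], out_root / tag))
```

The copied files are hive images as of each snapshot's creation time, so hashing them immediately and recording the `InstallDate` of the shadow copy they came from keeps the chain of custody straight when the "historical" sets are later compared against the "current" one.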
The analysis section of the offline component contains a number of
features. The first is Search, which searches across one or more registry
hives. Its abilities include:
- Filtering by key name, value name, and value data
- Filtering by the last write time of keys
- Searching for individual terms or for every term in a newline-delimited term file
- Exact or wildcard-based matching
- Viewing of search results
- Automated reporting of search results to HTML, PDF, or XLS
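The search filters listed above, as an added example that is not Registry Decoder's own code: a depth-first walk over a parsed hive that matches each term against key names, value names and value data, in either exact or wildcard mode, restricted to keys whose last-write time falls in a window, with the term list read from the contents of a newline-delimited file. Keys and values are touched only through the method names python-registry exposes (`key.name()`, `path()`, `timestamp()`, `subkeys()`, `values()`, `value.name()`, `value()`), so `search()` should run unchanged on `Registry.Registry(hive_path).root()`; that correspondence is an assumption. `FakeKey`, `FakeValue` and `demo_hive()` are a constructed stand-in hive so the block runs offline.

```python
"""Registry search filters (added example; not Registry Decoder's code).

Keys and values are accessed only through the method names python-registry
exposes (key.name()/path()/timestamp()/subkeys()/values(), value.name()/value()),
so search() should run on Registry.Registry(hive_path).root() as well; that is
an assumption. FakeKey/FakeValue/demo_hive() are a constructed stand-in hive.
"""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase


@dataclass(eq=False)
class FakeValue:
    _name: str
    _data: object
    def name(self): return self._name
    def value(self): return self._data


@dataclass(eq=False)
class FakeKey:
    _name: str
    _ts: datetime                       # last-write time of the key
    _values: list = field(default_factory=list)
    _subkeys: list = field(default_factory=list)
    _parent: "FakeKey" = field(default=None, repr=False)
    def name(self): return self._name
    def timestamp(self): return self._ts
    def values(self): return self._values
    def subkeys(self): return self._subkeys
    def path(self):
        return self._name if self._parent is None else self._parent.path() + "\\" + self._name


def walk(key):
    """Depth-first over a key and all of its descendants."""
    yield key
    for sub in key.subkeys():
        yield from walk(sub)


def load_terms(text):
    """Terms from the contents of a newline-delimited term file; blank lines ignored."""
    return [t.strip() for t in text.splitlines() if t.strip()]


def _match(term, text, mode):
    """exact: whole string, case-insensitive; wildcard: case-insensitive glob (*, ?, [..])."""
    if mode == "exact":
        return text.lower() == term.lower()
    return fnmatchcase(text.lower(), term.lower())


def search(root, terms, mode="wildcard", in_keys=True, in_names=True, in_data=True,
           after=None, before=None):
    """Return unique (key_path, value_name, data, last_write) hits.

    value_name and data are None for a hit on the key name itself. after/before
    restrict hits to keys whose last-write time lies inside that window.
    """
    hits, seen = [], set()

    def add(hit):
        if hit not in seen:
            seen.add(hit)
            hits.append(hit)

    for key in walk(root):
        ts = key.timestamp()
        if (after is not None and ts < after) or (before is not None and ts > before):
            continue
        for term in terms:
            if in_keys and _match(term, key.name(), mode):
                add((key.path(), None, None, ts))
            for v in key.values():
                data = str(v.value())   # binary/DWORD data is searched in its str() form
                if (in_names and _match(term, v.name(), mode)) or (in_data and _match(term, data, mode)):
                    add((key.path(), v.name(), data, ts))
    return hits


# Constructed timestamps and SOFTWARE-hive fragment (not from a real system).
T_OLD = datetime(2010, 12, 1, 9, 30)
T_BASE = datetime(2011, 1, 10, 8, 0)
T_RUN = datetime(2011, 3, 2, 12, 0)
T_RUNONCE = datetime(2011, 3, 5, 18, 45)


def _add(parent, name, ts, values=()):
    key = FakeKey(name, ts, [FakeValue(n, d) for n, d in values], [], parent)
    parent._subkeys.append(key)
    return key


def demo_hive():
    root = FakeKey("SOFTWARE", T_BASE)
    cv = _add(_add(_add(root, "Microsoft", T_BASE), "Windows", T_BASE), "CurrentVersion", T_BASE)
    _add(cv, "Run", T_RUN, [("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
                            ("Updater", r"C:\Users\bob\AppData\Roaming\svchost.exe")])
    _add(cv, "RunOnce", T_RUNONCE)
    _add(root, "Classes", T_OLD, [("ContentType", "text/plain")])
    return root


if __name__ == "__main__":
    hive = demo_hive()
    terms = load_terms("run*\n*svchost*\n")   # what a term file would contain
    for path, vname, data, ts in search(hive, terms, after=T_BASE):
        print(ts.isoformat(), path, vname, data)
```

The last-write window is applied to the key, not to individual values, because the registry only records a timestamp per key; a hit on a value therefore says "some value under this key changed at or after that time", which is the right caveat when using the filter to bound when a persistence entry such as the `Updater` value above appeared.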
Tutorials ::
Text Tutorial (PDF) :: Click Here
FAQ :: Click Here
Download ::
Windows :: RegistryDecoder (.zip)
Official Website :: http://www.registrydecoder.com/
It's awesome, thanks