registrydecoder - registrydecoder - automates acquisition, analysis, and reporting of Microsoft Windows registry contents.
This version of Registry Decoder performs offline analysis (on an
investigator's lab machine) of acquired registry files; the project is
hosted on Google Code (see the source link below). The current version
can process raw disk images, partition images, individual registry
files, and the database of hives acquired by the online component. When
given a disk image, it uses The Sleuth Kit libraries to parse the image
and read each registry hive, including historical copies of the hives
from System Restore Points and from the RegBack folder of Vista and
Windows 7 images. Individual registry hives are parsed with libraries
from the RegLookup project.
After being provided with all registry-oriented evidence for a particular
case, which can be any combination of registry files, disk images, and
acquired databases, Registry Decoder performs a one-time pre-processing
of the evidence. During this process, it creates a number of databases and
metadata files that contain all information needed to analyze the files.
The analysis section of the offline component provides several
features. The first is Search, which runs a query across every registry
hive in the case. It supports:
* Restricting the search to key names, value names, and/or value data
* Filtering by the last write time of keys
* Searching for a single term or for every term in a newline-delimited term file
* Exact or wildcard-based matching
* Viewing of search results
* Automated reporting of search results to HTML, PDF, or XLS
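The following is an added example, not Registry Decoder's own code, that models the search filters listed above over pre-parsed hive data. It assumes a hive parser (RegLookup's bindings, in the tool's case) has already turned each key into a record carrying its hive, path, raw FILETIME last-write stamp, and values; the Key and Value records, the sample evidence, and the term file contents below are constructed for the example. It also converts the FILETIME stored in each nk cell to a UTC datetime for the time window, and escapes registry data before putting it in an HTML report, since key names and data are attacker-controlled input.

```python
"""Added example (not Registry Decoder's own code): a model of the Search
filters over constructed, pre-parsed key records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from html import escape
from typing import List, Optional, Tuple

# FILETIME: 100 ns ticks since 1601-01-01 UTC; an nk cell stores the key's
# last write time in this form.  1970-01-01 00:00:00 is 116444736000000000.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def make_filetime(*ymdhm: int) -> int:
    """Helper for building sample stamps: (year, month, day, hour, minute) in UTC."""
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))


@dataclass
class Value:
    name: str
    data: str          # already decoded to text; binary data would need its own handling


@dataclass
class Key:
    hive: str          # hive the key came from (SOFTWARE, SYSTEM, NTUSER, ...)
    path: str          # key path within that hive
    last_write: int    # raw FILETIME from the nk cell
    values: List[Value]


# Constructed sample evidence: three keys from three hives (not real data).
SAMPLE_KEYS = [
    Key("SOFTWARE", r"Microsoft\Windows\CurrentVersion\Run", make_filetime(2012, 1, 15, 8, 30),
        [Value("OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
         Value("updater", r"C:\Users\Public\svchost.exe")]),
    Key("SYSTEM", r"ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer", make_filetime(2012, 1, 20, 23, 5),
        [Value("FriendlyName", "SanDisk Cruzer USB Device")]),
    Key("NTUSER", r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU", make_filetime(2011, 6, 1, 12, 0),
        [Value("a", "cmd\\1"), Value("MRUList", "a")]),
]


def load_terms(text: str) -> List[str]:
    """Parse a newline-delimited search-term file; blank lines are skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def matches(term: str, text: str, wildcard: bool) -> bool:
    """Exact match compares the whole string case-insensitively (the registry
    itself is case-insensitive); wildcard uses shell-style * and ?."""
    if wildcard:
        return fnmatchcase(text.lower(), term.lower())
    return text.lower() == term.lower()


Hit = Tuple[Key, str, str]   # (key, field that matched: key/name/data, matched text)


def search(keys, terms, wildcard=False, in_keys=True, in_names=True, in_data=True,
           start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[Hit]:
    """Apply the Search filters: which fields to look in, an optional
    last-write window, and one or many terms with exact or wildcard matching."""
    hits: List[Hit] = []
    for key in keys:
        written = filetime_to_datetime(key.last_write)
        if (start and written < start) or (end and written > end):
            continue
        for term in terms:
            if in_keys and matches(term, key.path.rsplit("\\", 1)[-1], wildcard):
                hits.append((key, "key", key.path))
            for v in key.values:
                if in_names and matches(term, v.name, wildcard):
                    hits.append((key, "name", v.name))
                if in_data and matches(term, v.data, wildcard):
                    hits.append((key, "data", v.data))
    return hits


def html_report(hits: List[Hit]) -> str:
    """Minimal HTML report.  Key paths, names and data come from the suspect
    system, so every field is escaped before it lands in the report."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>"
        % (escape(k.hive), escape(k.path), escape(str(filetime_to_datetime(k.last_write))),
           escape(where), escape(text))
        for k, where, text in hits)
    return ("<table><tr><th>Hive</th><th>Key</th><th>Last write</th>"
            "<th>Field</th><th>Match</th></tr>%s</table>" % rows)


if __name__ == "__main__":
    terms = load_terms("*svchost*\nrun\n")   # constructed term file contents
    for k, where, text in search(SAMPLE_KEYS, terms, wildcard=True):
        print(k.hive, k.path, where, text, filetime_to_datetime(k.last_write))
```

A wildcard term such as `*svchost*` finds the Run value whose data points at a binary in a user-writable directory, while the exact term `run` hits only the key named Run and not RunMRU; the last-write window is applied to the key's nk timestamp, so a value modified without the key being rewritten cannot be dated this way.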
by Lawrence R. Rogers (2012-02-02):
* Release 20120202-1
This is release 1.2 of registrydecoder.
See http://code.google.com/p/registrydecoder/source/list for the changes