Digital Forensics Solutions is pleased to announce Registry Decoder, an open source tool that automates the acquisition, analysis, and reporting of Microsoft Windows registry contents. The tool was initially funded by the National Institute of Justice (NIJ) and is now ready for public release. Please see our History Page for information about the project.
Registry Decoder consists of two components, the first of which is a tool for online acquisition of registry files from a running machine. The page for this project can be found here. To safely acquire files from a running machine, we ‘freeze’ a copy of the current registry files using the System Restore Facility. This places the files into a read-only location and ensures that the operating system will not have the files opened (which would prevent them from being copied to external storage).
Beyond the current set of registry files, the acquisition component can also acquire historical files from the running system. These historical files are acquired through the System Restore Point facility on XP machines and through the Volume Shadow Service on Vista and Windows 7 machines.
The second component of Registry Decoder performs offline analysis (on an investigator’s lab machine) of acquired registry files. This project can be found here. The current version of this tool can process raw disk images, partition images, individual registry files, and the database of hives acquired by the online component. When given a disk image, the Sleuthkit libraries are used to parse the image and read each registry hive. This includes the ability to acquire historical files from System Restore Points as well as the RegBack folder of Vista and 7 images. Individual registry hives are processed using libraries from the RegLookup project.
After being provided with all registry-oriented evidence for a particular case, which can be any combination of registry files, disk images, and acquired databases, Registry Decoder performs a one-time pre-processing of the evidence. During this process, it creates a number of databases and metadata files that contain all information needed to analyze the files.
The analysis section of the offline component contains a number of powerful features. The first is Search, which supports flexible searching across registry hives. Its capabilities include:
- Filtering by hive keys, name, and data
- Filtering by the last write time of keys
- Searching individual terms or with a newline delimited search term file
- Exact or wildcard based search
- Viewing of search results
- Automated reporting of search contents to HTML, PDF, or XLS
Another important feature of Registry Decoder is its plugin system. This facility is similar to the plugins provided by RegRipper, in that individual plugins provide very specific analysis of a subset of the data contained within the registry. Plugin output can be automatically exported into reports, in the same manner as registry searches.
A third feature provided by Registry Decoder is differencing of registry hives. This feature utilizes the search and plugin subsystems to illustrate differences and similarities between two registry hives. This allows for viewing of changes across time from the same computer or comparing results of searches or plugins against files from multiple computers.
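To make the relationship between the search and differencing features concrete, here is an added example (not Registry Decoder's own code) that models both over two constructed, in-memory hive snapshots: a wildcard search with a last-write-time filter, and a hive diff built on top of that search. The key paths, value names, data and timestamps are made up for illustration, and the snapshot layout is an assumption rather than the tool's internal format.

```python
from datetime import datetime, timezone
from fnmatch import fnmatchcase
# Constructed hive snapshots: key path -> (last write time, {value name: data}).
OLD_HIVE = {
    r"Software\Microsoft\Windows\CurrentVersion\Run": (
        datetime(2011, 5, 1, tzinfo=timezone.utc),
        {"Updater": r"C:\Program Files\Vendor\upd.exe"}),
    r"Software\Vendor\App": (
        datetime(2011, 4, 2, tzinfo=timezone.utc), {"Version": "1.0"}),
}
NEW_HIVE = {
    r"Software\Microsoft\Windows\CurrentVersion\Run": (
        datetime(2011, 7, 9, tzinfo=timezone.utc),
        {"Updater": r"C:\Program Files\Vendor\upd.exe",
         "Helper": r"C:\Users\Public\helper.exe"}),
    r"Software\Vendor\App": (
        datetime(2011, 7, 9, tzinfo=timezone.utc), {"Version": "1.1"}),
    r"Software\Vendor\Other": (
        datetime(2011, 7, 9, tzinfo=timezone.utc), {"Installed": "yes"}),
}
SINCE = datetime(2011, 7, 1, tzinfo=timezone.utc)  # last-write cut-off used below

def search(hive, key_pat="*", name_pat="*", data_pat="*", since=None):
    """Exact or wildcard search over key path, value name and data, optionally
    limited to keys last written at or after `since`; returns (path, name, data)."""
    hits = []
    for path, (written, values) in hive.items():
        if (since and written < since) or not fnmatchcase(path, key_pat):
            continue
        for name, data in values.items():
            if fnmatchcase(name, name_pat) and fnmatchcase(str(data), data_pat):
                hits.append((path, name, data))
    return hits

def diff_hives(old, new):
    """Differencing built on the search routine: values present in only one
    hive, and values whose data changed between the two snapshots."""
    old_vals = {(p, n): d for p, n, d in search(old)}
    new_vals = {(p, n): d for p, n, d in search(new)}
    return {
        "added": sorted(k for k in new_vals if k not in old_vals),
        "removed": sorted(k for k in old_vals if k not in new_vals),
        "changed": sorted(k for k in old_vals
                          if k in new_vals and old_vals[k] != new_vals[k]),
    }

if __name__ == "__main__":
    print(search(NEW_HIVE, key_pat=r"*\Run", since=SINCE))  # keys written since July
    print(diff_hives(OLD_HIVE, NEW_HIVE))  # added/removed/changed values
```

Running the diff against two snapshots of the same machine surfaces the new Run entry and the changed Version value, which is the kind of change-over-time view the differencing feature is meant to provide.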
Finally, Registry Decoder supports browsing of registry hives through the file view. This is very similar to AccessData’s Registry Viewer and provides the ability to browse hives, view data, and acquire the last write time of relevant registry keys.
We hope that Registry Decoder interests you and that you will try it out in cases that you are working on. We believe that Registry Decoder significantly reduces the time, effort, and skills needed to perform complex registry analysis. By being open source and well documented, we also think that Registry Decoder provides a strong platform for future research and development within the registry forensics field. If you decide to use Registry Decoder, we would love to hear your feedback either through the comments section of the blog or you can email directly to: firstname.lastname@example.org.