Sunday, January 29, 2012

Registry Decoder - A new registry analysis tool


Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents.

It is much similar to Harlan's RegRipper. It can perform the analysis on the live system as well as the saved hive files. To acquire the currently in-use registry files, Registry Decoder creates a System Restore Point on the target machine. This ‘freezes’ and generates a read-only backup of the current registry files.


In the current version, the offline component is able to process a number of evidence types including:

1. Individual registry files
2. Full disk images
3. Partition images
4. Databases created by the online acquisition component of Registry Decoder

The analysis tasks it performs include:


1. Hive Viewing
2. Hive Searching
3. Plugins. Currently has 30 plugins
4. Hive Differencing to find the differences between two registry hives
5. Reporting


The online acquisition component can be accessed at: http://code.google.com/p/regdecoderlive/ and the offline analysis component accessed at: http://code.google.com/p/registrydecoder/.

Some of the screen shots from my system are below: