This project is the live registry hive acquisition component of Registry Decoder. It is capable of acquiring both the currently running and historical registry files from a number of Windows operating system versions, both 32-bit and 64-bit.
The acquired files can then be imported into the offline analysis component for complete forensic investigation.
Registry Decoder, now at version 1.4, has received a number of enhancements, usability improvements, and updates to existing plugins. These include:
- The ability to export diffs from both search and plugins
- Diff exports now include the matching entries
- Diff tabs have a color legend to explain the diffs
- All reporting fields add default file extensions if not provided by the user
- The ‘value’ of a registry ‘name’ is now added in search results
- Fixed a bug where the same entry could appear multiple times in search results
- Updates to the StreamMRU, ShellBags, ShellBagsMRU, and RecentDocsOrdered plugins by Kevin Moore