Home How To Digging Up the Past: Windows Registry Forensics Revisited

How To

Digging Up the Past: Windows Registry Forensics Revisited

Posted on January 9, 2019

1,077

David Via from FireEye has written a very good article
focused on the following known sources of historical registry data:

Registry transaction logs (.LOG)
Transactional registry transaction logs (.TxR)
Deleted entries in registry hives
Backup system hives (REGBACK)
Hives backed up with System Restore

Related Articles
More In How To

Using MITRE ATT&CK for Forensics: BITS Jobs (T1197)

If you are doing incident response, you must know what MITRE ATT&CK is. As it’s …

2 weeks ago
7 min read
Parsing Carved EVTX Records Using EvtxECmd

Teru Yamazaki has posted about how to extract Windows Event Log files from allocated space…

2 weeks ago
24 second read
PowerShell and Python Together: Targeting Digital Investigations

A new book by Chet Hosmer has been released. The book will teach you how to use PowerShell…

2 weeks ago
20 second read

Load More Related Articles

Parsing Carved EVTX Records Using EvtxECmd

Teru Yamazaki has posted about how to extract Windows Event Log files from allocated space…

2 weeks ago
24 second read
Extracting Activity History from PowerShell Process Dumps

Lee Holmes has posted about how to extract activity history from PowerShell process dumps.…

January 5, 2019
20 second read
An introduction to file-system post-mortem forensic analysis

Computer Incident Response Center of Luxembourg has published materials used during their …

December 22, 2018
18 second read

Load More In How To

Click To Comment

Leave a Reply Cancel reply