Analyzing Registry

Discuss new features that you would like to see in Autopsy. Consider creating a github issue instead of this forum, as we review those more when adding features and many of the discussions ultimately end up as github issues.

https://github.com/sleuthkit/autopsy/issues

Post by OliverH » Sun Sep 28, 2014 8:33 pm

As of today Sleuthkit 3.1.0 only has rudimentary registry hive analysis (using RegRipper) support. The view on the extracted hive details can't be used as it should be (marking sections, annotations to sections).
The registry is a main part of doing analysis on an image on my side. I usually look at ntuser.dat, System, SAM and Software to get a picture and tell parties what happened on the computer, using RegRipper 2.02 and 2.8. In combination with timelining the work is done. Network details, typed URLs, used files, last user logged on: the registry hives tell you a big part of the story.
Is it possible to get all hives parsed and the sections separated into XML files or similar, so that one can annotate them and mark them as case relevant to be present in the report? Having the possibility to define a report and the order of topics (hive sections in this case), as in Nessus, would be useful.
OliverH
Posts: 8
Joined: Sun Sep 28, 2014 8:06 pm
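The workflow the post asks for (parse the hives, split the output into per-hive sections, annotate and flag sections as case relevant, then report them in an analyst-chosen order) can be sketched on top of RegRipper's plain-text output. The following is an added example, not Autopsy or RegRipper code. It assumes RegRipper's block layout (a line of dashes between plugins, a `<plugin> v.<version>` header, then a `(<Hive>) description` line); the sample output, hostnames and values below are constructed for the example.

```python
"""Split RegRipper-style plugin output into per-hive sections, attach analyst
annotations and a relevance flag, and emit the chosen sections as XML in a
report order defined by the analyst.

Added example, not Autopsy's or RegRipper's own code. The block layout
(dash separator, "<plugin> v.<version>" header, "(<Hive>) description" line)
is an assumption about RegRipper 2.8 output; the sample text is constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in RegRipper 2.8 style; names and values are fake.
SAMPLE_RIP_OUTPUT = """\
----------------------------------------
compname v.20090727
(System) Gets ComputerName and Hostname values from System hive

ComputerName    = CASE-PC
TCP/IP Hostname = case-pc
----------------------------------------
typedurls v.20080324
(NTUSER.DAT) Returns contents of user's TypedURLs key.

Software\\Microsoft\\Internet Explorer\\TypedURLs
LastWrite Time Wed Sep 24 10:15:02 2014 (UTC)
  url1 -> http://example.invalid/
----------------------------------------
samparse v.20120722
(SAM) Parse SAM file for user & group mbrshp info

User Information
-------------------------
Username        : analyst [1000]
Last Login Date : Thu Sep 25 08:01:44 2014 Z
"""

SEPARATOR = re.compile(r"^-{30,}\s*$")          # plugin separator (assumed 40 dashes)
HEADER = re.compile(r"^(?P<plugin>\S+)\s+v\.(?P<version>\S+)\s*$")
HIVE_LINE = re.compile(r"^\((?P<hive>[^)]+)\)\s*(?P<desc>.*)$")


@dataclass
class Section:
    plugin: str
    version: str
    hive: str
    description: str
    body: str
    relevant: bool = False
    notes: list = field(default_factory=list)


def _block_to_section(lines):
    """Turn one plugin block (header, hive line, data) into a Section."""
    while lines and not lines[0].strip():
        lines.pop(0)
    header = HEADER.match(lines[0])
    if header:
        plugin, version = header.group("plugin"), header.group("version")
    else:
        plugin, version = lines[0].strip(), ""
    hive, desc, idx = "unknown", "", 1
    if len(lines) > 1:
        m = HIVE_LINE.match(lines[1])
        if m:
            hive, desc, idx = m.group("hive"), m.group("desc"), 2
    body = "\n".join(lines[idx:]).strip("\n")
    return Section(plugin, version, hive, desc, body)


def parse_rip_output(text):
    """Split RegRipper output on separator lines into Section objects."""
    sections, block = [], []
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if any(l.strip() for l in block):
                sections.append(_block_to_section(block))
            block = []
            continue
        block.append(line)
    if any(l.strip() for l in block):           # trailing block without separator
        sections.append(_block_to_section(block))
    return sections


def annotate(sections, annotations):
    """annotations maps plugin name -> (case_relevant, [analyst notes])."""
    for s in sections:
        if s.plugin in annotations:
            relevant, notes = annotations[s.plugin]
            s.relevant = relevant
            s.notes.extend(notes)
    return sections


def to_report_xml(sections, order, relevant_only=False):
    """Emit sections as XML; sections named in `order` come first, others last."""
    rank = {name: i for i, name in enumerate(order)}
    chosen = [s for s in sections if s.relevant or not relevant_only]
    chosen.sort(key=lambda s: (rank.get(s.plugin, len(order)), s.plugin))
    root = ET.Element("registry_report")
    for s in chosen:
        el = ET.SubElement(root, "section", plugin=s.plugin, version=s.version,
                           hive=s.hive, relevant=str(s.relevant).lower())
        ET.SubElement(el, "description").text = s.description
        ET.SubElement(el, "data").text = s.body
        for note in s.notes:
            ET.SubElement(el, "note").text = note
    return ET.tostring(root, encoding="unicode")


def build_report(text, annotations, order, relevant_only=True):
    """Parse, annotate and render in one step."""
    return to_report_xml(annotate(parse_rip_output(text), annotations), order, relevant_only)


if __name__ == "__main__":
    marks = {"compname": (True, []),
             "typedurls": (True, ["Matches browser activity in the timeline at 10:15 UTC"])}
    print(build_report(SAMPLE_RIP_OUTPUT, marks, ["compname", "typedurls", "samparse"]))
```

Keeping the raw plugin body verbatim under `<data>` and putting the analyst's judgement in attributes and `<note>` elements keeps the evidence and the interpretation separable, which is what a reviewer of the report will want to check.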
