Registry analysis
Name | From | Description |
---|---|---|
ForensicUserInfo | Woanware | Extracts user information from the SAM, SOFTWARE and SYSTEM hive files and decrypts the LM/NT hashes from the SAM file |
Process Monitor | Microsoft | Examine Windows processes and registry threads in real time |
Registry Decoder | US National Institute of Justice, Digital Forensics Solutions | For the acquisition, analysis, and reporting of registry contents |
RegRipper | Harlan Carvey | Registry data extraction and correlation tool |
Regshot | Regshot | Takes snapshots of the registry, allowing comparisons, e.g., to show registry changes after installing software |
sbag | TZWorks | Extracts data from Shellbag entries |
USB Device Forensics | Woanware | Details previously attached USB devices on exported registry hives |
USB Historian | 4Discovery | Displays 20+ attributes relating to USB device use on Windows systems |
USBDeview | Nirsoft | Details previously attached USB devices |
User Assist Analysis | 4Discovery | Extracts SID, User Names, Indexes, Application Names, Run Counts, Session, and Last Run Time Attributes from UserAssist keys |
UserAssist | Didier Stevens | Displays list of programs run, with run count and last run date and time |
Windows Registry Recovery | MiTec | Extracts configuration settings and other information from the Registry |