registry-forensics

Registry Forensics

Comprehensive Windows Registry forensics skill for analyzing registry hives to uncover user activity, malware persistence, system configuration, and evidence of program execution. Enables extraction of forensically valuable artifacts from SAM, SYSTEM, SOFTWARE, NTUSER.DAT, and other registry hives.

Capabilities

  • Registry Hive Parsing: Parse all Windows registry hive types (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, USRCLASS.DAT)
  • Persistence Analysis: Identify autorun entries, services, and scheduled tasks
  • User Activity Tracking: Extract recent documents, typed URLs, search history
  • Program Execution: Analyze UserAssist, Shimcache, Amcache, BAM/DAM
  • USB Device History: Extract connected USB device information
  • Network History: Analyze network connection history and profiles
  • System Configuration: Extract OS version, timezone, computer name
  • Malware Indicators: Detect known malicious registry patterns
  • Timeline Generation: Create registry-based activity timeline
  • Registry Comparison: Compare registry states for change detection

Quick Start

Installs: 11 | GitHub Stars: 4 | First Seen: Feb 10, 2026