This report describes the features and manufacturer claims for Registry Decoder Version R2 (live) and 1.2 (offline), which is a tool that automates the acquisition and analysis of registry files, and the report also presents results from the tool's performance testing by the National Institute of Justice's Electronic Crime Technology Center of Excellence.
There are two components of Registry Decoder: an online (live) tool that collects registry files from a running machine, and an offline tool that performs some preprocessing and then allows analysis. This report contains the official instructions for only the online component, with Web sites noted for the offline component. The current version of Registry Decoder Live is able to acquire the current registry files, as well as the historical registry files, from the 32- and 64-bit versions of Windows XP, Vista, and Windows 7. Historical files are collected on XP through the System Restore facility and on Vista and Windows 7 through interaction with the Volume Shadow Service. The acquisition of historical data ensures that as much evidence as possible is acquired for analysis.

The performance testing of Registry Decoder found that it provides a simple and easy method for acquiring current and backup copies of the registry hives from a running system, and an easy, menu-driven, and scalable method of examining registry hives. Registry Decoder's capability of adding registry hives from multiple computer systems allows an investigator to conduct registry searches, analysis, and comparisons across all of those systems. Running Registry Decoder's offline program on the data acquired with the live program provided access to more backup registries than using dd image files. Information is provided on the test bed configuration, and results are presented from each of the four types of testing conducted. Extensive figures
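Hives copied from a running system, or pulled from a restore point or shadow copy, should be sanity-checked before they are loaded for analysis: a hive whose primary and secondary sequence numbers disagree was captured mid-write (a "dirty" hive) and may need its transaction logs applied, and a bad base-block checksum points to a truncated or corrupted copy. The following Python is an added example and is not Registry Decoder's code or the report's; it parses the standard `regf` base block (signature, sequence numbers, last-written FILETIME, version, embedded hive name, checksum) and walks the `hbin` chain, then runs those checks against a constructed, in-memory sample hive. The sample hive, its FILETIME value and the name `\Config\SYSTEM` are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 0x1000   # the regf base block occupies the first 4 KiB; hbins start after it
HEADER_LEN = 0x200         # only the first 512 bytes of the base block carry fields


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs that precede the checksum field at 0x1FC."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        csum ^= dword
    # Windows remaps the two reserved edge values
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_base_block(data: bytes) -> dict:
    """Decode the regf header and report the integrity checks an analyst wants before loading a hive."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than a regf base block header")
    bb = data[:HEADER_LEN]
    (sig, seq1, seq2, ft, major, minor,
     ftype, fmt, root, hbins_size) = struct.unpack_from("<4sIIQIIIIII", bb, 0)
    name = bb[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", bb, 0x1FC)[0]
    return {
        "signature_ok": sig == b"regf",
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "dirty": seq1 != seq2,            # sequence mismatch: captured mid-write, logs not applied
        "last_written": filetime_to_datetime(ft),
        "version": f"{major}.{minor}",
        "file_type": ftype,               # 0 = primary hive file
        "root_cell_offset": root,         # relative to the first hbin
        "hbins_size": hbins_size,
        "name": name,
        "checksum_ok": stored == regf_checksum(bb),
    }


def walk_hbins(data: bytes) -> dict:
    """Follow the hbin chain after the base block; stop at the first malformed bin."""
    pos = BASE_BLOCK_SIZE
    count = 0
    while pos + 0x20 <= len(data):
        sig, rel_off, size = struct.unpack_from("<4sII", data, pos)
        # each bin must carry the signature, its own relative offset and a 4 KiB-multiple size
        if sig != b"hbin" or size == 0 or size % 0x1000 or rel_off != pos - BASE_BLOCK_SIZE:
            break
        count += 1
        pos += size
    return {"hbin_count": count, "hbins_total": pos - BASE_BLOCK_SIZE}


def build_sample_hive(primary_seq: int, secondary_seq: int, name: str = "\\Config\\SYSTEM") -> bytes:
    """Constructed sample (not a real hive): a base block plus one empty 4 KiB hbin."""
    bb = bytearray(BASE_BLOCK_SIZE)
    ft = 132000000000000000  # constructed FILETIME, falls in 2019
    struct.pack_into("<4sIIQIIIIIII", bb, 0, b"regf", primary_seq, secondary_seq, ft,
                     1, 5, 0, 1, 0x20, 0x1000, 1)
    bb[0x30:0x70] = name.encode("utf-16-le").ljust(0x40, b"\x00")[:0x40]
    struct.pack_into("<I", bb, 0x1FC, regf_checksum(bytes(bb)))
    hbin = bytearray(0x1000)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, 0x1000)
    return bytes(bb) + bytes(hbin)


if __name__ == "__main__":
    for label, hive in (("clean", build_sample_hive(5, 5)), ("dirty", build_sample_hive(6, 5))):
        info = parse_base_block(hive)
        bins = walk_hbins(hive)
        print(label, info["name"], info["version"], info["last_written"].date(),
              "dirty" if info["dirty"] else "consistent",
              "checksum ok" if info["checksum_ok"] else "CHECKSUM MISMATCH",
              "hbins match header" if bins["hbins_total"] == info["hbins_size"] else "hbin size MISMATCH")
```

To use it on real acquisitions, read each hive file with `open(path, "rb").read()` and feed it to `parse_base_block` and `walk_hbins`; a dirty flag on a hive taken from a running system is expected and means the corresponding `.LOG` files should be acquired alongside it, while a checksum or hbin-size mismatch on a copy taken from a restore point or shadow copy is a reason to re-acquire rather than analyze.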