// evidence type
registry hive / transaction log
SYSTEM/SOFTWARE/SAM/NTUSER.DAT · reg export · transaction logs. autoruns, persistence, deleted keys, ACL tampering — windows endpoint bread and butter.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this evidence type.
- registry hive parser: drop a Windows registry hive · NTUSER.DAT · SOFTWARE · SYSTEM · browse keys and values · export CSV · runs locally
- registry autoruns & services parser: drop NTUSER.DAT · SOFTWARE · or SYSTEM hive · parse Run keys · services · scheduled load points · flag suspicious paths · export CSV · runs locally
- registry timeline builder: drop registry timeline csvs or reg exports · merge last-write timestamps · burst detection · hourly histogram · csv export · runs locally
- registry hunting tool: drop registry hive or reg export · regex and substring search · 20 preset forensic queries · csv export · runs locally
- registry diff tool: drop before and after registry exports · added, deleted and modified values · severity scoring · csv export · runs locally
- registry deleted key recovery tool: drop a raw registry hive binary · scan hive for deleted but not overwritten key and value structures · recover key names · value names · value data · creation timestamps · forensic registry carving · runs locally
- registry hive carver from disk image: drop a raw disk image or memory dump · scan for registry hive fragments by regf signature · extract and reconstruct partial hives · identify additional registry hives beyond the standard locations · runs locally
- registry transaction log gap analyzer: drop registry hive and transaction log files · detect gaps or corruption in registry transaction logs · identify hive states inconsistent with their transaction history · surface evidence of offline hive editing bypassing transactions · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- registry key deletion burst detector: drop registry transaction log or security evtx csv · detect rapid bulk registry key deletion · identify scripted registry cleanup operations · surface anti-forensic registry wiping patterns · runs locally
- registry autorun entry removal detector: drop security evtx csv or registry diff export · detect persistence mechanism removal · identify autorun keys deleted during investigation window · surface attacker cleanup of persistence artifacts · runs locally
- registry last write time regression detector: drop registry export with timestamps from multiple snapshots · detect registry keys whose last write time regressed between snapshots · identify impossible timestamp rollbacks in registry key history · surface offline editing and hive restoration artifacts · runs locally
- registry hive rollback detector: drop registry hive exports from multiple control sets · detect values present in backup hive but absent in current · identify registry keys deleted between snapshots · surface rollback evidence · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally