drop registry hive and transaction log files · detect gaps or corruption in registry transaction logs · identify hive states inconsistent with their transaction history · surface evidence of offline hive editing bypassing transactions · runs locally
registry hive + logs
SYSTEM/SAM/NTUSER.DAT · .LOG1/.LOG2 · base block sequence check · offline edit · chntpw · Registry Recon · NTOffline
drop registry hive binary (.dat) · optional .LOG1/.LOG2 · optional execution artifact csv