Registry Explorer

How to use Registry Explorer to parse the Windows Registry in order to provide evidence in support of various malicious activities during incident investigations.

Registry Explorer allows Windows registry hives to be interrogated and parsed for a wide variety of forensic artifacts. The tool comes in two versions, a GUI and a command line interface. Eric Zimmerman has created several plugins that allow automated parsing for certain forensic objects.

Tool Name

Version

MITRE ATT&CK Tactic

MITRE ATT&CK Technique

V1.6.0.0

Instructions

Loading a Hosts Registry via Registry Explorer

Run RegistryExplorer.exe as an Administrator if interrogating a live host
Hive Selection

Live Host: Navigate to menu option File and Live System and then select the desired registry hive
Registry Dump: Navigate to menu option Load Hive and navigate to the desired registry hive via Explorer.

Hive details can be exported to several formats via the menu option File and Export

Parsing the AmCache.hve for Evidence of Execution

Interesting Keys

Root\
- InventoryDeviceContainer: OS devices such as bluetooth, printers, etc. Has links to DevicePnps
- InventoryDevicePnP: Plug and Play (PnP) devices such as bluetooth, USB, etc. More verbose details than those contained in DeviceContainers
- InventoryDriverBinary: System Drivers
- InventoryDriverPackage: Package information that links to both DeviceContainers and DevicePnPs
- InventoryApplicationShortcut: .LNK files

Parsing the BAM/DAM for Evidence of Execution

Execution Time is a reference to the last execution time.

Parsing the LastVisitedMRU for Evidence of Execution

Interesting Fields

Executable: Records the parent application
Absolute Path: Records the file opened
Opened On: Date-time-group of last access time

Parsing the ShimCache (AppCompatCache) for Evidence of Execution

Interesting Fields

Program Name: Records the full executable filepath
Modified Time: Date-time-group of last access time

PreviousDFIR Toolkits NextIncident Timelines

Last updated 1 year ago

Registry Explorer

How to use Registry Explorer to parse the Windows Registry in order to provide evidence in support of various malicious activities during incident investigations.

Tool Name

Version

MITRE ATT&CK Tactic

MITRE ATT&CK Technique

V1.6.0.0

Instructions

Loading a Hosts Registry via Registry Explorer

Run RegistryExplorer.exe as an Administrator if interrogating a live host
Hive Selection

Live Host: Navigate to menu option File and Live System and then select the desired registry hive
Registry Dump: Navigate to menu option Load Hive and navigate to the desired registry hive via Explorer.

Hive details can be exported to several formats via the menu option File and Export

Parsing the AmCache.hve for Evidence of Execution

Interesting Keys

Root\
- InventoryDeviceContainer: OS devices such as bluetooth, printers, etc. Has links to DevicePnps
- InventoryDevicePnP: Plug and Play (PnP) devices such as bluetooth, USB, etc. More verbose details than those contained in DeviceContainers
- InventoryDriverBinary: System Drivers
- InventoryDriverPackage: Package information that links to both DeviceContainers and DevicePnPs
- InventoryApplicationShortcut: .LNK files

Parsing the BAM/DAM for Evidence of Execution

Execution Time is a reference to the last execution time.

Parsing the LastVisitedMRU for Evidence of Execution

Interesting Fields

Executable: Records the parent application
Absolute Path: Records the file opened
Opened On: Date-time-group of last access time

Parsing the ShimCache (AppCompatCache) for Evidence of Execution

Interesting Fields

Program Name: Records the full executable filepath
Modified Time: Date-time-group of last access time

PreviousDFIR Toolkits NextIncident Timelines

Last updated 1 year ago