Registry Explorer

How to use Registry Explorer to parse the Windows Registry in order to provide evidence in support of various malicious activities during incident investigations.

Registry Explorer allows Windows registry hives to be interrogated and parsed for a wide variety of forensic artifacts. The tool comes in two versions, a GUI and a command line interface. Eric Zimmerman has created several plugins that allow automated parsing for certain forensic objects.

Tool Name

Version

MITRE ATT&CK Tactic

MITRE ATT&CK Technique

Registry Explorer (RECmd) Registry Explorer (GUI)

V1.6.0.0

Execution Persistence Defense Evasion Credential Access

Instructions

Loading a Hosts Registry via Registry Explorer

Run RegistryExplorer.exe as an Administrator if interrogating a live host
Hive Selection

Live Host: Navigate to menu option File and Live System and then select the desired registry hive
Registry Dump: Navigate to menu option Load Hive and navigate to the desired registry hive via Explorer.

Hive details can be exported to several formats via the menu option File and Export

Parsing the AmCache.hve for Evidence of Execution

Interesting Keys

Root\
- InventoryDeviceContainer: OS devices such as bluetooth, printers, etc. Has links to DevicePnps
- InventoryDevicePnP: Plug and Play (PnP) devices such as bluetooth, USB, etc. More verbose details than those contained in DeviceContainers
- InventoryDriverBinary: System Drivers
- InventoryDriverPackage: Package information that links to both DeviceContainers and DevicePnPs
- InventoryApplicationShortcut: .LNK files