Daily Blog #601: Live Registry Triage and Testing

Live Registry Triage and Testing by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
          Well, I attempted to do a test kitchen tonight, but VMware Workstation didn't want to cooperate. What I wanted to show is summarized in the blog post below from Eric Zimmerman:


Eric has added the ability for his registry tools and MFT Explorer to read files that are locked on a running system. This means you can now access ShellBag data with dates, view and search registry hives, parse Amcache hives, run registry plugins and parse MFTs on a live machine, all without imaging the disk or extracting the files first.

This is a pretty big step. Note that it requires running the programs as an administrator, because getting past the lock means reading the raw disk rather than going through the normal file open. I hope you take a moment to give them a spin, as I will when I get a VM to boot!
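To show what the locked-file problem looks like and why the raw-disk route needs an elevated token, here is an added PowerShell example of my own (not Eric's code and not how his tools are implemented). It assumes the system volume is C:, the default hive path under the Windows directory, and the standard NTFS boot-sector layout; the hive path and volume name are parameters you can change.

```powershell
# Added example: demonstrate the sharing violation on a live hive, then read the
# NTFS boot sector and first MFT record straight from the raw volume.
# Assumptions: volume \\.\C:, hive at %SystemRoot%\System32\config\SYSTEM,
# cluster size encoded as a plain sector count (true for typical 4 KB clusters).

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HiveLocked {
    param([string]$Path = "$env:SystemRoot\System32\config\SYSTEM")
    try {
        # Even with the most permissive share mode, a normal open fails:
        # the kernel holds loaded hives open with no share access.
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open,
                              [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $false
    } catch [IO.IOException] {
        return $true   # sharing violation: file is in use by another process
    } catch [UnauthorizedAccessException] {
        return $true   # ACL denies the open (typical when not elevated)
    }
}

function Read-RawVolumeMftHeader {
    param([string]$Volume = '\\.\C:')
    # Opening a volume device handle requires an administrator token, and reads
    # must stay sector aligned; this is the step that needs "run as administrator".
    $fs = New-Object IO.FileStream($Volume, [IO.FileMode]::Open,
                                   [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $boot = New-Object byte[] 512
        [void]$fs.Read($boot, 0, 512)

        # NTFS boot sector fields (offsets from the on-disk layout)
        $oem = [Text.Encoding]::ASCII.GetString($boot, 3, 8)        # 0x03: OEM ID
        if ($oem -ne 'NTFS    ') { throw "Not an NTFS volume (OEM ID '$oem')" }
        $bytesPerSector    = [BitConverter]::ToUInt16($boot, 0x0B)  # 0x0B: 2 bytes
        $sectorsPerCluster = $boot[0x0D]                            # 0x0D: 1 byte
        $mftLcn            = [BitConverter]::ToInt64($boot, 0x30)   # 0x30: $MFT start LCN

        # Byte offset of the $MFT, then read its first 1024-byte record ($MFT itself)
        $mftOffset = $mftLcn * $sectorsPerCluster * $bytesPerSector
        [void]$fs.Seek($mftOffset, [IO.SeekOrigin]::Begin)
        $record = New-Object byte[] 1024
        [void]$fs.Read($record, 0, 1024)
        $signature = [Text.Encoding]::ASCII.GetString($record, 0, 4)  # expect 'FILE'

        [pscustomobject]@{
            BytesPerSector       = $bytesPerSector
            SectorsPerCluster    = $sectorsPerCluster
            MftLcn               = $mftLcn
            MftByteOffset        = $mftOffset
            FirstRecordSignature = $signature
        }
    } finally {
        $fs.Dispose()
    }
}

if (-not (Test-IsAdmin)) {
    Write-Warning 'Run from an elevated prompt: raw volume access needs an administrator token.'
    return
}
"SYSTEM hive locked for a normal open: $(Test-HiveLocked)"
Read-RawVolumeMftHeader | Format-List
```

The first function shows the wall a plain file copy hits; the second shows the start of the way around it: once you can read the volume device you can locate the $MFT, and from there walk to the hive's MFT record and its data runs to read the hive bytes directly. That record-walking is the part the tools handle for you; this example stops at verifying the 'FILE' signature so you can confirm the offsets are right on your own machine.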

