Daily Blog #601: Live registry triage and testing
Hello Reader,
Well, I attempted to do a test kitchen tonight, but VMware Workstation didn't want to cooperate. What I wanted to show is summarized in the blog post below from Eric Zimmerman:
https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html
Eric has added the ability for his registry tools and MFT Explorer to read files that are locked on a running system, such as the registry hives and $MFT. This means you can now access shellbag data with their timestamps, view and search registry hives, parse the Amcache hive, run registry plugins and parse the MFT, all without imaging the disk or extracting files from the live system.
This is a pretty big step. Because the tools get around the file locks by reading the raw disk, they must be run as an administrator. I hope you take a moment to give them a spin, as I will when I get a VM to boot!
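To make the "raw disk" point concrete, here is an added example that is not from the post and not code from Eric Zimmerman's tools. A normal CreateFile on C:\$MFT or a loaded hive fails with a sharing violation, but an elevated process can open the volume device (\\.\C:) and read any sector it likes. The script parses an NTFS boot sector to find where $MFT starts and reads the first MFT record straight from the volume. The boot sector used for the offline check is constructed sample data, and the volume path and the 512-byte sector size are assumptions.

```python
"""
Added example: locate and read the first $MFT record from a raw NTFS volume.
Reading the volume device bypasses per-file sharing locks, which is why this
(and live triage tools that do the same) needs administrator rights.
"""
import os
import struct
import sys


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS boot sector fields needed to find $MFT on disk."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    spc = sector[0x0D]
    if spc > 0x80:
        # Large clusters are encoded as 2**(256 - value) sectors.
        spc = 2 ** (256 - spc)
    cluster_size = bytes_per_sector * spc
    mft_cluster = struct.unpack_from("<Q", sector, 0x30)[0]
    mirror_cluster = struct.unpack_from("<Q", sector, 0x38)[0]
    # Clusters per MFT record is a signed byte: a negative value n means the
    # record is 2**(-n) bytes (the usual 0xF6 gives 1024-byte records).
    raw = struct.unpack_from("<b", sector, 0x40)[0]
    record_size = 2 ** (-raw) if raw < 0 else raw * cluster_size
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": spc,
        "cluster_size": cluster_size,
        "mft_offset": mft_cluster * cluster_size,
        "mft_mirror_offset": mirror_cluster * cluster_size,
        "mft_record_size": record_size,
    }


def build_sample_boot_sector() -> bytes:
    """Constructed 512-byte NTFS boot sector (sample data, not from a real disk)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x52\x90"                   # jump instruction
    sec[3:11] = b"NTFS    "                     # OEM ID
    struct.pack_into("<H", sec, 0x0B, 512)      # bytes per sector
    sec[0x0D] = 8                               # 8 sectors per cluster = 4096 bytes
    struct.pack_into("<Q", sec, 0x28, 0x1DFFFFF)  # total sectors
    struct.pack_into("<Q", sec, 0x30, 0xC0000)  # $MFT start cluster
    struct.pack_into("<Q", sec, 0x38, 2)        # $MFTMirr start cluster
    struct.pack_into("<b", sec, 0x40, -10)      # 2**10 = 1024-byte MFT records
    struct.pack_into("<b", sec, 0x44, 1)        # clusters per index record
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def is_elevated() -> bool:
    """True when the process can expect to open raw volume handles."""
    if sys.platform == "win32":
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def read_first_mft_record(volume: str = r"\\.\C:") -> bytes:
    """Open the raw volume (assumed path; needs Administrator) and return MFT record 0."""
    # buffering=0 keeps reads sector-aligned, which raw device handles require.
    with open(volume, "rb", buffering=0) as dev:
        geom = parse_ntfs_boot_sector(dev.read(512))
        dev.seek(geom["mft_offset"])
        record = dev.read(geom["mft_record_size"])
    if record[:4] != b"FILE":
        raise ValueError("did not find a FILE record at the $MFT offset")
    return record


if __name__ == "__main__":
    geom = parse_ntfs_boot_sector(build_sample_boot_sector())
    print("sample volume: $MFT at byte offset", geom["mft_offset"])
    if sys.platform == "win32" and is_elevated():
        rec = read_first_mft_record()
        print("live $MFT record 0 signature:", rec[:4])
    else:
        print("run elevated on Windows to read the live $MFT")
```

The offline part only parses the constructed boot sector; the live read path is the same mechanism the post describes and, as expected, fails with access denied when the script is not elevated.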
Reviewed by David Cowen on January 18, 2019