
Two Types of acquisition

RegAcquire is a batch script that acquires Windows Registry dumps. It makes use of two other programs, RawCopy and FCIV (File Checksum Integrity Verifier); for simplicity, the batch script and the necessary supporting files were built together into a standalone executable.

RegAcquire makes use of reg export, which is built into Windows.

Since reg export strips away some information, RegAcquire also acquires the physical hive files from the Windows system. These are live files, meaning they are constantly in use, which makes it difficult to copy them normally. VSS (Volume Shadow Copy) is used to capture these files through RawCopy.

File Checksum Integrity Verifier (FCIV) is used to hash the files as well as to check the integrity of the forensic copy. These two additional applications were chosen to ensure that RegAcquire can run on any targeted Windows operating system from Windows 7 upwards, since not all computers have the built-in features that could otherwise have been used for this purpose.

Forensically sound

RegAcquire logs each process and creates MD5 hashes of each file for verifiability.

Since the original files are never used directly in digital forensics, RegAcquire makes a forensically sound copy: it copies the original files, logs each one, and then verifies the copy by hashing the copied files and comparing the hashes with those of the originals. The original files are marked as read-only, and the hash file is given special permissions so that it cannot easily be written to or modified by anyone. RegAcquire performs a two-phase hash log so that changes to the files can be detected: hashes are logged both for the acquired registry dumps and over the entire lifespan of a RegAcquire run. This is a measure for authenticity and is only checked when there are suspicions.
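The copy-log-hash-compare cycle above, and the hashing role FCIV plays in the acquisition, are easiest to see in code. The following is an added Python example, not RegAcquire's own batch script: it builds a constructed acquisition (a stand-in reg export file and a fake hive file), writes a read-only MD5 hash log in a simple "digest  filename" format of my own (not FCIV's output format), verifies the forensic copy against the log, and then shows that a post-acquisition change to one copied file is detected on the second-phase check. File names, contents and the log format are all constructed for illustration.

```python
"""Two-phase MD5 hash log modelled on the RegAcquire verification steps.
Added example (not RegAcquire code); names, contents and log format are
constructed for illustration only."""
import hashlib
import shutil
import stat
import tempfile
from pathlib import Path


def md5_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large hive files need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hash_log(files, log_path: Path) -> dict:
    """Phase 1: hash every acquired dump, record one 'md5  name' line each,
    then make the log read-only so it is not casually overwritten."""
    hashes = {p.name: md5_file(p) for p in files}
    with log_path.open("w") as log:
        for name, digest in sorted(hashes.items()):
            log.write(f"{digest}  {name}\n")
    log_path.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return hashes


def read_hash_log(log_path: Path) -> dict:
    """Parse the constructed 'md5  name' log format back into a dict."""
    entries = {}
    for line in log_path.read_text().splitlines():
        digest, _, name = line.partition("  ")
        entries[name] = digest
    return entries


def verify_copy(copy_dir: Path, log_path: Path) -> dict:
    """Phase 2: rehash the forensic copy and compare with the logged hashes.
    Returns {name: 'ok' | 'modified' | 'missing'} for every logged file."""
    expected = read_hash_log(log_path)
    result = {}
    for name, digest in expected.items():
        target = copy_dir / name
        if not target.exists():
            result[name] = "missing"
        elif md5_file(target) != digest:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo() -> dict:
    """Constructed acquisition: originals, forensic copy, hash log, then a
    simulated change to one copied file followed by a re-verification."""
    root = Path(tempfile.mkdtemp(prefix="regacquire_demo_"))
    try:
        orig, copy = root / "original", root / "copy"
        orig.mkdir()
        copy.mkdir()
        # Constructed stand-ins for a reg export dump and a raw hive file.
        (orig / "SYSTEM.reg").write_text("Windows Registry Editor Version 5.00\r\n")
        (orig / "SAM").write_bytes(b"regf" + b"\x00" * 60)  # fake hive header
        files = sorted(orig.iterdir())
        # Byte-for-byte forensic copy; originals are then marked read-only.
        for p in files:
            (copy / p.name).write_bytes(p.read_bytes())
            p.chmod(stat.S_IRUSR)
        log = root / "hashes.md5"
        write_hash_log(files, log)
        before = verify_copy(copy, log)   # both entries report 'ok'
        with (copy / "SAM").open("ab") as f:
            f.write(b"X")                 # simulate a post-acquisition change
        after = verify_copy(copy, log)    # SAM now reports 'modified'
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The second verify_copy call is the "suspicion" check: the log written at acquisition time is never rewritten, so any later change to a copied dump shows up as a hash mismatch rather than silently replacing the reference value.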

  • System Analysis
  • OS Analysis
  • Application Analysis
  • Network Analysis
  • Device Analysis
  • ShimCache Analysis
  • Registry Viewer
  • Reporting
  • Hash Generator

Screenshots

The various interfaces of the tools built.

  • RegAcquire startup detecting system support.
  • Getting reg export dumps.
  • RawCopy getting hive files.
  • Making forensic copy.
  • Verifying dumps.
  • Dumps acquired.
  • Logging of the process.
  • Hash of the files.
  • RegSmart Introduction.
  • RegSmart Home Page.
  • RegSmart Importing dumps.
  • RegSmart Hashing interface.
  • RegSmart File Hashing.
  • RegSmart Folder Hashing.
  • Registry Viewer.
  • ShimCache Analysis.
  • RegSmart Reporting.

Research

Due to the rise in risks in the current digital age, we anticipate more cyber-crime. Criminal footprints can appear in the Windows registry, where large amounts of data regarding several aspects of a computer are stored. It is often difficult for police officers and digital forensic investigators to fully analyse the Windows registry because of its vastness and a lack of understanding of it. Performing analysis and finding evidence in the Windows registry is a very tedious and time-consuming process. Time (both for evidence collection and for analysis) and the complexity of extracting evidence from cyber-crime scenes are just some of the fundamental factors that inhibit the effectiveness of a forensic investigation.

These tools were developed for research purposes in an attempt to harness the Windows Registry and reduce analysis times, by performing various types of analysis, extracting useful information, and generating reports from the completed analysis. The tools are free and open source, and we urge people to contribute to them. The code is available on GitHub at

  https://github.com/AvinashSingh786/RegAcquire
  https://github.com/AvinashSingh786/RegSmart

There are still areas that haven't been explored in this research due to time constraints. However, they will be incorporated soon.
