NCJRS Abstract


  NCJ Number: NCJ 239593
  Title: Registry Decoder Version R2 (Live) & 1.2 (Offline) Evaluation Report
  Corporate Author: NIJ Criminal Justice Electronic Crime Technology Ctr of Excellence
United States of America
  Date Published: 08/2012
  Page Count: 22
  Annotation: This report describes the features and manufacturer claims for Registry Decoder Version R2 (live) and 1.2 (offline), a tool that automates the acquisition and analysis of Windows registry files. It also presents the results of performance testing of the tool by the National Institute of Justice's Electronic Crime Technology Center of Excellence.
  Abstract: Registry Decoder has two components: an online (live) tool that collects registry files from a running machine, and an offline tool that performs some preprocessing and then allows analysis. This report contains the official instructions for only the online component, with Web sites noted for the offline component. The current version of Registry Decoder Live is able to acquire the current registry files, as well as the historical registry files, from the 32- and 64-bit versions of Windows XP, Vista, and Windows 7. Historical files are collected on XP through the System Restore facility and on Vista and Windows 7 through interaction with the Volume Shadow Service. Acquiring historical data ensures that as much evidence as possible is available for analysis. The performance testing of Registry Decoder found that it provides a simple and easy method for acquiring current and backup copies of the registry hives from a running system, and an easy, menu-driven, and scalable method of examining registry hives. Registry Decoder's capability of adding registry hives from multiple computer systems allows an investigator to conduct registry searches, analysis, and comparisons across all of those systems. Running Registry Decoder's offline program on the data acquired with the live program provided access to more backup registries than using dd image files. Information is provided on the test bed configuration, and results are presented from each of the four types of testing conducted. Extensive figures
  Main Term(s): Computer related crime
  Index Term(s): Evidence collection ; Testing and measurement ; Computer software ; Equipment evaluation ; Computer aided investigations ; Computer evidence
  Sale Source: National Law Enforcement and Corrections Technology Center (NLECTC)
700 N. Frederick Ave.
Bldg. 181, Room 1L30
Gaithersburg, MD 20879
United States of America
  Type: Test/Measurement
  Country: United States of America
  Language: English