NCJRS Abstract

NCJ Number: NCJ 239593
Title: Registry Decoder Version R2 (Live) & 1.2 (Offline) Evaluation Report
Corporate Author: NIJ Criminal Justice Electronic Crime Technology Ctr of Excellence
United States of America
Date Published: 08/2012
Page Count: 22
Sale Source: National Law Enforcement and Corrections Technology Center (NLECTC)
700 N. Frederick Ave.
Bldg. 181, Room 1L30
Gaithersburg, MD 20879
United States of America
Document: PDF
Type: Test/Measurement
Language: English
Country: United States of America
Annotation: This report describes the features and manufacturer claims for Registry Decoder Version R2 (live) and 1.2 (offline), which is a tool that automates the acquisition and analysis of registry files, and the report also presents results from the tool’s performance testing by the National Institute of Justice’s Electronic Crime Technology Center of Excellence.
Abstract: There are two components of the Registry Decoder: an online tool that collects files from a running machine, and an offline tool that performs some preprocessing and then allows analysis. This report contains the official instructions for only the online component, with Web sites noted for the offline component. The current version of Registry Decoder Live is able to acquire the current registry files, as well as the historical registry files, from the 32- and 64-bit versions of Windows XP, Vista, and Windows 7. Historical files are collected on XP through the System Restore facility and on Vista and Windows 7 through interaction with the Volume Shadow Service. The acquisition of historical data ensures that as much evidence as possible is acquired for analysis. The performance testing of Registry Decoder found that it provides a simple and easy method for acquiring current and backup copies of the registry hives from a running system, and it provides an easy, menu-driven, and scalable method of examining registry hives. The Registry Decoder’s capability of adding registry hives from multiple computer systems allows an investigator to conduct registry searches, analysis, and comparisons across all the computer systems. Running Registry Decoder’s Offline program using the data acquired with the live program provided access to more backup registries than using dd image files. Information is provided on the test bed configuration, and results are presented from each of the four types of testing conducted. Extensive figures
Main Term(s): Computer related crime
Index Term(s): Evidence collection ; Testing and measurement ; Computer software ; Equipment evaluation ; Computer aided investigations ; Computer evidence

To cite this abstract, use the following link:
https://www.ncjrs.gov/App/Publications/abstract.aspx?ID=261659