Table of Contents
- Page 1 – Introduction, Screenshots, Usage Scenarios
- Page 2 – Registry Explorer – GUI
- Page 3 – RECmd – Command Line, How to Use rla.exe, Examining RECmd Output (CSV)
- Page 4 – Conclusion, Registry-Related CTFs, Related Blog Posts/Videos, Change Log
Conclusion
Registry Explorer/RECmd is an essential tool for any digital forensic examiner's toolkit. There are lots of important artifacts stored in the registry that can help strengthen or even make a case. Plus, the tool is free, and because the registry can be examined either in the GUI or as CSV output in Timeline Explorer, there's something for everyone, with multiple ways to find the same answers.
Registry-Related CTFs
Investigation – InCTF Internationals 2020
Registry Explorer/RECmd-Related Blog Posts/Videos
DFIR Summit 2016: Plumbing the Depths – Windows Registry Internals
Episode 76: Investigating the Windows Registry using Registry Explorer – Part 1
Episode 77: Investigating the Windows Registry using Registry Explorer – Part 2
Episode 78: What is the Windows Registry transaction log?
Fast, Scalable Results with EZ Tools and the New Command line poster
Find Evil in 5 Easy Steps – Part2
Forensic Lunch Test Kitchen 1/18/19 Windows 7 New RECMD
Transaction logs and Registry Explorer
Change Log
- 10/6/2020 – Initial version published.
- 10/7/2020 – Added new details based on feedback from the community.
- 12/13/2020 – Added link to GitHub repository that hosts KAPE !EZParser output.