AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


Registry Explorer/RECmd is an essential tool for any digital forensic examiner’s toolkit. Many important artifacts stored in the registry can help strengthen or even make a case. Plus, the tool is free, and whether you examine the registry in the GUI or as CSV output in Timeline Explorer, there’s something for everyone, with multiple ways to find the same answers.

Registry-Related CTFs

Investigation – InCTF Internationals 2020

Investigation Continues – InCTF Internationals 2020

USB 2 – 2020 Defenit CTF

Registry Explorer/RECmd-Related Blog Posts/Videos

DFIR Summit 2016: Plumbing the Depths – Windows Registry Internals

Exploring Registry Explorer

Episode 76: Investigating the Windows Registry using Registry Explorer – Part 1

Episode 77: Investigating the Windows Registry using Registry Explorer – Part 2

Episode 78: What is the Windows Registry transaction log?

Fast, Scalable Results with EZ Tools and the New Command line poster

Find Evil in 5 Easy Steps – Part2

Forensic Lunch Test Kitchen 1/18/19 Windows 7 New RECMD

Transaction logs and Registry Explorer

Change Log

  • 10/6/2020 – Initial version published.
  • 10/7/2020 – Added new details based on feedback from the community.
  • 12/13/2020 – Added link to GitHub repository that hosts KAPE !EZParser output.