[Vol-users] searching registries

Mike Lambert dragonforen at hotmail.com
Tue May 15 20:31:17 CDT 2012

Hi Glenn,
I specifically need to search the registry files (disk forensics) extracted from compromised systems, not memory. I was looking for a free tool that non-forensic examiners (disk) could get for free. (Forensic examiners have tools, they just cost a lot.)
Thanks! I will look up Registry Decoder.
Have a good evening,

Date: Tue, 15 May 2012 20:51:02 -0400
From: hiddenillusion at gmail.com
To: dragonforen at hotmail.com
CC: vol-users at volatilityfoundation.org
Subject: Re: [Vol-users] searching registries

Create a list of the keys/values you want to search and supply them to the 'Printkey' plugin (http://code.google.com/p/volatility/wiki/CommandReference#printkey)

Additionally, depending on what you're searching against you can use Autoruns and parse its contents or if you want a GUI search, try Registry Decoder.

Glenn P. Edwards Jr.

On Tuesday, May 15, 2012 at 6:38 PM, Mike Lambert wrote:

One thing we need to do is search the registries for the keys that autorun malware. 
Does anyone know of a free tool that will do that?  I'm currently using Encase to do that but it is and expensive solution.
Harlan's RegRipper will dump some registry entries and sometimes it works, but it does not search.

Vol-users mailing list
Vol-users at volatilityfoundation.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20120515/26d90e18/attachment.html

More information about the Vol-users mailing list