Practical Windows Forensics by Konstantin Sapronov, Ayman Shaaban

Extracting registry hives

Performing a postmortem analysis of the system registry requires extracting the hive files from the filesystem. In this section, we will look at extracting them from a live system and from a forensic image.

Extracting registry files from a live system

Copying the backup files on a live system is quite easy: simply copy and paste them from %SystemRoot%\System32\config\RegBack, or type the following command in an administrator command prompt to have the system write a copy of a loaded hive for you:

reg save HKLM\<hive name> <savename>

As discussed earlier, these backup files could be 10 days old and may contain no trace of the incident under investigation. So, we need to extract the working hive files from %SystemRoot%\System32\config, and a plain copy of those is refused by the system because the files are locked while the registry has them in use:

Figure 9: Error in copying registry files ...
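The following script is an added example, not code from the book: it applies the reg save command above to the standard HKLM hives plus every user hive currently loaded under HKU, hashes each copy, and also preserves the RegBack backups for comparison. The destination path E:\case001\registry and the output file names are assumptions for illustration; run it from an elevated PowerShell prompt on the live system.

```powershell
# Added example (not from the book): snapshot the loaded registry hives on a live
# Windows system with reg.exe and record a hash manifest. Requires an elevated prompt.
param(
    [string]$Destination = "E:\case001\registry"   # assumed collection drive/path
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# HKLM hives that correspond to files in %SystemRoot%\System32\config.
# HKLM\HARDWARE is volatile (built at boot) and has no on-disk hive, so it is skipped.
$targets = @(
    @{ Key = 'HKLM\SAM';      File = 'SAM' },
    @{ Key = 'HKLM\SECURITY'; File = 'SECURITY' },
    @{ Key = 'HKLM\SOFTWARE'; File = 'SOFTWARE' },
    @{ Key = 'HKLM\SYSTEM';   File = 'SYSTEM' }
)

# Each subkey directly under HKU is a loaded user hive (NTUSER.DAT, or UsrClass.dat for
# the *_Classes keys). Save each under its SID so it can be tied back to an account later.
foreach ($userKey in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $sid = $userKey.PSChildName
    $targets += @{ Key = "HKU\$sid"; File = "HKU_$sid" }
}

$manifest = foreach ($t in $targets) {
    $out = Join-Path $Destination ($t.File + '.hiv')
    # reg save writes a consistent copy of the in-use hive; /y overwrites an existing file.
    & reg.exe save $t.Key $out /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg save failed for $($t.Key) (exit code $LASTEXITCODE)"
        continue
    }
    [pscustomobject]@{
        Key    = $t.Key
        File   = $out
        Bytes  = (Get-Item $out).Length
        SHA256 = (Get-FileHash -Algorithm SHA256 -Path $out).Hash
        Saved  = (Get-Date).ToString('o')
    }
}

# Also keep the OS's own periodic backups so the live snapshot can be diffed against them.
$regBack = Join-Path $env:SystemRoot 'System32\config\RegBack'
if (Test-Path $regBack) {
    $backupDest = Join-Path $Destination 'RegBack'
    New-Item -ItemType Directory -Path $backupDest -Force | Out-Null
    Copy-Item -Path (Join-Path $regBack '*') -Destination $backupDest -Force
}

$manifest | Export-Csv -Path (Join-Path $Destination 'hives.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: reg save flushes the hive and writes a self-consistent copy, so the output is usable with offline registry tools, but it is not a bit-for-bit copy of the on-disk file and it does not include the .LOG1/.LOG2 transaction logs; if exact on-disk copies are required, the locked files have to be read through the raw volume or a Volume Shadow Copy instead. And like any live-response action, running the script changes the system (new files, updated timestamps), so record the time and the commands executed in the case notes.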