[sleuthkit-users] timelines of windows registry
From: Uwe D. <uwe...@gm...> - 2005-01-19 10:29:09
In the past I used dumpreg to get a copy of the registry with timestamps, but dumpreg has problems with Unicode and subsets of registry hives, etc. Now I'm generating registry timelines on Windows with Total Commander and a registry plugin. The following steps are necessary:

- Importing files with Regedit on WinXP. (Here is one big problem: the ACLs of the imported SAM and SECURITY hives need to be changed, so the timestamps of SAM, SECURITY, SECURITY\Cache, SECURITY\Policy and SECURITY\RXACT will be overwritten.)
- Total Commander with the Registry Plugin for exporting the registry keys with timestamps: http://www.ghisler.com/ and http://www.totalcmd.net/plugring/registry.html - the plugin exports the hives' timestamps to a TXT file. (All keys and most of the values are exported as ASCII or Unicode.)
- grep and sort take care of the rest.

The described method - via Windows, admin rights, Registry Editor, Total Commander, and the Registry Plugin - is not very straightforward for forensic purposes. Does anyone know good tools for generating timelines of the Windows registry? Are there any existing read-only and open-source Windows-registry-timeline tools?

Regards,
Uwe.

-- 
"The greatest of all faults is to be conscious of none" Thomas Carlyle
Please use PGP - my PGP-key-ID: 0x0FD36935 (2048 Bit)
PGP-fingerprint: C9A6 0E4A 9EC5 FF24 4FF8 6BE5 1E02 1C74
key-server: http://the.earth.li/pgp_lookup.html
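The post's core complaint is that importing hives into a live registry rewrites key timestamps before they can be exported. An added example, not part of the post and not any tool it names: a small read-only walker that reads the "last written" FILETIME of every key directly from the bytes of a REGF hive file (the nk cells and their lf/lh/li/ri subkey lists, at the offsets given in the public hive format descriptions) and emits a sorted timeline, so nothing is ever loaded into a running Windows. Because a real SAM or SYSTEM file cannot be shipped here, the script constructs a tiny four-key toy hive in memory; the `_HiveBuilder` class, the key names and the dates are all made up for the demonstration, and only the parsing half would be used on a copied hive.

```python
"""Read-only key timeline straight from a REGF hive (added example, constructed data)."""
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000           # cell offsets in a hive are relative to the first hbin
KEY_COMP_NAME = 0x20         # nk flag: name stored as 8-bit chars instead of UTF-16LE
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - _EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def _cell(data, off):
    """Payload of the cell at hbin-relative offset `off` (4-byte size prefix stripped)."""
    pos = HBIN_BASE + off
    size = struct.unpack_from("<i", data, pos)[0]      # negative size = allocated cell
    return data[pos + 4 : pos + abs(size)]


def _subkey_offsets(data, list_off):
    """Expand an lf/lh/li/ri subkey list into the offsets of its nk cells."""
    p = _cell(data, list_off)
    sig, count = struct.unpack_from("<2sH", p, 0)
    if sig in (b"lf", b"lh"):                          # (offset, hash) pairs
        return [struct.unpack_from("<I", p, 4 + 8 * i)[0] for i in range(count)]
    if sig == b"li":                                   # bare offsets
        return [struct.unpack_from("<I", p, 4 + 4 * i)[0] for i in range(count)]
    if sig == b"ri":                                   # list of sub-lists
        return [o for i in range(count)
                for o in _subkey_offsets(data, struct.unpack_from("<I", p, 4 + 4 * i)[0])]
    raise ValueError(f"unknown subkey list type {sig!r}")


def _walk(data, nk_off, path, out):
    nk = _cell(data, nk_off)
    if nk[:2] != b"nk":
        raise ValueError(f"expected nk cell at {nk_off:#x}")
    flags, last_written = struct.unpack_from("<HQ", nk, 2)   # flags, FILETIME
    nsub, = struct.unpack_from("<I", nk, 0x14)               # number of stable subkeys
    sub_list, = struct.unpack_from("<I", nk, 0x1C)           # subkey list cell offset
    name_len, = struct.unpack_from("<H", nk, 0x48)
    raw = nk[0x4C : 0x4C + name_len]
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    full = f"{path}\\{name}" if path else name
    out.append((filetime_to_dt(last_written), full))
    if nsub:
        for off in _subkey_offsets(data, sub_list):
            _walk(data, off, full, out)


def registry_timeline(data):
    """Return [(datetime, key_path)] for every key in the hive, oldest first."""
    if data[:4] != b"regf":
        raise ValueError("not a regf hive")
    root_off, = struct.unpack_from("<I", data, 0x24)
    out = []
    _walk(data, root_off, "", out)
    return sorted(out)


# ---- constructed toy hive so the example runs offline (not a real hive) ----
class _HiveBuilder:
    def __init__(self):
        self.cells = bytearray(0x20)           # hbin header, filled in by finish()

    def add(self, payload):
        """Append an allocated, 8-byte-aligned cell; return its hbin-relative offset."""
        off = len(self.cells)
        size = 4 + len(payload)
        size += (-size) % 8
        self.cells += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return off

    def nk(self, name, when, subkeys=()):
        lst = 0xFFFFFFFF
        if subkeys:                            # an lf list of (offset, hash) entries
            lst = self.add(struct.pack("<2sH", b"lf", len(subkeys))
                           + b"".join(struct.pack("<I4x", o) for o in subkeys))
        body = bytearray(0x4C)
        struct.pack_into("<2sHQ", body, 0, b"nk", KEY_COMP_NAME, dt_to_filetime(when))
        struct.pack_into("<III", body, 0x14, len(subkeys), 0, lst)
        struct.pack_into("<I", body, 0x28, 0xFFFFFFFF)   # no values list
        struct.pack_into("<H", body, 0x48, len(name))
        return self.add(bytes(body) + name.encode("ascii"))

    def finish(self, root_off):
        free = 0x1000 - len(self.cells)        # trailing free cell pads the hbin
        self.cells += struct.pack("<i", free) + b"\0" * (free - 4)
        struct.pack_into("<4sII", self.cells, 0, b"hbin", 0, 0x1000)
        hdr = bytearray(0x1000)                # regf base block, minimal fields only
        struct.pack_into("<4sIIQIIII", hdr, 0, b"regf", 1, 1, 0, 1, 3, 0, 1)
        struct.pack_into("<II", hdr, 0x24, root_off, 0x1000)
        return bytes(hdr) + bytes(self.cells)


def build_toy_hive():
    """Constructed hive with keys ROOT, ROOT\\Alpha, ROOT\\Beta, ROOT\\Beta\\Gamma."""
    b = _HiveBuilder()
    t = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    alpha = b.nk("Alpha", t("2005-01-10T08:00:00"))
    gamma = b.nk("Gamma", t("2005-01-18T23:15:30"))
    beta = b.nk("Beta", t("2005-01-12T12:00:00"), subkeys=[gamma])
    root = b.nk("ROOT", t("2005-01-01T00:00:00"), subkeys=[alpha, beta])
    return b.finish(root)


if __name__ == "__main__":
    for when, key in registry_timeline(build_toy_hive()):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), key)
```

To use the parser on an actual hive, pass `open(path, "rb").read()` of a copied SAM, SECURITY or SYSTEM file to `registry_timeline()`; the file is only read, so the last-written times stay exactly as they were on the evidence. Value data, transaction logs and the header checksum are deliberately not handled here, and the parser trusts the offsets it finds, so run it on copies rather than mounted originals.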