Forensic Tools & Techniques Taxonomy
Forensic Functionality: Windows Registry Analysis
Technical Parameters:

| Windows | raw (dd) | active Registry | supports Registry rebuilding | supports deleted key recovery | supports display of key and value instances | support for pre-built reports |
| Mac | EnCase Evidence File Format Version 2 (.ex01) | active file system | Registry rebuilding unsupported | deleted key recovery not supported | no support for displaying key and value instances | pre-built reports not supported |
| Linux | Expert Witness (.e01) | Windows restore points | | | | |
| | virtual disk format (e.g., .vdi, .vhd, .vmdk) | volume shadow copies | | | | |
| | physically mounted slave drive | unallocated space | | | | |
| | loose hive(s) | automated hive extraction and parsing not supported | | | | |