REGISTRY RECON
Registry Recon is not just another Registry parser. It’s developed with powerful new methods to parse Registry data so that Registries which have existed on a Windows® system over time can be rebuilt, providing unique insight into how Registry data has changed over time. Registry Recon provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel.
REGISTRY RECON
Registry Recon is not just another Registry parser. It’s developed with powerful new methods to parse Registry data so that Registries which have existed on a Windows® system over time can be rebuilt, providing unique insight into how Registry data has changed over time. Registry Recon provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel.
Registry forensics has long been relegated to analyzing only readily accessible Registries from Microsoft Windows®, often one at a time, in a needlessly time-consuming and archaic way.
Your timelines can now include Registry data that was active, backed up in restore points or volume shadow copies, or carved from unallocated space. While Registry Recon displays unique Registry data by default, seamless access to all instances of particular Registry keys and values is available (with full paths and sector offsets) so your findings can be efficiently authenticated.
- Browse rebuilt and resurrected Registries
- Use Key History to view a key’s values at a particular time
- View values in a unique and historical fashion
- Seamless access to all instances of a particular value, both n term of time and source
One-Click Harvesting
Efficient collection of active, backed-up, and even deleted Windows Registry hives from forensic images
Registry Reconstruction
Automatic rebuilding of not only the active Registry, but Registries from previous Windows installations
Recon View
Harness the power of huge volumes of Registry information to see how Registries changed over time
Features
- Intuitive and efficient workflow
- Resurrection of Windows Registries long since forgotten
- Access to enormous amounts of deleted Registry data
- Unique keys and values shown by default in historical fashion
- Seamless access to all instances of keys and values
- Windows restore point and volume shadow copy support
- Ability to view keys (and their values) at particular points in time
What’s new
- Fixed “All Locations” string highlighting in Search
- Fixed a particular kind of SQLite crash
- Updated integration with Arsenal Image Mounter
- Fixed automatically decoded UserAssist date/time sorting
- Added search filter for Registry key (LastWriteTime) date/times
- Added search filter for Value Data size (Value Data search only)
- Search now takes ROT13 decoded data into account
- Better handling of hives containing multiple root keys
- Multiple performance improvements
