Hi,
How can I search for registry keys? And return them in results view?
The keys or subkeys are in the format below. How can I search for registries?
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion(AppPaths)
HKEY_USERS\SID\Software\SpeedBit\Download Accelerator
Flags/REG_DWORD/(media type)
PackageFamilyName/REG_SZ/microsoft.windowsphotos_8wekyb3d8bbwe
It depends on how you want to search for them. One spot to look is the RegRipper reports, to see if RegRipper has already parsed it out but it was not brought into Autopsy as extracted content. RegRipper is run as part of the Recent Activity ingest. If you want to use a Python module to do it, you can look at https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Bam_Key to see how that will process registry keys. If you want to do it manually, then use the application viewer for registry files, which should show up when you highlight a registry file (you may have to run the file ID ingest first, I do not remember).