Is there a way to browse the registry using Autopsy?

honor_the_data · May 7, 2021, 12:55pm

I know Autopsy runs Regripper, but is there a way to browser through registry hives Autopsy?

apriestman · May 7, 2021, 12:58pm

If you browse to the registry hive, the Application tab will let you browse through the data.

honor_the_data · May 7, 2021, 1:19pm

Thanks @apriestman ! That was pretty simple. I’ve been clicking around in a hive but have not yet seen any regkey modification times though. Do you know if there is a way to see those?

apriestman · May 7, 2021, 1:23pm

Sorry I don’t know. @Mark_McKinnon might.

Mark_McKinnon · May 7, 2021, 3:07pm

If you mean something like this:

No, it does not but it can. I can make a PR for this soon.

Mark_McKinnon · May 10, 2021, 4:50pm

The PR for this is Add Registry Key Modification Time To Registry Content Viewer by markmckinnon · Pull Request #6961 · sleuthkit/autopsy (github.com) here is what it will look like:

honor_the_data · May 10, 2021, 5:13pm

That’d be awesome @Mark_McKinnon!

apriestman · May 10, 2021, 7:41pm

FYI it unfortunately won’t show up until the release after next - it’s too late to include in our upcoming 4.19 release.

Topic		Replies	Views
DataSourceingestmodule get certain registries Autopsy Development	1	523	October 6, 2020
Is there any way to check the network information of the evidence image in autopsy? Autopsy Help	2	3966	October 20, 2023
RegRipper in an Autopsy plug-in Autopsy Development	5	4566	May 1, 2019
Searching registries Autopsy Development	16	7300	November 2, 2020
My Content viewer has disappeared Autopsy Help	1	312	October 27, 2022

Is there a way to browse the registry using Autopsy?

Related topics