Registry Decoder

DFS is now offering day-long Registry Decoder training sessions.
For more information, click here.

Accurate, efficient analysis of the Windows registry

Digital forensics deals with the analysis of artifacts on all types of digital devices. One of the most prevalent analysis techniques is the examination of the registry hives contained in Microsoft Windows operating systems. Registry Decoder was developed to provide a single tool for the acquisition, analysis, and reporting of registry contents. To learn the history of this project, please see the history page.

Registry Decoder is a free and open source tool. The online acquisition component can be found here and the offline analysis component here.

Our first blog post announced Registry Decoder and listed all of its features. The second blog post announced the release of version 1.1 along with its new features and updates.

All functionality contained within the two components is exposed through a graphical user interface, and the tool aims to provide even novice investigators with powerful analysis capabilities. Another goal of Registry Decoder is to become the project in which all future registry-related research is performed and for which it is developed. If you are a researcher interested in open problems within forensic registry research, or are interested in contributing to the project, please see our research page here.

To keep up with the latest developments of Registry Decoder, please follow our Twitter account @dfsforensics.