When triaging a live system or performing live forensic acquisition, we often need to copy registry hives from a disk. Currently, there are five common ways to do this:
- execute the “reg save <hive> <file>” command;
- call the RegSaveKeyEx/RegSaveKey routine from an acquisition tool;
- copy a hive file from an existing shadow copy;
- copy a hive file from a newly created shadow copy;
- directly read a hive file from an NTFS volume.
What are the pros and cons of each way?
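Whichever of the five methods is used, the resulting file should be sanity-checked before it is trusted. The following is an added example, not code from the original post: it parses the 512-byte "regf" base block of an acquired hive and reports whether the signature is present, whether the primary and secondary sequence numbers match (a mismatch means the copy was taken while a write was in progress, which is the typical outcome of reading the file directly from the volume while the system is running, and the transaction log files are then needed to bring it up to date) and whether the header checksum (XOR of the first 127 DWORDs) is intact. The sample base blocks are constructed inline so the check runs offline; the embedded path value is constructed, not taken from a real system.

```python
"""Sanity-check an acquired registry hive by parsing its 512-byte base block.

Added example, not part of the original post. Offsets follow the documented
"regf" base-block layout: signature at 0x00, primary/secondary sequence
numbers at 0x04/0x08, major/minor version at 0x14/0x18, root cell offset at
0x24, embedded file name at 0x30, checksum at 0x1FC.
"""
import struct

BASE_BLOCK_SIZE = 512


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs at offsets 0x000-0x1FB, with the two special cases
    (0 is stored as 1, 0xFFFFFFFF as 0xFFFFFFFE)."""
    x = 0
    for off in range(0, 508, 4):
        x ^= struct.unpack_from("<I", block, off)[0]
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def inspect_base_block(block: bytes) -> dict:
    """Parse the base block and report whether the copy looks usable."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("need at least 512 bytes of hive data")
    signature = block[0:4]
    primary, secondary = struct.unpack_from("<II", block, 4)
    major, minor = struct.unpack_from("<II", block, 20)
    root_cell, hbins_size = struct.unpack_from("<II", block, 36)
    # Embedded name: 64 bytes of UTF-16LE, zero padded.
    name = block[48:112].decode("utf-16le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 508)[0]
    return {
        "signature_ok": signature == b"regf",
        "primary_seq": primary,
        "secondary_seq": secondary,
        # Unequal sequence numbers: the hive was captured mid-transaction
        # ("dirty"); the .LOG1/.LOG2 files are needed to replay pending writes.
        "dirty": primary != secondary,
        "version": f"{major}.{minor}",
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
        "embedded_name": name,
        "checksum_ok": stored == regf_checksum(block),
    }


def check_hive_file(path: str) -> dict:
    """Run the check against a hive file on disk (e.g. one produced by reg save)."""
    with open(path, "rb") as f:
        return inspect_base_block(f.read(BASE_BLOCK_SIZE))


def build_sample_block(primary: int, secondary: int, corrupt_checksum: bool = False) -> bytes:
    """Construct a minimal base block for offline testing (constructed data,
    not a header captured from a real system)."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[0:4] = b"regf"
    struct.pack_into("<II", blk, 4, primary, secondary)
    struct.pack_into("<IIII", blk, 20, 1, 5, 0, 1)   # major, minor, file type, file format
    struct.pack_into("<II", blk, 36, 0x20, 0x1000)   # root cell offset, hbins data size
    name = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16le")[:64]
    blk[48:48 + len(name)] = name
    checksum = regf_checksum(bytes(blk))
    if corrupt_checksum:
        checksum ^= 0x1                              # simulate a damaged header
    struct.pack_into("<I", blk, 508, checksum)
    return bytes(blk)


if __name__ == "__main__":
    for label, blk in (("clean", build_sample_block(7, 7)),
                       ("dirty", build_sample_block(8, 7))):
        r = inspect_base_block(blk)
        print(f"{label}: dirty={r['dirty']} checksum_ok={r['checksum_ok']} "
              f"name={r['embedded_name']}")
```

A copy written by reg save or RegSaveKey/RegSaveKeyEx is expected to come out clean, because the API writes a consistent hive; a copy taken by reading the live file directly is the case most likely to trip the dirty flag, so keep the matching .LOG1/.LOG2 files alongside it.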
Continue reading “Exporting registry hives from a live system”