Using EnCase to View the Registry
EnCase is a computer forensics tool used by many forensic examiners and intrusion investigators. Depending on your environment, you may be doing both the computer forensics and the network investigation. In other environments, the functions are segregated. Regardless, if you have EnCase available, it is an excellent tool for examining the Windows registry.
Examining Information Manually
Registry hive files are compound files that are mountable in EnCase. Within EnCase version 6 (we’ll talk about version 7 later in this chapter), you can mount these files by right-clicking the registry file’s name and choosing View File Structure from the pop-up menu. Before you mount the file, however, you must first ...