Extracting registry hives

Performing a postmortem analysis on the system registry requires extracting the hives from the filesystem. In this section, we will look at extracting files from a live system and from a forensic image.

Extracting registry files from a live system

Copying the backup files on a live system is quite easy; simply copy and paste or type the following command in the administrator command prompt:

reg save HKLM\<hive name> <savename>

As discussed earlier, these files could be 10 days old. This may not contain any traces of the incident under investigation. So, we need to extract the working hive files, which won't be allowed by the system because these files are in use in the live system:

Figure 9: Error in copying registry files ...

Get Practical Windows Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Windows Forensics by Ayman Shaaban, Konstantin Sapronov

Extracting registry hives

Extracting registry files from a live system

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly