Performing a postmortem analysis on the system registry requires extracting the hives from the filesystem. In this section, we will look at extracting files from a live system and from a forensic image.
Copying the backup hives on a live system is straightforward: the copies under %SystemRoot%\System32\config\RegBack are not held open by the kernel, so they can simply be copied and pasted. A hive can also be written out directly from the running registry, which avoids the file lock because the kernel dumps its in-memory copy rather than reading the file on disk. Type the following in an elevated (administrator) command prompt, where the hive name is SAM, SECURITY, SOFTWARE or SYSTEM:
reg save HKLM\<hive name> <savename>
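The same dump done for every hive at once, as an added PowerShell example that is not part of the original text: it saves the four machine hives and any currently loaded user hives with reg.exe save, records a SHA-256 hash for each dump, and reports the size and age of the matching RegBack copy so the two can be compared. The case directory is an assumption; the rest uses only built-in cmdlets and reg.exe and must be run from an elevated prompt.

```powershell
# Added example: dump live registry hives with reg.exe save and compare them with RegBack.
# The case directory below is an assumption; change it to the evidence location for the case.
param(
    [string]$CaseDir = "C:\Cases\host01\registry"
)

# reg save fails silently on a non-elevated prompt for SAM/SECURITY, so check first.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "reg save needs an elevated prompt; re-run PowerShell as Administrator."
}

New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
$hashFile = Join-Path $CaseDir "hashes.txt"

# Machine hives and the registry keys they are mounted under.
$hives = @{
    "SAM"      = "HKLM\SAM"
    "SECURITY" = "HKLM\SECURITY"
    "SOFTWARE" = "HKLM\SOFTWARE"
    "SYSTEM"   = "HKLM\SYSTEM"
}
$config  = Join-Path $env:SystemRoot "System32\config"
$regBack = Join-Path $config "RegBack"

foreach ($name in $hives.Keys) {
    $key  = $hives[$name]
    $dest = Join-Path $CaseDir "$name.hiv"

    # reg save writes the in-memory hive to disk; /y overwrites an existing file without prompting.
    & reg.exe save $key $dest /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg save failed for $name (exit code $LASTEXITCODE)"
        continue
    }

    # Hash the dump immediately so the evidence can be verified later.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
    "{0}`t{1}`t{2}" -f $name, $dest, $hash | Add-Content $hashFile

    # Report how current the RegBack copy is; a 0-byte file means periodic backup is disabled.
    $backup = Join-Path $regBack $name
    if (Test-Path $backup) {
        $info = Get-Item $backup
        $age  = (Get-Date) - $info.LastWriteTime
        if ($info.Length -eq 0) {
            Write-Host "$name : RegBack copy is 0 bytes (periodic backup not running on this build)"
        } else {
            Write-Host ("{0} : RegBack copy is {1:N0} bytes, {2:N1} days old" -f $name, $info.Length, $age.TotalDays)
        }
    } else {
        Write-Host "$name : no RegBack copy present"
    }
}

# Loaded user hives (NTUSER.DAT) appear under HKEY_USERS keyed by SID; save each one,
# skipping the *_Classes hives, which hold only the per-user UsrClass.dat data.
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $dest = Join-Path $CaseDir "NTUSER_$sid.hiv"
        & reg.exe save "HKU\$sid" $dest /y | Out-Null
        if ($LASTEXITCODE -eq 0) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
            "NTUSER_$sid`t$dest`t$hash" | Add-Content $hashFile
        } else {
            Write-Warning "reg save failed for HKU\$sid (exit code $LASTEXITCODE)"
        }
    }
```

The dumps produced this way are regular hive files and load in the same tools as copies taken from disk; what they lack is the raw on-disk file, its slack space and the accompanying .LOG transaction files, which is why a raw extraction of the working files is still worth doing.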
As discussed earlier, the RegBack copies are refreshed by a scheduled task only about every 10 days (and on Windows 10 version 1803 and later the task no longer writes them at all by default, leaving 0-byte files), so they may hold no trace of the incident under investigation. We therefore need the working hive files in %SystemRoot%\System32\config, and a plain file copy of those is refused by the system because they are held open for as long as Windows is running: