Now that you know the structure of the Registry, let's take a look at retrieving and analyzing information from within the Registry. Much of this information will be available to you during live response (with the exception of the keys you cannot access due to permissions), and all of it (with the exception of the volatile portions of the Registry) will be available during a postmortem investigation.
ProDiscover provides a simple interface (actually, an API) for accessing the Registry during postmortem analysis. When a case is loaded into ProDiscover, all you need to do is right-click the Windows directory in the Content View and choose Add to Registry Viewer. ProDiscover then locates the necessary files to populate the Registry ...
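The hive files that a tool such as ProDiscover locates under the Windows directory each begin with a 512-byte "regf" base block, and before trusting anything parsed from a hive an examiner wants to know whether that header is intact and whether the hive was written cleanly. The following is an added example, not code from the book or from ProDiscover: it parses the base block fields (signature, sequence numbers, last-written FILETIME, version, root cell offset, embedded hive name, checksum), recomputes the XOR-32 header checksum, and flags the conditions that matter in a postmortem case, including a "dirty" hive whose primary and secondary sequence numbers differ. The sample hive bytes are constructed in `build_sample_hive()` for offline use; the function and variable names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 512   # the regf base block occupies the first 512 bytes of a hive file
HBIN_BASE = 0x1000      # cell offsets in the header are relative to the first hive bin at 0x1000


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(block):
    """XOR of the 127 little-endian DWORDs that precede the checksum field at offset 0x1FC.

    The format maps a result of 0 to 1 and 0xFFFFFFFF to 0xFFFFFFFE, so do the same here.
    """
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        x ^= dword
    if x == 0:
        return 1
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x


def parse_base_block(data):
    """Return the header fields of a hive as a dict; raises on input shorter than a base block."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("input too small to contain a regf base block")
    block = data[:BASE_BLOCK_SIZE]
    # Offsets: 0x00 signature, 0x04/0x08 sequence numbers, 0x0C FILETIME, 0x14 major,
    # 0x18 minor, 0x1C file type, 0x20 file format, 0x24 root cell, 0x28 hive bins size
    (sig, seq1, seq2, ft, major, minor,
     ftype, fmt, root_cell, hbins_size) = struct.unpack_from("<4sIIQIIIIII", block, 0)
    # 0x30: 64 bytes of UTF-16LE, the tail of the hive's on-disk path, NUL padded
    name = block[0x30:0x30 + 64].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "signature": sig,
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "last_written": filetime_to_datetime(ft),
        "version": (major, minor),
        "file_type": ftype,            # 0 = primary hive file, 1+ = transaction log
        "file_format": fmt,
        "root_cell_offset": HBIN_BASE + root_cell,
        "hbins_data_size": hbins_size,
        "hive_name": name,
        "stored_checksum": stored,
        "computed_checksum": regf_checksum(block),
    }


def validate(info):
    """Findings an examiner should resolve before relying on keys parsed from this hive."""
    findings = []
    if info["signature"] != b"regf":
        findings.append("bad signature: not a regf hive")
    if info["stored_checksum"] != info["computed_checksum"]:
        findings.append("base block checksum mismatch: header is damaged or altered")
    if info["primary_seq"] != info["secondary_seq"]:
        findings.append("sequence numbers differ: hive is dirty, apply .LOG1/.LOG2 transaction logs first")
    if info["file_type"] != 0:
        findings.append("file type is not 0: this is a transaction log, not a primary hive")
    return findings


def build_sample_hive(name="SYSTEM", primary=5, secondary=5, last_written_ft=132_000_000_000_000_000):
    """Constructed sample (not a real hive): a base block with a valid checksum and no hive bins."""
    block = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sIIQIIIIII", block, 0, b"regf", primary, secondary, last_written_ft,
                     1, 5, 0, 1, 0x20, 0x1000)
    name_bytes = name.encode("utf-16-le")
    block[0x30:0x30 + len(name_bytes)] = name_bytes
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    import sys
    # Pass a hive file path (e.g. an exported SYSTEM hive) or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(BASE_BLOCK_SIZE)
    else:
        data = build_sample_hive()
    header = parse_base_block(data)
    for key, value in header.items():
        print(f"{key}: {value}")
    print("findings:", validate(header) or "none")
```

Only the hives that exist as files on disk can be examined this way; the volatile portions of the Registry mentioned above, such as the HKEY_LOCAL_MACHINE\HARDWARE subtree, are built in memory at boot and have no hive file to parse.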