Extracting registry hives
Performing a postmortem analysis on the system registry requires extracting the hives from the filesystem. In this section, we will look at extracting files from a live system and from a forensic image.
Extracting registry files from a live system
Copying the backup files on a live system is quite easy; simply copy and paste or type the following command in the administrator command prompt:
reg save HKLM\<hive name> <savename>
As discussed earlier, these backup files could be up to 10 days old, so they may contain no trace of the incident under investigation. We therefore need to extract the working hive files, which the system will not let us copy directly because they are in use on the live system:
To copy the registry files from a live system, we need a tool such as FTK Imager. We will use the Lite version in this exercise, which is better suited to live analysis because it does not leave large...
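Whichever way the hive file was obtained, the first thing to check is the extracted file itself: that it really is a hive, how recently it was last written (the stale-backup concern raised above), and whether it was copied mid-transaction so that data still sits in the .LOG files. The following Python script is an added example, not code from the original text or from FTK Imager; it parses the 512-byte REGF base block using the standard hive header offsets and builds a constructed sample header to exercise itself.

```python
import struct
from datetime import datetime, timedelta, timezone
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_SIZE = 512  # the REGF header occupies the first 512 bytes of a hive

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def regf_checksum(block):
    """XOR of the first 127 DWORDs, with 0 -> 1 and 0xFFFFFFFF -> 0xFFFFFFFE."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)

def parse_regf_header(block):
    """Parse the base block of an extracted hive and report what an examiner checks first."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a registry hive: 'regf' signature missing")
    seq1, seq2, last_written, major, minor = struct.unpack_from("<IIQII", block, 4)
    stored_checksum = struct.unpack_from("<I", block, 508)[0]
    name = block[48:112].decode("utf-16-le").rstrip("\x00")
    return {
        "hive_name": name,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        # sequence numbers differ when the last write never completed: the .LOG files hold data not in this copy
        "dirty": seq1 != seq2,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }

def hive_age_days(header, now=None):
    """Days since the hive was last written; large values flag a stale backup copy."""
    now = now or datetime.now(timezone.utc)
    return (now - header["last_written"]).days

def build_sample_header(name, last_written, seq1=1, seq2=1):
    """Constructed 512-byte base block for testing (not taken from a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    struct.pack_into("<IIQII", block, 4, seq1, seq2, datetime_to_filetime(last_written), 1, 5)
    block[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)
```

On a real extracted file, pass `open(path, "rb").read(512)` to `parse_regf_header`; a `dirty` result means the matching .LOG/.LOG1/.LOG2 files should be collected alongside the hive.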