
An official website of the United States government, Department of Justice.

REGISTRY DECODER: Automatic Acquisition and Reporting of Relevant Microsoft Windows Registry Contents

Award Information


Description of original award (Fiscal Year 2009, $135,625)

This project is for the development of Registry Decoder, a point-and-click tool that analyzes the Windows registry information of a forensic target and prepares a readable report for the investigator. This tool will be usable both for traditional 'dead' forensics against hard drive images and for 'live' (triage) analysis of running machines. Registry Decoder will be easily customizable and provide an interface for the law enforcement investigator to quickly identify what information is most crucial for their case, extract that data, and render it into a report format. Additional information will be provided to give the investigator practical insight into the meaning and relevance of the data collected. Registry Decoder will also examine values in the current Windows registry alongside copies of the registry stored by the system restore point facility, cross-referencing this information to help reconstruct a historical background of the system under investigation. The tool will be developed in a way that makes it easy to extend and easy to create and manage multiple cases. Registry Decoder will include detailed multimedia training tutorials and will be widely distributed free of charge to local and state law enforcement.


Date Created: September 23, 2009