OSForensics™ includes a built-in registry viewer for analyzing the contents of Windows registry hive files. It can be opened from the Start tab in OSForensics or will open and automatically navigate to the selected key when choosing the "Open registry file" option from a recent activity scan.
The registry viewer does not use Windows API calls so it offers the following benefits over RegEdit;
- Last edit time and date for keys
- Easily open offline registry hives (eg those stored on a portable drive)
- Fast searching and ability to go directly to a known key location
- Bypasses windows permission enforced on some parts of the registry
- Can display registry locations that might be hidden due to actions of malicious software / rootkits
- Easy exporting to text of a single key, all of the subkeys or the entire registry file
- Can add keys and their values to the current case
