Open Source Registry Decoder 1.1 Tool Released

Wednesday, November 02, 2011

Andrew Case


Digital Forensics Solutions is announcing the release of Registry Decoder 1.1, a free and open source tool which has many completely new features and updates as well as bugfixes.

Please see our previous blog post here for the initial release of Registry Decoder.

New Features include:

  • Support for processing Encase (E01) files and split images
  • Full wildcard searching
  • Adding evidence after a case is created
  • Exporting of paths and their key/value pairs
  • Timelining of keys from the GUI into the Sleuthkit format
  • Running plugins from the command line
  • Running custom plugins outside the main executable/package
  • Support for dual boot machines

Updates include:

  • Reports now have their extension appended if the user doesn't enter them
  • Reports can now be filtered by either deleting results or shift/ctrl selecting results
  • Users can right click within the Browse View to search directly for paths
  • The name/value box in the Browse View is now sortable
  • We also have six new plugins from Kevin Moore of CERT!

Major changes since 1.0:


All evidence created by version 1.0 of the online tool (regdecoderlive) and cases created by previous versions of the offline tool WILL NOT BE compatible with version 1.1 .

We regret that we had to break compatibility with version 1.0 (and it won't happen again!), but the changes were significant and handling old data structures and databases would have required very ugly special-casing within the handling code.

The date format to filter searches has been changed to “yyyy/mm/dd” from “mm/dd/yyyy” so that dates can be directly copied & pasted from plugin and search outputs as well as from the Browse View.

Current Plans for Registry Decoder:

Registry Decoder version 1.1 currently has a “feature freeze” as we let the forensics community react and provide feedback to the new features.  The only development that will continue will be that of plugins since they do not require any core changes or enhancements.

Plugin Development:

With this release, we are also releasing our official API documentation. The API is meant to be useable by even non-programmers, and many of our plugins are less than 10 lines of Python code.  The latest version of the API can be found in the downloads section of Registry Decoder.

We also want to concentrate on reaching out to other practitioners and research groups (both professional and academic) in an attempt to proliferate Registry Decoder throughout these communities.  We would appreciate any plugins contributed by these communities.

Existing plugins can be found in templates/template_files within the source code tree or can be viewed online at:

To make development easier, we have created the ability to run plugins from outside the core plugins directory as well as from the command line. Full details of how to accomplish this are explained in the plugins API documentation.

Downloads and Instructions:

As always, the two tools, as well as their instructions, can be found on their respective Google code projects and

Before ending this post, we would like to thank a few people who helped make this release a success.  In no particular order... Tim Morgan, the author of reglookup, who helped us troubleshoot a few issues we had with the library; Michael Cohen, the author of pytsk, who helped develop in-library support for Encase and split images; and Kevin Moore of CERT, as he contributed a number of complex plugins to the project.
We would also like to thank all the beta testers that sent bug reports and feedback.

If you have any questions or feedback, please either leave a comment or email 

Cross-posted from Digital Forensics Solutions

Possibly Related Articles:
Open Source Forensics Tools Penetration Testing Network Security CERT Registry Decoder
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.