Incident Response with EZTools - Registry Forensics

RLA (rla.exe) is bundled with EZTools. It replays a hive's transaction logs (.LOG1/.LOG2) and writes an updated copy of the hive that is no longer dirty. This is useful when a registry parser does not know how to handle transaction logs and would otherwise miss the most recent writes, which still exist only in the logs.

The Windows Registry can provide a wide array of information about executables, the system, users, applications, and so on inside a Windows system.

A registry hive is a logical group of keys, subkeys, and values in the registry, backed by a set of supporting files on disk that are loaded into memory when the operating system starts or a user logs on.

Registry transaction logs (.LOG, .LOG1, .LOG2) sit next to each hive file, for example NTUSER.DAT.LOG1 beside NTUSER.DAT. Windows uses them as a write-ahead journal: data being written to the registry is recorded in the log before it is committed to the hive file, and the hive file is only reconciled with the logs later, when it is flushed. Until that flush the hive is "dirty" (the two sequence numbers in its header do not match) and the newest changes exist only in the logs. The logs also let Windows recover a hive that was not cleanly written, for example after a crash or power loss, by replaying them when the hive is next loaded.

During an incident, the Windows Registry yields a lot of evidence and breadcrumbs for the investigation. Being able to acquire that evidence with the right skills and tools helps the responder resolve the incident quickly.

NTUSER.DAT is located at C:\Users\<user>\NTUSER.DAT (one per user profile), with its transaction logs NTUSER.DAT.LOG1 and NTUSER.DAT.LOG2 in the same folder.

#note: By default NTUSER.DAT is a hidden file, so it does not show in Explorer until you open Folder Options and enable 'Show hidden files, folders, and drives'. It is also locked while that user is logged on, so acquire it with a tool that reads the raw disk or from a Volume Shadow Copy rather than a plain file copy, and collect the .LOG1/.LOG2 files together with it, otherwise RLA has nothing to replay.
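Before handing a collected hive to RLA it is worth knowing whether it is actually dirty and whether its logs came along. The Python below is an added example written for this page, not code from EZTools: it parses the regf base block (first 4096 bytes of the hive), compares the primary and secondary sequence numbers (they differ while the hive is dirty), verifies the header checksum, and looks for sibling .LOG/.LOG1/.LOG2 files. The field offsets follow the public regf format; the sample header it builds is constructed in code (the path name inside it is made up), and the RLA command line in the usage note is quoted from memory, so confirm it against `rla.exe --help`.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

BASE_BLOCK_SIZE = 4096  # the regf header occupies the first 4 KiB of a hive
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the first 508 bytes (127 DWORDs) of the base block.

    Windows stores 0xFFFFFFFE instead of an all-ones result and 1 instead
    of a zero result, so a valid stored checksum is never 0 or 0xFFFFFFFF.
    """
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def parse_base_block(data: bytes) -> dict:
    """Decode the header fields a responder cares about from a hive's first 4 KiB."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("need the first 4096 bytes of the hive")
    sig, primary_seq, secondary_seq, filetime = struct.unpack_from("<4sIIQ", data, 0)
    if sig != b"regf":
        raise ValueError("not a regf hive (signature %r)" % sig)
    major, minor, _file_type, _file_format, root_cell, hbins_size = struct.unpack_from("<6I", data, 20)
    # Offset 48: last 32 UTF-16LE characters of the hive's path, NUL padded.
    name = data[48:112].decode("utf-16-le", errors="replace").rstrip("\x00")
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    return {
        "name": name,
        "version": f"{major}.{minor}",
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Dirty = a write was journalled to .LOG1/.LOG2 but the primary file
        # has not been flushed and reconciled yet; the newest data is in the logs.
        "dirty": primary_seq != secondary_seq,
        "last_written": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "root_cell_offset": root_cell,
        "hbins_size": hbins_size,
        "checksum_ok": stored_checksum == regf_checksum(data),
    }


def transaction_logs_for(hive_path: Path) -> list:
    """Return the .LOG/.LOG1/.LOG2 journals sitting beside a hive, if present."""
    found = []
    for suffix in (".LOG", ".LOG1", ".LOG2"):
        candidate = hive_path.with_name(hive_path.name + suffix)
        if candidate.exists():
            found.append(candidate)
    return found


def inspect_hive(hive_path: Path) -> dict:
    """Read a collected hive and decide whether it should go through RLA first."""
    with open(hive_path, "rb") as f:
        info = parse_base_block(f.read(BASE_BLOCK_SIZE))
    logs = transaction_logs_for(hive_path)
    info["logs"] = [p.name for p in logs]
    info["needs_replay"] = info["dirty"] and bool(logs)
    return info


def build_sample_base_block(primary_seq: int, secondary_seq: int,
                            name: str = r"\??\C:\Users\analyst\ntuser.dat",
                            last_written: datetime = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)) -> bytes:
    """Constructed regf header (not from a real system) so the parser runs offline."""
    b = bytearray(BASE_BLOCK_SIZE)
    filetime = int((last_written - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10  # 100 ns units
    struct.pack_into("<4sIIQ", b, 0, b"regf", primary_seq, secondary_seq, filetime)
    # major 1, minor 5, file type 0 (primary), format 1, root cell 0x20, hbins size 0x1000
    struct.pack_into("<6I", b, 20, 1, 5, 0, 1, 0x20, 0x1000)
    struct.pack_into("<I", b, 44, 1)  # clustering factor
    encoded = name[-32:].encode("utf-16-le")
    b[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", b, 508, regf_checksum(bytes(b)))
    return bytes(b)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. python hivecheck.py C:\collected\NTUSER.DAT
        print(inspect_hive(Path(sys.argv[1])))
    else:                                       # offline demo on constructed headers
        print(parse_base_block(build_sample_base_block(7, 7)))   # clean
        print(parse_base_block(build_sample_base_block(8, 7)))   # dirty
```

When `needs_replay` is true, run RLA on the hive and its logs before parsing, for example `rla.exe -f C:\collected\NTUSER.DAT --out C:\collected\clean` (verify the switches with `rla.exe --help`), then point the registry parser at the hive in the output folder. When the hive is dirty but no logs were collected, go back and acquire them: the header check only tells you the primary file is stale, and on current Windows it can lag the logs by a long time, so nothing in this script can recover the missing writes.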

What is the Windows Registry Transaction Log?