Two Types of acquisition

RegAcquire is a batch script that acquires Windows Registry Dumps, it makes use of 2 other programs RawCopy and FCIV(File Checksum Integrity Verifier) for the sake of simplicity the batch script with the neccessary supporting files were built together in a standalone executable.

RegAcquire makes use of reg export found built-in in Windows.

Since reg export strips away some information, RegAcquire also acquires the physical hive files, in Windows system. These files are live files meaning they are constantly in use, thus making it difficult to copy it normally. VSS (Volume Shadow Copy) was used to capture these files using RawCopy.

File Checksum Integrity Verifier (FCIV) is used to hash the files as well as check the integrity of the forensic copy. The reason why these other two applications was used is to ensure that they can run on any Windows operating system targeted from Windows 7 and up, and for the reason that all Computers may not have some built-in features that could have been used for this purpose.

Forensically sound

RegAcquire logs each process and creates MD5 hashes of each file for verifiability.

Since the original files are never used in Digital Forensics RegAcquire makes a forensically sound copy by copying the original files, logging each and then further verifying the copy by hashing the files of the copy and comparing them to the original files. The original files are marked as read-only and the hash file has special permissions that doesn't easily give access to anyone to write or modify it. RegAcquire performs two phase hash log to ensure that changes to the files can be detected, this is achieved by logging both in the acquired registry dumps and the entire life span of using the RegAcquire program, this is just a measure for authenticity and is only checked when there are suspicions.



System Analysis

systemMore information

OS Analysis

osMore information


Application Analysis

applicationMore information


Network Analysis

networkMore information


Device Analysis

deviceMore information


ShimCache Analysis

shimMore information


Registry Viewer

regviewMore information



reportingMore information


Hash Generator

hashMore information


The various interfaces of the tools built.

  • RegAquire startup detecting system support.
  • Getting reg export dumps.
  • RawCopy getting hive files.
  • Making forensic copy.
  • Verifying dumps.
  • Dumps acquired.
  • Logging of the process.
  • Hash of the files.
  • RegSmart Introduction.
  • RegSmart Home Page.
  • RegSmart Importing dumps.
  • RegSmart Hashing interface.
  • RegSmart File Hashing.
  • RegSmart Folder Hashing.
  • Registry Viewer.
  • ShimCache Analysis.
  • RegSmart Reporting.


Due to a rise in risks involved in the current digital age, we anticipate more cyber-crime. Criminal footprints can appear in the Windows registry where large amounts of data regarding several aspects of a computer is stored. It is often difficult for Police officers and digital forensic investigators to fully analyse the Windows registry because of its vastness and lack of understanding. Performing analysis and finding evidence in the Windows registry is a very tedious and time-consuming process. Time (both for evidence collection, and analysis) and the complexity of extracting evidence from cyber crime scenes, are just some of the fundamental factors that inhibit the effectiveness of a forensic investigation.

These tools were developed for research purposes in attempt to harness the Windows Registry and aid analysis times, by performing various types of analysis and extracting information that is useful and also being able to develop reports from the acquired analysis. These tools are free and open source and urge people to contribute to it. The code is available on Github at
There are still areas that haven't been explored in this research due to time constraints. However, they will be incorporated soon.

Contact Form

Please fill out the information below if you have any complaints or suggestions.