RSR Files

The following Registry Summary Report (RSR) files are for use with AccessData’s Registry Viewer® program. An RSR file is simply a template list of desired registry key/value locations, along with section headings. Registry Viewer can use these templates to quickly generate reports and can save significant time in cases where the keys/values being reported on are in a static location.

The RSR files available from AccessData have been collected from both internal and external sources. Each of these files has been reviewed by AccessData for basic functionality ONLY. Since every investigation varies, we cannot guarantee that these templates will report on the information you are targeting. AccessData recommends that you review an RSR file's intended output before using it in a case or relying on it as the basis for any professional opinion. We suggest you do this by installing and then editing the RSR file (see below); there you will be able to view or modify the values that the particular RSR file is targeting.

We welcome additional RSR submissions and modifications! Please send additions and modifications to rvsumreports@accessdata.com.

RSR Files (Grouped by the target registry file)

NTUser

Software

SAM

System

Document Conventions

Hexadecimal numbers are indicated with a 0x prefix; e.g., the hex number FFFF will be shown as 0xFFFF. Hex numbers may use both upper and lower case letters; they are generally presented as they appear in the software being examined or in the tool being used. For example, 0xffff is the same as 0xFFFF. Decimal numbers are indicated by a 0d prefix, by the word “decimal”, or by no prefix at all.

When referring to registry root keys, the abbreviation HKLM is used to signify the Microsoft use of HKEY_LOCAL_MACHINE.

Paths in the registry will begin with the registry filename the data is contained in. The filename will be in uppercase. This is to distinguish between the filenames used by Registry Viewer and the hive names used by Microsoft’s Regedit. For example, the following path is from the NTUSER.DAT file; the same path in the Regedit addressing system follows it:

NTUSER.DAT\Software\Microsoft\Internet Explorer\TypedURLs

HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Paths in the registry are shown using backslashes to divide the keys and subkeys. However, if a value name is at the end of the path, it will be denoted with a forward slash. For example, the value name “TestValue” would be shown as follows:

NTUSER\Software\Microsoft\Windows\CurrentVersion / TestValue

If general numbers are being expressed, such as value sets that contain sequential numbers, the number will be expressed with an “n” notation, where n stands for any number.

Numbers like 0001, 0002, 0003, etc. will be expressed as 000n or nnnn.
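To make the conventions above concrete, the following is an added example in Python; it is not part of AccessData's page or of Registry Viewer itself. It parses the documented number prefixes, splits a path into hive file, key path and value name, rewrites the path into Regedit addressing, and matches concrete key names against the “n” wildcard notation. The NTUSER.DAT-to-HKCU mapping is the page's own example; mapping the SAM, SOFTWARE and SYSTEM hive files under HKLM is standard Windows behaviour, and the paths under SYSTEM\Example are constructed sample input.

```python
import re

# Hive file -> Regedit root. NTUSER.DAT -> HKCU is the page's own example; the
# SAM, SOFTWARE and SYSTEM hive files are loaded under HKLM (HKEY_LOCAL_MACHINE).
HIVE_TO_REGEDIT = {"NTUSER.DAT": "HKCU", "NTUSER": "HKCU", "SAM": r"HKLM\SAM",
                   "SOFTWARE": r"HKLM\SOFTWARE", "SYSTEM": r"HKLM\SYSTEM"}

def parse_number(text):
    """0x prefix = hex (either case); 0d prefix, 'decimal' prefix or no prefix = decimal."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    for prefix in ("0d", "decimal"):
        if t.startswith(prefix):
            return int(t[len(prefix):].strip())
    return int(t)

def parse_path(path):
    """Split a documented path into (hive file, key path, value name or None).
    Backslashes separate keys; a trailing ' / name' denotes a value name."""
    key_part, sep, value = path.partition(" / ")
    hive, _, key = key_part.strip().partition("\\")
    return hive.upper(), key, (value.strip() if sep else None)

def to_regedit(path):
    """Rewrite a Registry Viewer style path into Regedit addressing."""
    hive, key, value = parse_path(path)
    full = HIVE_TO_REGEDIT[hive] + ("\\" + key if key else "")
    return full if value is None else f"{full} / {value}"

def template_to_regex(template):
    """Compile a path that uses the 'n' digit-wildcard convention (000n, nnnn).
    Only an 'n' inside a run of two or more digit/'n' characters is a wildcard,
    so the 'n' in names such as 'Internet' or 'CurrentVersion' stays literal."""
    parts, pos = [], 0
    for m in re.finditer(r"[0-9n]+", template):
        parts.append(re.escape(template[pos:m.start()]))
        run = m.group()
        if "n" in run and len(run) >= 2:
            parts.append("".join(r"\d" if c == "n" else c for c in run))
        else:
            parts.append(re.escape(run))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matches_template(template, concrete_path):
    """True if a concrete key path is an instance of the wildcard template."""
    return template_to_regex(template).match(concrete_path) is not None
```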

Disclaimer:

As with most registry content knowledge, this information is based upon the author’s research. While described behavior has been found to be consistent, different platforms and user configurations may produce different results. Anyone with additional information or differing behavior is urged to contact the author so that updates and additional research can be conducted.

Installation

To install a specific RSR file for use in Registry Viewer, simply download the file to the following location on your computer: \Program Files\AccessData\AccessData Registry Viewer\data. Feel free to rename these files to suit your needs; however, the files MUST keep the .rsr extension and they must be in the “data” folder.

Use

Once a particular RSR file is installed, you can access that template in Registry Viewer by choosing the “Manage Summary Reports” option under the Tools menu. Here you will have the option to preview that report, generate it, edit it, or delete it. Remember, previewing a report does not generate it. To generate the report, select it from the list of available reports and then click the “Generate” button. The report will be generated and placed in the Report folder, which can be one of two places. In most cases it will be the Registry_viewer folder in your FTK case folder. If you are using Registry Viewer outside of FTK, then your report will be generated in the default report folder at “C:\Program Files\AccessData\AccessData Registry Viewer\report”. Remember, if you are using FTK to generate your final report, Registry Viewer reports are automatically added to your final report!

Additional Options

In the Manage Summary Reports Window, there are two additional options for report generation. They are “Reduce excess data output” and “Interpret DWORD values as time.” These options often make the end report more presentable. Their use will depend on your specific needs.

Editing

Choosing an RSR template and then selecting the Edit button will open the “Define Summary Report” window. Here you will be able to view the different sections of the RSR template and make any desired modifications. Changing the name of the report in the “Summary Report Title” box will cause the report to be saved with the new name. Don’t forget to submit that new and improved RSR file to AccessData if appropriate.