EnCase App Central

Endpoint Security Registry Value Extractor

This script is designed to extract Registry values from one or more result LEFs (logical evidence files) created by EnCase Endpoint Security. It will process all Lx01 and L01 evidence files in the folder specified by the user. Sub-folders will be processed as a matter of course.

An internal condition is used to identify the target Registry values. This allows multiple values to be targeted. It also allows GREP to be used for wildcard searching.

The condition must have at least one selected term. Also, the root value ("Registry Values") should not be included when testing the FullPath property.

Please note that the script only supports the following Registry value-types:

  • REG_SZ
  • REG_EXPAND_SZ
  • REG_DWORD
  • REG_DWORD_BIG_ENDIAN
  • REG_LINK
  • REG_QWORD

The script's condition includes the following Registry path as an example:

  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion

Output is by way of a tab-delimited spreadsheet file. This will have a *.csv extension for compatibility with Microsoft Word.

Progress can be monitored via the console window.

This script was developed for use in EnCase training. For more details, please click the following link:

Version: 2.0
Tested with: EnCase 23.4
Developer: Simon Key
Category: Utility

8 Downloads
8 Downloads in last 6 months