FTK Windows Server 2008 SYSTEM Filter

I recently found it necessary to quickly grab a large amount of SYSTEM registry files to determine the current control set and time zone information. FTK displays this information upon clicking the SYSTEM registry file. However, when you have a bunch of disk images loaded, it is a pain to navigate to all of them. Below is my filter to grab the SYSTEM file from /Windows/System32/config/. This should work on other OS versions too, but I have not tested it yet. It has been working for me on Windows Server 2008 R2 64-bit.

<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters">
  <filter name="W2K8 System Hive" matchCriterion="all" id="f_1000005" read_only="false" description="">
    <rule position="0" enabled="true" id="a_9148" operator="is_member">
      <one_int value="850"/>
    </rule>
    <rule position="1" enabled="true" id="a_9171" operator="contains">
      <one_string value="/Windows/System32/config/SYSTEM"/>
    </rule>
  </filter>
  <attribute id="a_9148" type="set">
    <table>ftk_CustomCategories</table>
    <column>CustomCategoryID</column>
  </attribute>
  <attribute id="a_9171" type="string">
    <table>cmn_ObjectFiles</table>
    <column>Path</column>
  </attribute>
</exportedFilter>
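As an added example (not part of the original post and not FTK's own code), the following Python script parses the exported filter above, resolves each rule's attribute id to the column it tests, and applies the two rules with the "all" match criterion to a few constructed file records. The category id 850 is the post's own custom category; the record layout and the semantics of is_member (set membership) and contains (case-sensitive substring) are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace of the export format and the filter from the post, embedded so this runs offline.
NS = "{http://www.accessdata.com/ftk2/filters}"
FILTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters">
  <filter name="W2K8 System Hive" matchCriterion="all" id="f_1000005" read_only="false" description="">
    <rule position="0" enabled="true" id="a_9148" operator="is_member"><one_int value="850"/></rule>
    <rule position="1" enabled="true" id="a_9171" operator="contains"><one_string value="/Windows/System32/config/SYSTEM"/></rule>
  </filter>
  <attribute id="a_9148" type="set"><table>ftk_CustomCategories</table><column>CustomCategoryID</column></attribute>
  <attribute id="a_9171" type="string"><table>cmn_ObjectFiles</table><column>Path</column></attribute>
</exportedFilter>"""

def load_rules(xml_text):
    """Return (matchCriterion, [(column, operator, value), ...]) for the enabled rules."""
    root = ET.fromstring(xml_text)
    columns = {a.get("id"): a.find(NS + "column").text for a in root.findall(NS + "attribute")}
    flt = root.find(NS + "filter")
    rules = []
    for rule in flt.findall(NS + "rule"):
        if rule.get("enabled") != "true":
            continue
        operand = rule[0]  # the single <one_int> or <one_string> child
        value = operand.get("value")
        if operand.tag == NS + "one_int":
            value = int(value)
        rules.append((columns[rule.get("id")], rule.get("operator"), value))
    return flt.get("matchCriterion"), rules

def rule_matches(record, column, operator, value):
    # Assumed semantics: is_member = set membership, contains = case-sensitive substring.
    if operator in ("is_member", "contains"):
        return value in record[column]
    raise ValueError("unsupported operator: " + operator)

def apply_filter(xml_text, records):
    criterion, rules = load_rules(xml_text)
    combine = all if criterion == "all" else any
    return [r["Path"] for r in records
            if combine(rule_matches(r, c, op, v) for c, op, v in rules)]

# Constructed stand-in for FTK's file table: path plus the custom category ids assigned.
SAMPLE_RECORDS = [
    {"Path": "img1/Windows/System32/config/SYSTEM", "CustomCategoryID": {850}},
    {"Path": "img1/Windows/System32/config/SYSTEM.LOG1", "CustomCategoryID": {850}},
    {"Path": "img1/Windows/System32/config/SOFTWARE", "CustomCategoryID": {850}},
    {"Path": "img2/Windows/System32/config/SYSTEM", "CustomCategoryID": set()},
]
```

Because the second rule uses contains, the SYSTEM.LOG1 transaction log is selected alongside the hive itself, and a record without the category is dropped even though its path matches; if only the hive is wanted, the path string needs to be tightened or another rule added.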