added more details about registry forensics

Forensics/Windows Registration.md

@@ -3,6 +3,7 @@
 * [Windows Forensics Cheat Sheet](https://user-images.githubusercontent.com/58165365/157232143-3c8785ec-164b-4843-bde8-9d9a22350159.png)
 
 ## Regedit Keys
+
 * HKEY_CURRENT_USER (HKCU), inside HKU
 * HKEY_USERS (HKU)
 * HKEY_LOCAL_MACHINE (HKLM)
@@ -12,6 +13,7 @@
 * HKEY_CURRENT_CONFIG
 
 ## Paths
+
 * `C:\Windows\System32\Config`
     * Default -> `HKEY_USERS\DEFAULT`
     * SAM -> `HKEY_LOCAL_MACHINE\SAM`
@@ -27,23 +29,36 @@
 * `C:\Windows\AppCompat\Programs\Amcache.hve`
 
 ### Transaction Logs
+
 * Transaction `<name of registry hive>.LOG` of the registry hive
-* Saved inside the same directory which is `C:\Windows\System32\Config`, as the hive which was altered.
+
+Saved inside the same directory which is `C:\Windows\System32\Config`, as the
+hive which was altered.
 
 ### Backups
+
 * Saved every ten days
 * Look out for recently deleted or modified keys
 * `C:\Windows\System32\Config\RegBack`
 
 ## Data Acquisition
-* Tools
-    * [Autopsy](https://www.autopsy.com/)
-    * [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve`
-    * [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape), preserves directory tree
-    * `Registry Viewer`
-    * `Zimmerman's Registry Explorer`, uses transaction logs as well
-        * ` AppCompatCache Parser`
-    * `RegRipper`, cli and gui
+
+Multiple tools with their own strengths and weaknesses should be chosen to acquire
+the registry data, no matter if it is a live or a copied acquisition. Commonly
+used tools are the following ones.
+
+* [Autopsy](https://www.autopsy.com/)
+* [FTK Imager](https://www.exterro.com/ftk-imager), does not copy `Amcache.hve` when `Obtain Protected Files` has been chosen, copy them manually as an export from the file tree of the chosen image
+
+[KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape),
+preserves directory tree. 
+
+Following parts of EZTools should be taken note of.
+
+* Registry Viewer
+* Zimmerman's Registry Explorer, uses transaction logs as well
+* AppCompatCache Parser
+* RegRipper, cli and gui
 
 ## System Information
 * OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
@@ -167,3 +182,10 @@ Function        Compare-AutoRunsBaseLine                           14.0       Au
 Function        Get-PSAutorun                                      14.0       Aut...
 
 Function        New-AutoRunsBaseLine                               14.0       Aut...
+```
+
+### Clean a Dirty Hive
+
+If a hive is loaded by a tool and the tool complains about a dirty hive, the
+transaction log of said hive has to be loaded as well. Extract it via FTK or
+KAPE alongside the hive itself.