Digital Forensics Solutions is pleased to announce Registry Decoder, an open source tool that automates the acquisition, analysis, and reporting of Microsoft Windows registry contents. The tool was initially funded by the National Institute of Justice (NIJ) and is now ready for public release. Please see our History Page for information about the project.
Registry Decoder consists of two components, the first of which is a tool for online acquisition of registry files from a running machine. The page for this project can be found here. To safely acquire files from a running machine, we ‘freeze’ a copy of the current registry files using the System Restore Facility. This places the files into a read-only location and ensures that the operating system will not have the files opened (which would prevent them from being copied to external storage).
Beyond the current set of registry files, the acquisition component can also acquire historical files from the running system. These historical files are acquired from XP machines through the System Restore Point facility and through the Volume Shadow Service on Vista and Windows 7 machines.
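As an added example (not Registry Decoder's own acquisition code, which this page does not show), the script below walks the Vista/7 path the post describes: it optionally freezes a fresh Volume Shadow Copy, lists the existing shadow copies, builds the path of each hive inside a shadow volume (the live `config` hives or the `RegBack` copies), and copies each one out with a SHA-256 recorded in a manifest. The `vssadmin list shadows` output embedded in it is constructed sample text; the `wmic shadowcopy call create` step, the `\\?\GLOBALROOT` device paths, and the requirement to run elevated on the live machine are assumptions about Windows, not statements about Registry Decoder.

```python
"""Acquire registry hives from Volume Shadow Copies on a running Vista/7 host.

Added example, not Registry Decoder's own acquisition code. Assumptions:
vssadmin.exe and wmic.exe are on PATH, the script runs elevated, and the
\\?\GLOBALROOT shadow device paths printed by vssadmin are readable through
the normal file APIs.
"""
import hashlib
import os
import re
import shutil
import subprocess

HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT")

# Constructed sample of "vssadmin list shadows" output, used so the parser
# can be exercised offline; real output carries one block per shadow copy.
VSSADMIN_SAMPLE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 6/1/2011 9:00:00 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{66666666-7777-8888-9999-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: lab-pc
         Service Machine: lab-pc
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential
"""

_CREATED = re.compile(r"creation time:\s*(.+?)\s*$")
_VOLUME = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_shadow_volumes(text):
    """Return [(creation time string, shadow volume device path), ...]."""
    shadows, created = [], None
    for line in text.splitlines():
        m = _CREATED.search(line)
        if m:
            created = m.group(1)      # applies to the shadow copies that follow
            continue
        m = _VOLUME.search(line)
        if m:
            shadows.append((created, m.group(1)))
    return shadows


def hive_paths(shadow_volume, windows_dir="Windows", regback=False):
    """Map hive name -> path of that hive inside the frozen shadow volume.

    regback=True points at the RegBack backups instead of the live hives.
    """
    config = shadow_volume.rstrip("\\") + "\\" + windows_dir + "\\System32\\config"
    if regback:
        config += "\\RegBack"
    return {h: config + "\\" + h for h in HIVES}


def sha256_file(path):
    """Hash the copied evidence so the manifest ties each file to its content."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def freeze_volume(volume="C:\\"):
    """Create a new shadow copy so the hives are snapshotted at acquisition time."""
    subprocess.run(["wmic", "shadowcopy", "call", "create", f"Volume={volume}"], check=True)


def acquire(dest_dir, windows_dir="Windows"):
    """Copy every hive out of every shadow copy; return a manifest of results."""
    listing = subprocess.run(["vssadmin", "list", "shadows"],
                             capture_output=True, text=True, check=True).stdout
    os.makedirs(dest_dir, exist_ok=True)
    manifest = []
    for n, (created, volume) in enumerate(parse_shadow_volumes(listing)):
        for hive, src in hive_paths(volume, windows_dir).items():
            dst = os.path.join(dest_dir, f"shadow{n}_{hive}")
            try:
                shutil.copyfile(src, dst)
            except OSError as err:
                # Record the failure instead of silently producing an empty acquisition.
                manifest.append((created, hive, None, str(err)))
                continue
            manifest.append((created, hive, sha256_file(dst), dst))
    return manifest


if __name__ == "__main__":
    freeze_volume()
    for row in acquire("acquired_hives"):
        print(row)
```

Failures are kept in the manifest on purpose: an acquisition that reports "current and backup files: yes" but copies nothing is exactly the case where the per-hive error text is the only clue the investigator gets.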
The second component of Registry Decoder performs offline analysis (on an investigator’s lab machine) of acquired registry files. This project can be found here. The current version of this tool can process raw disk images, partition images, individual registry files, and the database of hives acquired by the online component. When given a disk image, the Sleuthkit libraries are used to parse the image and read each registry hive. This includes the ability to acquire historical files from System Restore Points as well as the RegBack folder of Vista and 7 images. Individual registry hives are processed using libraries from the RegLookup project.
After being provided with all registry-oriented evidence for a particular case, which can be any combination of registry files, disk images, and acquired databases, Registry Decoder performs a one-time pre-processing of the evidence. During this process, it creates a number of databases and metadata files that contain all information needed to analyze the files.
The analysis section of the offline component contains a number of powerful features. The first feature is Search, which searches across all registry hives in a case. The searching abilities include:
- Filtering by hive keys, name, and data
- Filtering by the last write time of keys
- Searching individual terms or with a newline delimited search term file
- Exact or wildcard-based search
- Viewing of search results
- Automated reporting of search contents to HTML, PDF, or XLS
Another important feature of Registry Decoder is its plug-in system. This facility is similar to the plugins provided by RegRipper, in that individual plugins provide very specific analysis of a subset of data contained within the registry. Output of the plugins can be automatically exported into reports, in the same manner as for registry searches.
A third feature provided by Registry Decoder is differencing of registry hives. This feature utilizes the search and plugin subsystems to illustrate differences and similarities between two registry hives. This allows for viewing of changes across time from the same computer or comparing results of searches or plugins against files from multiple computers.
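The search options listed above and the hive differencing described here, as an added example that is not Registry Decoder's code: the script models parsed hives as plain Python dicts (Registry Decoder itself reads real hives through RegLookup, which this example does not reproduce), implements term-file loading, exact or wildcard matching on key names, value names and data with a last-write time window, a key-and-value level diff between two snapshots of the same hive, and an HTML report. The two SOFTWARE snapshots, their timestamps and the "Updater" value are constructed sample data.

```python
"""Registry search and differencing over an in-memory hive model.

Added example, not Registry Decoder's code. Hives are constructed dicts of
Key objects so the script runs offline with only the standard library.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from html import escape


@dataclass
class Key:
    path: str                                   # path below the hive root
    last_write: datetime                        # key's last-write time (UTC)
    values: dict = field(default_factory=dict)  # value name -> data as text


# Two constructed snapshots of one SOFTWARE hive, a day apart.
T0 = datetime(2011, 6, 1, 9, 0, tzinfo=timezone.utc)
T1 = datetime(2011, 6, 2, 9, 0, tzinfo=timezone.utc)
RUN = "Microsoft\\Windows\\CurrentVersion\\Run"
NTCV = "Microsoft\\Windows NT\\CurrentVersion"
SIDEBAR = "C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

SOFTWARE_OLD = {
    RUN: Key(RUN, T0, {"Sidebar": SIDEBAR}),
    NTCV: Key(NTCV, T0, {"ProductName": "Windows 7 Professional"}),
}
SOFTWARE_NEW = {
    RUN: Key(RUN, T1, {"Sidebar": SIDEBAR,
                       "Updater": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"}),
    NTCV: Key(NTCV, T0, {"ProductName": "Windows 7 Professional"}),
    "Example Corp\\Agent": Key("Example Corp\\Agent", T1, {"Installed": "1"}),
}


def load_terms(text):
    """Parse a newline-delimited search-term file; blank lines are skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def _matches(term, candidate, wildcard):
    # Registry names are case-insensitive, so compare lower-cased.
    # Exact mode requires the whole name/data to equal the term; wildcard mode
    # treats the term as a glob pattern (* and ?).
    if wildcard:
        return fnmatchcase(candidate.lower(), term.lower())
    return term.lower() == candidate.lower()


def search(hive_name, hive, terms, *, wildcard=False, in_names=True,
           in_data=True, after=None, before=None):
    """Return hits as (hive, key path, where, matched text, last_write).

    'where' is "key", "value name" or "data"; after/before bound the key's
    last-write time (inclusive).
    """
    hits = []
    for key in hive.values():
        if after is not None and key.last_write < after:
            continue
        if before is not None and key.last_write > before:
            continue
        candidates = []
        if in_names:
            candidates.append(("key", key.path.rsplit("\\", 1)[-1]))
            candidates += [("value name", n) for n in key.values]
        if in_data:
            candidates += [("data", d) for d in key.values.values()]
        for term in terms:
            for where, text in candidates:
                if _matches(term, text, wildcard):
                    hits.append((hive_name, key.path, where, text, key.last_write))
    return hits


def diff_hives(old, new):
    """Compare two snapshots of the same hive: added/removed keys, and for keys
    present in both, value-level changes plus whether the last-write time moved."""
    changed = {}
    for path in set(old) & set(new):
        o, n = old[path], new[path]
        delta = {
            "values_added": sorted(set(n.values) - set(o.values)),
            "values_removed": sorted(set(o.values) - set(n.values)),
            "values_modified": sorted(v for v in set(o.values) & set(n.values)
                                      if o.values[v] != n.values[v]),
            "last_write_changed": o.last_write != n.last_write,
        }
        if any(delta.values()):   # drop keys with nothing to report
            changed[path] = delta
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


def report_html(hits):
    """Render hits as an HTML table. Registry data is untrusted input taken from
    the evidence, so every cell is escaped before it lands in the report."""
    rows = "".join("<tr>" + "".join(f"<td>{escape(str(c))}</td>"
                                    for c in (*h[:4], h[4].isoformat())) + "</tr>"
                   for h in hits)
    return ("<table><tr><th>Hive</th><th>Key</th><th>Where</th><th>Match</th>"
            "<th>Last write</th></tr>" + rows + "</table>")


if __name__ == "__main__":
    terms = load_terms("Run\n\n*.exe\n")
    for hit in search("SOFTWARE", SOFTWARE_NEW, terms, wildcard=True, after=T1):
        print(hit)
    print(diff_hives(SOFTWARE_OLD, SOFTWARE_NEW))
```

Running it lists the Run key and the new Temp-resident autostart value that appeared in the later snapshot, and the diff output shows the same change as a value addition on a key whose last-write time moved, which is the kind of across-time comparison the differencing feature is for.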
Finally, Registry Decoder supports browsing of registry hives through the file view. This is very similar to AccessData’s Registry Viewer and provides the ability to browse hives, view data, and acquire the last write time of relevant registry keys.
We hope that Registry Decoder interests you and that you will try it out in cases that you are working on. We believe that Registry Decoder significantly reduces the time, effort, and skills needed to perform complex registry analysis. By being open source and well documented, we also think that Registry Decoder provides a strong platform for future research and development within the registry forensics field. If you decide to use Registry Decoder, we would love to hear your feedback either through the comments section of the blog or you can email directly to: registrydecoder@digdeeply.com.
Norton Internet Security (version 18.6.0.29) is hitting on both the Online and Offline versions, showing them to be infected with "WS.Reputation.1".
That is strange, they are just pyinstaller-created binaries. Have not had any other AVs complain about them.
Seems like a false positive:
Behavior
WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.
The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.
Well... It is Norton...
This is an awesome resource to build on. Well done. +2 karma if it supported CLI to be automated from the command line.
There is processing supported from the commandline, it's just not documented yet. You can use the live tool on the command line through main.py (no prebuilt .exe yet though).
For the offline tool you can also already run plugins from the commandline through opencase.py.
You can also process cases from the commandline by tinkering with 'main' in start_processing.py.
What features specifically would you want through command line processing?
Can you use Registry Decoder on Linux analysis machines?
Yes, please see the instructions file for the offline component (in the downloads section on the Google Code project).
Everything but pytsk and the latest reglookup are in standard Linux repos, so most of it can be automated.
I've tried the acquisition part on two different XP machines and each time I get a mostly empty (7kb) .db file. The log file shows current and backup files - "yes," but nothing is listed under "files acquired." I've confirmed that I am running as administrator and that system restore is not shut off on the target computers. Any suggestions?
Thanks!