Thursday, November 10, 2011

Registry Analysis with Reglookup

Now that Registry Decoder 1.1 is released, we wanted to highlight two libraries that are used during Registry Decoder's pre-processing phase. The first of these is reglookup and will be the subject of this blog post. Our next post will cover pytsk.

Reglookup is developed by Timothy Morgan and is both a library as well as a set of tools. We will first discuss the tools.

Tools

reglookup [1]

The reglookup binary lists the contents of a registry hive in comma-separated format. By default it lists all the paths, last write times, and name/value pairs contained in the hive. The -s option additionally prints security descriptor information.

The -p option is the one we use most, as it filters the output to only the keys and name/value pairs under the given path. For example, -p /AccessData/Products/ lists the entries under the Products key rather than the entire hive. This is very useful for limiting output to particular sections of the registry, such as USBSTOR, network shares, and more.

We have previously released a whitepaper detailing the use of the reglookup tool to help with recovery and analysis of deleted registry hives here.

reglookup-timeline

This tool is used to create a CSV timeline based on last write times within a hive.
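As an added illustration (not code from the reglookup project or from this post), the following Python post-processor for reglookup's CSV output mirrors the -p path filter described above and the sorted last-write-time view that reglookup-timeline produces. It assumes reglookup's PATH,TYPE,VALUE,MTIME column layout with %XX-escaped special characters (check the man page for your version) and uses a constructed sample instead of a real hive dump.

```python
import re
from datetime import datetime

# Constructed sample of reglookup CSV output (not a dump of a real hive).
# Layout assumed: PATH,TYPE,VALUE,MTIME, where keys carry an MTIME, values
# leave it blank, and commas or other special characters are escaped as %XX.
SAMPLE_CSV = """PATH,TYPE,VALUE,MTIME
/ControlSet001/Enum/USBSTOR,KEY,,2011-11-09 14:02:11
/ControlSet001/Enum/USBSTOR/Disk&Ven_Example,KEY,,2011-11-09 14:02:12
/ControlSet001/Enum/USBSTOR/Disk&Ven_Example/FriendlyName,SZ,Example USB Device,
/ControlSet001/Services/Tcpip,KEY,,2011-10-01 08:15:00
/Software/AccessData/Products,KEY,,2011-11-10 09:00:00
/Software/AccessData/Products/Example%2C Tool,KEY,,2011-11-10 09:00:01
/Software/AccessData/Products/Example%2C Tool/Version,SZ,1.1,
"""

def unescape(field):
    """Decode reglookup's %XX escapes back into the literal character."""
    return re.sub(r"%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def parse_reglookup_csv(text):
    """Parse reglookup output into dicts; MTIME becomes a datetime or None."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        # Commas inside fields are %XX-escaped, so a plain split is safe.
        path, rtype, value, mtime = line.split(",", 3)
        rows.append({
            "path": unescape(path),
            "type": rtype,
            "value": unescape(value),
            "mtime": datetime.strptime(mtime, "%Y-%m-%d %H:%M:%S") if mtime else None,
        })
    return rows

def filter_path(rows, prefix):
    """Keep the key at `prefix` and its whole subtree, like reglookup -p."""
    base = prefix.rstrip("/")
    if not base:                                # "/" selects the entire hive
        return list(rows)
    return [r for r in rows
            if r["path"] == base or r["path"].startswith(base + "/")]

def timeline(rows):
    """Order keys by last-write time, the same idea as reglookup-timeline."""
    keys = [(r["mtime"], r["path"]) for r in rows
            if r["type"] == "KEY" and r["mtime"] is not None]
    return sorted(keys)
```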

reglookup-recover

This tool recovers deleted entries within registry hives and reports them in a CSV format similar to reglookup's. The theory used to recover deleted entries is covered in Tim's paper, which can be found here. This capability has obvious applications in forensic investigations, and investigators should consider adding reglookup-recover to their forensic process.

The Library

In Registry Decoder, we use the Python bindings for regfi (the C library) to enumerate every key, its last write time, and its name/value pairs in a particular hive. You can see how this is accomplished here. There is also documentation for the C library here, and many examples provided by the author for use with Python here.

In general, the library allows completely programmatic exploration and analysis of registry hives through a very straightforward API. This includes querying keys, getting their name/value pairs, retrieving security attributes, recovering deleted records from within hives, and more. With the Python bindings, very powerful analysis can be performed in only a few lines of code.

Getting Reglookup

Source code and Windows binaries for reglookup can be found on the project downloads page. There are also packages for a number of Linux distributions, but they currently carry only very old versions. We would advise acquiring reglookup from the author's web page until the Linux distributions catch up.

References

[1] http://www.linuxcertif.com/man/1/reglookup/

1 comment:

  1. Great Information. I am sure to benefit from this if I know more about Digital Forensics. Singapore