Thursday, November 10, 2011

Registry Analysis with Reglookup

Now that Registry Decoder 1.1 is released, we wanted to highlight two libraries that are used during Registry Decoder's pre-processing phase. The first of these is reglookup and will be the subject of this blog post. Our next post will cover pytsk.

Reglookup is developed by Timothy Morgan and is both a library and a set of tools. We will first discuss the tools.

Tools

reglookup [1]

The reglookup binary lists the contents of a registry hive in comma-separated (CSV) format. By default it lists every key path, its last write time, and the name/value pairs contained within the hive. The -s option prints security descriptor information as well.

The -p option is the one we use most, as it filters the output to only the keys and name/value pairs under the given path. For example, -p /AccessData/Products/ lists the entries under the Products key rather than the entire hive. This is very useful for limiting output to particular sections of the registry, such as USBSTOR, network shares, and more.

We have previously released a whitepaper detailing use of the reglookup tool to help with recovery and analysis of deleted registry hives here.

reglookup-timeline

This tool is used to create a CSV timeline based on last write times within a hive.
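The following Python script is an added example, not code from this post or from the reglookup project. It post-processes reglookup's CSV output to do two of the things described above: narrow the listing to one subtree the way the -p option does, and order keys by last write time the way reglookup-timeline does. It assumes reglookup's default column layout of PATH,TYPE,VALUE,MTIME with MTIME populated only on KEY rows and timestamps written as YYYY-MM-DD HH:MM:SS; the sample rows are constructed for the example and are not taken from a real hive.

```python
import csv
import io
from datetime import datetime

# Constructed sample of reglookup-style output; these rows are made up for the
# example and do not come from a real hive. The column layout
# PATH,TYPE,VALUE,MTIME (MTIME populated only on KEY rows) is an assumption
# about reglookup's default output; check it against your own reglookup run.
SAMPLE_CSV = """\
PATH,TYPE,VALUE,MTIME
/,KEY,,2011-10-01 12:00:00
/AccessData,KEY,,2011-10-02 08:30:00
/AccessData/Products,KEY,,2011-10-03 09:15:00
/AccessData/Products/FTK,KEY,,2011-10-03 09:15:00
/AccessData/Products/FTK/Version,SZ,3.2,
/AccessData/Other,KEY,,2011-09-20 17:45:00
/Microsoft,KEY,,2011-10-04 10:00:00
/Microsoft/Windows/CurrentVersion/Run,KEY,,2011-10-05 11:20:00
/Microsoft/Windows/CurrentVersion/Run/Updater,SZ,C:\\tools\\updater.exe,
"""


def parse_reglookup_csv(text):
    """Parse reglookup CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def under_path(rows, prefix):
    """Keep the key named by prefix and every key/value beneath it (the -p idea)."""
    prefix = "/" + prefix.strip("/")
    if prefix == "/":
        return list(rows)
    return [r for r in rows
            if r["PATH"] == prefix or r["PATH"].startswith(prefix + "/")]


def values_of_key(rows, key_path):
    """Return {value_name: (type, data)} for the values stored directly in key_path."""
    key_path = "/" + key_path.strip("/")
    base = "/" if key_path == "/" else key_path + "/"
    found = {}
    for r in rows:
        if r["TYPE"] == "KEY" or not r["PATH"].startswith(base):
            continue
        name = r["PATH"][len(base):]
        if "/" in name:          # belongs to a deeper key, not a direct child
            continue
        found[name] = (r["TYPE"], r["VALUE"])
    return found


def key_timeline(rows, newest_first=True):
    """Order every KEY row by its last write time (what reglookup-timeline does)."""
    entries = []
    for r in rows:
        if r["TYPE"] != "KEY" or not r["MTIME"]:
            continue
        when = datetime.strptime(r["MTIME"], "%Y-%m-%d %H:%M:%S")
        entries.append((when, r["PATH"]))
    entries.sort(reverse=newest_first)
    return entries


if __name__ == "__main__":
    rows = parse_reglookup_csv(SAMPLE_CSV)
    print("Entries under /AccessData/Products/:")
    for r in under_path(rows, "/AccessData/Products/"):
        print("  ", r["PATH"], r["TYPE"], r["VALUE"])
    print("Values in the Run key:",
          values_of_key(rows, "/Microsoft/Windows/CurrentVersion/Run"))
    print("Key timeline, newest first:")
    for when, path in key_timeline(rows):
        print("  ", when.isoformat(sep=" "), path)
```

On a real hive, feed the script the file produced by `reglookup hivefile > out.csv` instead of SAMPLE_CSV; because value rows carry no MTIME, the timeline is built from KEY rows only, which is why the sample keeps the Run key's values separate from its last write time.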

reglookup-recover

This tool recovers deleted entries within registry hives, and then reports them in a CSV format similar to reglookup.  The theory used to recover deleted entries is covered in Tim’s paper that can be found here. This capability has fairly obvious applications in forensics investigations, and investigators should consider adding reglookup-recover usage to their forensics process.

The Library

In Registry Decoder, we use the Python bindings for regfi (the C library) in order to enumerate every key, its last write time, and its name/value pairs in a particular hive. You can see how this is accomplished here. There is also documentation for the C library here, and many examples provided by the author for use with Python here.

In general, the library allows for completely programmatic exploration and analysis of registry hives using a very straightforward API. This includes querying keys, getting their name/value pairs, retrieving security attributes, recovering deleted records from within hives, and more. When using the Python bindings, very powerful analysis can be performed in only a few lines of code.

Getting Reglookup

Source code and Windows binaries for reglookup can be found on the project downloads page. There are also packages for a number of Linux distributions, but they currently only have very old versions. We would advise acquiring reglookup from the author's webpage until the Linux distributions catch up.

References

[1] http://www.linuxcertif.com/man/1/reglookup/

Wednesday, November 2, 2011

Registry Decoder 1.1 Released!

Digital Forensics Solutions is announcing the release of Registry Decoder 1.1, which has many completely new features and updates as well as bugfixes!  Please see our previous blog post here for the initial release of Registry Decoder.

New Features include:

- Support for processing Encase (E01) files and split images
- Full wildcard searching
- Adding evidence after a case is created
- Exporting of paths and their key/value pairs
- Timelining of keys from the GUI into the Sleuthkit format
- Running plugins from the command line
- Running custom plugins outside the main executable/package
- Support for dual boot machines

Updates include:

- Reports now have their extension appended if the user doesn't enter them
- Reports can now be filtered by either deleting results or shift/ctrl selecting results
- Users can right click within the Browse View to search directly for paths
- The name/value box in the Browse View is now sortable
- We also have six new plugins from Kevin Moore of CERT!

Major changes since 1.0:

BROKEN BACKWARDS COMPATIBILITY
All evidence created by version 1.0 of the online tool (regdecoderlive) and cases created by previous versions of the offline tool WILL NOT BE compatible with version 1.1.

We regret that we had to break compatibility with version 1.0 (and it won't happen again!), but the changes were significant and handling old data structures and databases would have required very ugly special-casing within the handling code.

The date format to filter searches has been changed to “yyyy/mm/dd” from “mm/dd/yyyy” so that dates can be directly copied & pasted from plugin and search outputs as well as from the Browse View.

Current Plans for Registry Decoder:

Registry Decoder version 1.1 currently has a “feature freeze” as we let the forensics community react and provide feedback to the new features.  The only development that will continue will be that of plugins since they do not require any core changes or enhancements.

Plugin Development:

With this release, we are also releasing our official API documentation. The API is meant to be usable by even non-programmers, and many of our plugins are less than 10 lines of Python code. The latest version of the API can be found in the downloads section of Registry Decoder.

We also want to concentrate on reaching out to other practitioners and research groups (both professional and academic) in an attempt to proliferate Registry Decoder throughout these communities. We would appreciate any plugins contributed by these communities.

Existing plugins can be found in templates/template_files within the source code tree or can be viewed online at:

To make development easier, we have created the ability to run plugins from outside the core plugins directory as well as from the command line. Full details of how to accomplish this are explained in the plugins API documentation.

Mailing List:

We have created a mailing list for future updates, announcements, and ongoing discussion of the project. Please join the list http://groups.google.com/group/registry-decoder/ if you are interested.

Training:

We are now offering Registry Decoder training to all interested parties. Please see our training page for details and contact information.

Downloads and Instructions:

As always, the two tools, as well as their instructions, can be found on their respective Google code projects http://code.google.com/p/registrydecoder/ and http://code.google.com/p/regdecoderlive/.

Before ending this post, we would like to thank a few people who helped make this release a success.  In no particular order... Tim Morgan, the author of reglookup, who helped us troubleshoot a few issues we had with the library; Michael Cohen, the author of pytsk, who helped develop in-library support for Encase and split images; and Kevin Moore of CERT, as he contributed a number of complex plugins to the project.

We would also like to thank all the beta testers that sent bug reports and feedback.

If you have any questions or comments, please either leave a comment on the blog or email registrydecoder@digdeeply.com.