Analyze Windows Registry hives for forensic investigation. Use when investigating malware persistence, user activity, system configuration changes, or evidence of program execution...
Comprehensive Windows Registry forensics skill for analyzing registry hives to uncover user activity, malware persistence, system configuration, and evidence of program execution. Enables extraction of forensically valuable artifacts from SAM, SYSTEM, SOFTWARE, NTUSER.DAT, and other registry hives.
from registry_forensics import RegistryAnalyzer, HiveParser, PersistenceScanner
# Parse registry hive
parser = HiveParser("/evidence/NTUSER.DAT")
# Get all keys
keys = parser.get_all_keys()
# Scan for persistence
scanner = PersistenceScanner("/evidence/")
persistence = scanner.scan_all_hives()
# Analyze user activity
analyzer = RegistryAnalyzer("/evidence/")
activity = analyzer.get_user_activity()
Input: Registry hive file
Process:
Output: Parsed registry structure
Example:
from registry_forensics import HiveParser
# Parse NTUSER.DAT hive
parser = HiveParser("/evidence/NTUSER.DAT")
# Get hive metadata
info = parser.get_hive_info()
print(f"Hive type: {info.hive_type}")
print(f"Last written: {info.last_written}")
print(f"Root key: {info.root_key}")
# Get all subkeys of a key
subkeys = parser.get_subkeys("Software\\Microsoft\\Windows\\CurrentVersion")
for key in subkeys:
print(f"Key: {key.name}")
print(f" Last modified: {key.last_modified}")
print(f" Values: {key.value_count}")
# Get specific value
value = parser.get_value(
"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"Shell Folders"
)
print(f"Value: {value.name} = {value.data}")
# Search for keys/values
results = parser.search("password", include_values=True)
for r in results:
print(f"Found: {r.path}")
# Export key to REG file
parser.export_key(
"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"/evidence/run_key.reg"
)
# Get all values recursively
all_values = parser.get_all_values(recursive=True)
Input: Registry hives (SOFTWARE, NTUSER.DAT, SYSTEM)
Process:
Output: Persistence mechanism inventory
Example:
from registry_forensics import PersistenceScanner
# Initialize scanner with evidence directory
scanner = PersistenceScanner("/evidence/registry/")
# Scan all persistence locations
persistence = scanner.scan_all()
for p in persistence:
print(f"Persistence: {p.location}")
print(f" Name: {p.name}")
print(f" Value: {p.value}")
print(f" Type: {p.persistence_type}")
print(f" Risk: {p.risk_level}")
# Get Run key entries
run_entries = scanner.get_run_keys()
for entry in run_entries:
print(f"Run: {entry.name} = {entry.command}")
print(f" Hive: {entry.hive}")
print(f" User: {entry.user}")
# Get services
services = scanner.get_services()
for svc in services:
print(f"Service: {svc.name}")
print(f" Display: {svc.display_name}")
print(f" Path: {svc.image_path}")
print(f" Start type: {svc.start_type}")
print(f" Account: {svc.service_account}")
# Get scheduled tasks (from registry)
tasks = scanner.get_scheduled_tasks()
# Get shell extensions
extensions = scanner.get_shell_extensions()
# Get browser helper objects
bhos = scanner.get_browser_helpers()
# Detect suspicious persistence
suspicious = scanner.find_suspicious()
for s in suspicious:
print(f"SUSPICIOUS: {s.location}")
print(f" Reason: {s.reason}")
# Export report
scanner.generate_report("/evidence/persistence_report.html")
Input: NTUSER.DAT and USRCLASS.DAT hives
Process:
Output: User activity summary
Example:
from registry_forensics import UserActivityAnalyzer
# Analyze user's registry
analyzer = UserActivityAnalyzer(
ntuser_path="/evidence/NTUSER.DAT",
usrclass_path="/evidence/USRCLASS.DAT"
)
# Get recent documents (MRU lists)
recent_docs = analyzer.get_recent_documents()
for doc in recent_docs:
print(f"Recent: {doc.filename}")
print(f" Path: {doc.path}")
print(f" Last access: {doc.last_access}")
print(f" MRU source: {doc.source}")
# Get typed paths (Explorer address bar)
typed_paths = analyzer.get_typed_paths()
for path in typed_paths:
print(f"Typed path: {path.value}")
print(f" Timestamp: {path.timestamp}")
# Get typed URLs (IE/Edge)
typed_urls = analyzer.get_typed_urls()
for url in typed_urls:
print(f"URL: {url.value}")
# Get search history (WordWheelQuery)
searches = analyzer.get_search_history()
for search in searches:
print(f"Search: {search.query}")
print(f" Timestamp: {search.timestamp}")
# Get recently opened/saved dialogs
dialogs = analyzer.get_dialog_history()
for d in dialogs:
print(f"Dialog: {d.application}")
print(f" Path: {d.last_path}")
# Get mapped network drives
network_drives = analyzer.get_network_drives()
# Get user's shell bags
shellbags = analyzer.get_shellbags()
for bag in shellbags:
print(f"ShellBag: {bag.path}")
print(f" First access: {bag.first_accessed}")
print(f" Last access: {bag.last_accessed}")
print(f" Access count: {bag.access_count}")
# Generate user activity report
analyzer.generate_report("/evidence/user_activity.html")
Input: Multiple registry hives
Process:
Output: Program execution history
Example:
from registry_forensics import ExecutionAnalyzer
# Initialize execution analyzer
analyzer = ExecutionAnalyzer(
ntuser_path="/evidence/NTUSER.DAT",
system_path="/evidence/SYSTEM",
amcache_path="/evidence/Amcache.hve"
)
# Get UserAssist data
userassist = analyzer.get_userassist()
for entry in userassist:
print(f"Program: {entry.name}")
print(f" Run count: {entry.run_count}")
print(f" Last run: {entry.last_run}")
print(f" Focus time: {entry.focus_time}")
# Get Shimcache entries
shimcache = analyzer.get_shimcache()
for entry in shimcache:
print(f"Shimcache: {entry.path}")
print(f" Last modified: {entry.last_modified}")
print(f" Executed: {entry.executed}")
# Get Amcache entries
amcache = analyzer.get_amcache()
for entry in amcache:
print(f"Amcache: {entry.filename}")
print(f" Path: {entry.full_path}")
print(f" SHA1: {entry.sha1}")
print(f" First run: {entry.first_run}")
print(f" Publisher: {entry.publisher}")
# Get BAM/DAM data (Background Activity Monitor)
bam = analyzer.get_bam_dam()
for entry in bam:
print(f"BAM: {entry.executable}")
print(f" User: {entry.user_sid}")
print(f" Last execution: {entry.last_execution}")
# Get AppCompatFlags
appcompat = analyzer.get_appcompat_flags()
# Get MUICache (executed programs with GUIs)
muicache = analyzer.get_muicache()
# Correlate all execution evidence
correlated = analyzer.correlate_execution()
for prog in correlated:
print(f"Execution: {prog.name}")
print(f" Evidence sources: {prog.sources}")
print(f" First seen: {prog.first_seen}")
print(f" Last seen: {prog.last_seen}")
print(f" Run count: {prog.estimated_runs}")
# Export execution timeline
analyzer.export_timeline("/evidence/execution_timeline.csv")
Input: SYSTEM and SOFTWARE hives
Process:
Output: USB device connection history
Example:
from registry_forensics import USBAnalyzer
# Initialize USB analyzer
analyzer = USBAnalyzer(
system_path="/evidence/SYSTEM",
software_path="/evidence/SOFTWARE"
)
# Get all USB devices
devices = analyzer.get_all_devices()
for device in devices:
print(f"USB Device: {device.friendly_name}")
print(f" Vendor ID: {device.vendor_id}")
print(f" Product ID: {device.product_id}")
print(f" Serial Number: {device.serial_number}")
print(f" First connected: {device.first_connected}")
print(f" Last connected: {device.last_connected}")
print(f" Volume GUID: {device.volume_guid}")
print(f" Drive letter: {device.drive_letter}")
print(f" User: {device.user_account}")
# Get USB storage devices specifically
storage = analyzer.get_usb_storage()
for s in storage:
print(f"Storage: {s.friendly_name}")
print(f" Capacity: {s.capacity_bytes}")
# Get mounted devices
mounted = analyzer.get_mounted_devices()
# Get device setup classes
setup = analyzer.get_device_setup()
# Correlate with NTUSER for user mapping
analyzer.add_ntuser("/evidence/NTUSER.DAT")
user_devices = analyzer.get_user_device_history()
# Generate USB history report
analyzer.generate_report("/evidence/usb_history.html")
Input: SYSTEM and SOFTWARE hives
Process:
Output: Network configuration and history
Example:
from registry_forensics import NetworkAnalyzer
# Initialize network analyzer
analyzer = NetworkAnalyzer(
system_path="/evidence/SYSTEM",
software_path="/evidence/SOFTWARE"
)
# Get network interfaces
interfaces = analyzer.get_interfaces()
for iface in interfaces:
print(f"Interface: {iface.name}")
print(f" Type: {iface.type}")
print(f" MAC: {iface.mac_address}")
print(f" DHCP: {iface.dhcp_enabled}")
print(f" IP: {iface.ip_address}")
# Get network profiles
profiles = analyzer.get_network_profiles()
for p in profiles:
print(f"Profile: {p.name}")
print(f" First connected: {p.first_connected}")
print(f" Last connected: {p.last_connected}")
print(f" Type: {p.network_type}")
print(f" Category: {p.category}")
# Get wireless network history
wireless = analyzer.get_wireless_networks()
for w in wireless:
print(f"SSID: {w.ssid}")
print(f" Authentication: {w.authentication}")
print(f" First seen: {w.first_connected}")
# Get VPN configurations
vpns = analyzer.get_vpn_connections()
for vpn in vpns:
print(f"VPN: {vpn.name}")
print(f" Server: {vpn.server_address}")
print(f" Type: {vpn.type}")
# Get DNS cache information
dns_cache = analyzer.get_dns_cache_info()
# Get proxy settings
proxy = analyzer.get_proxy_settings()
if proxy.enabled:
print(f"Proxy: {proxy.server}")
# Generate network report
analyzer.generate_report("/evidence/network_history.html")
Input: SYSTEM and SOFTWARE hives
Process:
Output: System configuration details
Example:
from registry_forensics import SystemInfoAnalyzer
# Initialize system info analyzer
analyzer = SystemInfoAnalyzer(
system_path="/evidence/SYSTEM",
software_path="/evidence/SOFTWARE"
)
# Get OS information
os_info = analyzer.get_os_info()
print(f"Product: {os_info.product_name}")
print(f"Version: {os_info.version}")
print(f"Build: {os_info.build_number}")
print(f"Install date: {os_info.install_date}")
print(f"Registered owner: {os_info.registered_owner}")
print(f"Product ID: {os_info.product_id}")
# Get computer information
computer = analyzer.get_computer_info()
print(f"Computer name: {computer.name}")
print(f"Domain/Workgroup: {computer.domain}")
print(f"Last shutdown: {computer.last_shutdown}")
# Get timezone
tz = analyzer.get_timezone()
print(f"Timezone: {tz.standard_name}")
print(f"UTC offset: {tz.utc_offset}")
print(f"DST: {tz.daylight_saving}")
# Get installed software
software = analyzer.get_installed_software()
for sw in software:
print(f"Software: {sw.display_name}")
print(f" Version: {sw.version}")
print(f" Publisher: {sw.publisher}")
print(f" Install date: {sw.install_date}")
print(f" Install location: {sw.install_location}")
# Get environment variables
env_vars = analyzer.get_environment_variables()
# Get current control set
control_set = analyzer.get_current_control_set()
print(f"Current control set: {control_set}")
# Export system info report
analyzer.generate_report("/evidence/system_info.html")
Input: SAM hive
Process:
Output: User account analysis
Example:
from registry_forensics import SAMAnalyzer
# Initialize SAM analyzer
analyzer = SAMAnalyzer("/evidence/SAM")
# Get all user accounts
users = analyzer.get_users()
for user in users:
print(f"User: {user.username}")
print(f" RID: {user.rid}")
print(f" Full name: {user.full_name}")
print(f" Comment: {user.comment}")
print(f" Account type: {user.account_type}")
print(f" Created: {user.created_date}")
print(f" Last login: {user.last_login}")
print(f" Login count: {user.login_count}")
print(f" Password last set: {user.password_last_set}")
print(f" Account expires: {user.account_expires}")
print(f" Disabled: {user.disabled}")
print(f" Password required: {user.password_required}")
print(f" Password hint: {user.password_hint}")
# Get groups
groups = analyzer.get_groups()
for group in groups:
print(f"Group: {group.name}")
print(f" Members: {group.members}")
# Get administrator accounts
admins = analyzer.get_administrators()
# Get recently created accounts
recent = analyzer.get_recent_accounts(days=30)
# Export SAM report
analyzer.generate_report("/evidence/sam_analysis.html")
Input: All registry hives
Process:
Output: Malware indicator findings
Example:
from registry_forensics import MalwareScanner
# Initialize malware scanner
scanner = MalwareScanner("/evidence/registry/")
# Scan all hives
findings = scanner.scan_all()
for finding in findings:
print(f"MALWARE INDICATOR: {finding.indicator_type}")
print(f" Location: {finding.key_path}")
print(f" Value: {finding.value_name}")
print(f" Data: {finding.value_data}")
print(f" Confidence: {finding.confidence}")
print(f" Description: {finding.description}")
# Check for known malware patterns
known = scanner.check_known_patterns()
for k in known:
print(f"Known Malware: {k.malware_family}")
print(f" Match: {k.matched_pattern}")
# Find encoded/obfuscated values
encoded = scanner.find_encoded_values()
for e in encoded:
print(f"Encoded: {e.path}")
print(f" Encoding: {e.encoding_type}")
print(f" Decoded: {e.decoded_value}")
# Find suspicious executables in autorun
suspicious_exe = scanner.find_suspicious_autoruns()
# Check for fileless malware indicators
fileless = scanner.detect_fileless_indicators()
for f in fileless:
print(f"Fileless: {f.technique}")
print(f" Evidence: {f.evidence}")
# YARA scan registry values
yara_matches = scanner.yara_scan("/rules/malware.yar")
# Export findings
scanner.export_iocs("/evidence/registry_iocs.json")
scanner.generate_report("/evidence/malware_scan.html")
Input: Registry hives with timestamps
Process:
Output: Registry-based timeline
Example:
from registry_forensics import RegistryTimeline
# Initialize timeline builder
timeline = RegistryTimeline("/evidence/registry/")
# Build timeline from all hives
events = timeline.build_timeline()
for event in events:
print(f"[{event.timestamp}] {event.event_type}")
print(f" Hive: {event.hive}")
print(f" Key: {event.key_path}")
print(f" Details: {event.details}")
# Filter timeline by date range
filtered = timeline.filter_by_date(
start="2024-01-01",
end="2024-01-31"
)
# Get events around specific time
window = timeline.get_events_around(
timestamp="2024-01-15T10:30:00",
window_minutes=60
)
# Find rapid changes (potential automation)
rapid = timeline.find_rapid_changes(
threshold=10,
window_seconds=60
)
# Get activity by hour
hourly = timeline.get_hourly_distribution()
# Export timeline
timeline.export_csv("/evidence/registry_timeline.csv")
timeline.export_json("/evidence/registry_timeline.json")
timeline.generate_html_report("/evidence/registry_timeline.html")
| Variable | Description | Required | Default |
|---|---|---|---|
REGISTRY_PARSER |
Path to registry parsing library | No | Built-in |
YARA_RULES |
Path to YARA rules for scanning | No | None |
MALWARE_HASHES |
Path to malware hash database | No | None |
TIMELINE_TZ |
Timezone for timeline display | No | UTC |
| Option | Type | Description |
|---|---|---|
parse_deleted |
boolean | Attempt to recover deleted entries |
decode_values |
boolean | Auto-decode encoded values |
include_slack |
boolean | Analyze registry slack space |
parallel |
boolean | Enable parallel processing |
cache_parsed |
boolean | Cache parsed results |
Scenario: Finding malware persistence mechanisms
from registry_forensics import RegistryAnalyzer, PersistenceScanner
# Load registry hives
scanner = PersistenceScanner("/evidence/registry/")
# Get all persistence mechanisms
persistence = scanner.scan_all()
# Filter suspicious entries
suspicious = [p for p in persistence if p.risk_level >= "medium"]
for s in suspicious:
print(f"SUSPICIOUS: {s.name}")
print(f" Location: {s.location}")
print(f" Command: {s.value}")
print(f" Risk: {s.risk_level}")
print(f" Reason: {s.risk_reason}")
# Check against known malware
known = scanner.check_against_known_malware("/hashsets/malware_commands.txt")
# Generate remediation script
scanner.generate_remediation_script("/evidence/cleanup.reg")
Scenario: Reconstructing user's actions for investigation
from registry_forensics import UserActivityAnalyzer, ExecutionAnalyzer, RegistryTimeline
# Analyze user activity
activity = UserActivityAnalyzer("/evidence/NTUSER.DAT")
# Get comprehensive activity
timeline = activity.get_full_timeline()
# Add execution evidence
execution = ExecutionAnalyzer("/evidence/")
exec_timeline = execution.correlate_execution()
# Combine with registry timeline
reg_timeline = RegistryTimeline("/evidence/registry/")
# Merge all timelines
combined = reg_timeline.merge_timelines([
activity.get_timeline(),
execution.get_timeline()
])
# Export comprehensive report
combined.generate_report(
"/evidence/user_investigation.html",
include_charts=True
)
Problem: Unable to parse registry hive Solution:
Problem: Key timestamps not available Solution:
Problem: Values appear as binary/encoded Solution:
