registry-forensics

Registry Forensics

Comprehensive Windows Registry forensics skill for analyzing registry hives to uncover user activity, malware persistence, system configuration, and evidence of program execution. Enables extraction of forensically valuable artifacts from SAM, SYSTEM, SOFTWARE, NTUSER.DAT, and other registry hives.

Capabilities

  • Registry Hive Parsing: Parse all Windows registry hive types (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, USRCLASS.DAT)
  • Persistence Analysis: Identify autorun entries, services, and scheduled tasks
  • User Activity Tracking: Extract recent documents, typed URLs, search history
  • Program Execution: Analyze UserAssist, Shimcache, Amcache, BAM/DAM
  • USB Device History: Extract connected USB device information
  • Network History: Analyze network connection history and profiles
  • System Configuration: Extract OS version, timezone, computer name
  • Malware Indicators: Detect known malicious registry patterns
  • Timeline Generation: Create registry-based activity timeline
  • Registry Comparison: Compare registry states for change detection

Quick Start

```python
from registry_forensics import RegistryAnalyzer, HiveParser, PersistenceScanner

# Parse registry hive
parser = HiveParser("/evidence/NTUSER.DAT")

# Get all keys
keys = parser.get_all_keys()

# Scan for persistence
scanner = PersistenceScanner("/evidence/")
persistence = scanner.scan_all_hives()

# Analyze user activity
analyzer = RegistryAnalyzer("/evidence/")
activity = analyzer.get_user_activity()
```

Usage

使用指南

Task 1: Registry Hive Parsing

Input: Registry hive file
Process:
  1. Load and validate hive file
  2. Parse hive structure
  3. Enumerate keys and values
  4. Extract metadata
  5. Generate hive summary
Output: Parsed registry structure
Example:
```python
from registry_forensics import HiveParser

# Parse NTUSER.DAT hive
parser = HiveParser("/evidence/NTUSER.DAT")

# Get hive metadata
info = parser.get_hive_info()
print(f"Hive type: {info.hive_type}")
print(f"Last written: {info.last_written}")
print(f"Root key: {info.root_key}")

# Get all subkeys of a key (raw strings: registry paths contain backslashes,
# which would otherwise be read as escape sequences)
subkeys = parser.get_subkeys(r"Software\Microsoft\Windows\CurrentVersion")
for key in subkeys:
    print(f"Key: {key.name}")
    print(f"  Last modified: {key.last_modified}")
    print(f"  Values: {key.value_count}")

# Get specific value
value = parser.get_value(
    r"Software\Microsoft\Windows\CurrentVersion\Explorer",
    "Shell Folders"
)
print(f"Value: {value.name} = {value.data}")

# Search for keys/values
results = parser.search("password", include_values=True)
for r in results:
    print(f"Found: {r.path}")

# Export key to REG file
parser.export_key(
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    "/evidence/run_key.reg"
)

# Get all values recursively
all_values = parser.get_all_values(recursive=True)
```
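The loading and validation steps above (load and validate the hive, extract metadata) are what any parser does before it touches a single key. The following is an added example, not code from the registry_forensics package: using only the standard library it reads the REGF base block (the first 4096 bytes of a hive), checks the signature and the XOR-32 checksum, extracts the last-written timestamp, format version and embedded file name, and flags a dirty hive, where the primary and secondary sequence numbers differ and the .LOG1/.LOG2 transaction logs may hold writes that never reached the hive. The sample base block is constructed inline; the function names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096   # the REGF base block occupies the first 4 KiB of a hive
CHECKSUM_OFFSET = 0x1FC  # XOR-32 checksum of the 127 DWORDs that precede it


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the little-endian DWORDs before the checksum field; the two reserved
    results are remapped the way Windows stores them (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1)."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def parse_base_block(data: bytes) -> dict:
    """Validate the REGF signature and checksum and extract hive metadata."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a REGF hive: bad size or signature")
    base = data[:BASE_BLOCK_SIZE]
    (primary_seq, secondary_seq, last_written, major, minor,
     _file_type, _file_format, root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", base, 4)
    file_name = base[0x30:0x30 + 64].decode("utf-16-le").rstrip("\x00")
    stored = struct.unpack_from("<I", base, CHECKSUM_OFFSET)[0]
    return {
        "file_name": file_name,
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(last_written),
        "root_cell_offset": BASE_BLOCK_SIZE + root_cell,  # cell offsets are relative to the first hbin
        "hbins_size": hbins_size,
        "checksum_ok": stored == regf_checksum(base),
        # unequal sequence numbers: the hive was not flushed cleanly, check the transaction logs
        "dirty": primary_seq != secondary_seq,
    }


def build_sample_base_block(dirty: bool = False) -> bytes:
    """Constructed base block for demonstration only; not taken from a real system."""
    base = bytearray(BASE_BLOCK_SIZE)
    base[0:4] = b"regf"
    last_written = 133_000_000_000_000_000  # constructed FILETIME, falls in mid-2022
    struct.pack_into("<IIQIIIIII", base, 4,
                     7, 6 if dirty else 7,   # primary / secondary sequence numbers
                     last_written, 1, 5,     # timestamp, major version 1, minor version 5
                     0, 1,                   # file type 0 (primary hive), file format 1
                     0x20, 0x1000)           # root cell offset, size of the hive bins data
    name = r"\??\C:\Users\alice\ntuser.dat".encode("utf-16-le")
    base[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", base, CHECKSUM_OFFSET, regf_checksum(bytes(base)))
    return bytes(base)


if __name__ == "__main__":
    for key, val in parse_base_block(build_sample_base_block()).items():
        print(f"{key}: {val}")
```

A failed checksum or a dirty flag is not itself evidence of tampering; both are routine after an unclean shutdown or a live acquisition. What they do tell the examiner is that the hive should be replayed against its transaction logs (or the logs examined separately) before key timestamps are relied on.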

Task 2: Persistence Mechanism Analysis

Input: Registry hives (SOFTWARE, NTUSER.DAT, SYSTEM)
Process:
  1. Load relevant hives
  2. Check common persistence locations
  3. Analyze autorun entries
  4. Identify suspicious entries
  5. Correlate with known malware
Output: Persistence mechanism inventory
Example:
```python
from registry_forensics import PersistenceScanner

# Initialize scanner with evidence directory
scanner = PersistenceScanner("/evidence/registry/")

# Scan all persistence locations
persistence = scanner.scan_all()
for p in persistence:
    print(f"Persistence: {p.location}")
    print(f"  Name: {p.name}")
    print(f"  Value: {p.value}")
    print(f"  Type: {p.persistence_type}")
    print(f"  Risk: {p.risk_level}")

# Get Run key entries
run_entries = scanner.get_run_keys()
for entry in run_entries:
    print(f"Run: {entry.name} = {entry.command}")
    print(f"  Hive: {entry.hive}")
    print(f"  User: {entry.user}")

# Get services
services = scanner.get_services()
for svc in services:
    print(f"Service: {svc.name}")
    print(f"  Display: {svc.display_name}")
    print(f"  Path: {svc.image_path}")
    print(f"  Start type: {svc.start_type}")
    print(f"  Account: {svc.service_account}")

# Get scheduled tasks (from registry)
tasks = scanner.get_scheduled_tasks()

# Get shell extensions
extensions = scanner.get_shell_extensions()

# Get browser helper objects
bhos = scanner.get_browser_helpers()

# Detect suspicious persistence
suspicious = scanner.find_suspicious()
for s in suspicious:
    print(f"SUSPICIOUS: {s.location}")
    print(f"  Reason: {s.reason}")

# Export report
scanner.generate_report("/evidence/persistence_report.html")
```
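Steps 2 to 4 above (check persistence locations, analyze autorun entries, identify suspicious ones) come down to scoring each Run value by where its program lives and how it is launched. The following is an added example, not the PersistenceScanner's own logic: a triage over constructed Run entries that raises the risk level for programs in user-writable directories, for launcher binaries such as script hosts, for encoded command-line arguments and for non-absolute paths. The RunEntry class, the scoring thresholds and the sample entries are this example's assumptions. The heuristics are deliberately coarse: a legitimate updater living in AppData lands at medium, which means "review", not "malicious".

```python
import re
from dataclasses import dataclass, field

# Directories a standard user can write to; a persistent program there deserves a second look.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
# Script hosts and signed Windows binaries that are commonly used to launch something else.
LAUNCHERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
             "rundll32.exe", "regsvr32.exe", "cmd.exe"}
ENCODED_ARGUMENT = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RunEntry:
    """One autorun value (assumed shape for this example, not the scanner's own type)."""
    hive: str        # e.g. "SOFTWARE" (machine-wide) or "NTUSER.DAT" (per user)
    key_path: str
    name: str
    command: str
    risk_level: str = "low"
    reasons: list = field(default_factory=list)


def first_executable(command: str) -> str:
    """The program path from a Run value: the quoted token if present, otherwise the first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def triage(entry: RunEntry) -> RunEntry:
    """Assign a risk level from coarse, explainable heuristics; every reason is recorded."""
    exe = first_executable(entry.command)
    exe_name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    score = 0
    if USER_WRITABLE.search(exe):
        score += 2
        entry.reasons.append("executable in user-writable directory")
    if exe_name in LAUNCHERS:
        score += 1
        entry.reasons.append(f"launcher binary {exe_name}")
    if ENCODED_ARGUMENT.search(entry.command):
        score += 2
        entry.reasons.append("encoded command-line argument")
    if exe and not ABSOLUTE_PATH.match(exe):
        score += 1
        entry.reasons.append("non-absolute path resolved through PATH")
    entry.risk_level = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return entry


def triage_all(entries) -> list:
    return [triage(e) for e in entries]


def at_least(entries, minimum: str = "medium") -> list:
    """Filter already-triaged entries by rank, not by string comparison of the level names."""
    return [e for e in entries if RISK_RANK[e.risk_level] >= RISK_RANK[minimum]]


# Constructed sample entries (not from a real system).
SAMPLE_RUN_ENTRIES = [
    RunEntry("SOFTWARE", r"Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
             r"C:\Windows\System32\SecurityHealthSystray.exe"),
    RunEntry("NTUSER.DAT", r"Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry("NTUSER.DAT", r"Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
             "powershell.exe -enc QUFBQQ=="),  # placeholder base64 that decodes to "AAAA"
]

if __name__ == "__main__":
    for e in at_least(triage_all(SAMPLE_RUN_ENTRIES)):
        print(f"{e.risk_level.upper():6} {e.hive} {e.name}: {e.command}")
        for reason in e.reasons:
            print(f"       - {reason}")
```

Keeping the reasons alongside the level is what makes the output reviewable: an analyst can see why an entry scored as it did and correct the heuristics (for example, allow-listing a known updater path) instead of trusting an opaque label.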

Task 3: User Activity Analysis

Input: NTUSER.DAT and USRCLASS.DAT hives
Process:
  1. Parse user registry hives
  2. Extract recent documents
  3. Get typed paths and URLs
  4. Analyze search history
  5. Extract user preferences
Output: User activity summary
Example:
```python
from registry_forensics import UserActivityAnalyzer

# Analyze user's registry
analyzer = UserActivityAnalyzer(
    ntuser_path="/evidence/NTUSER.DAT",
    usrclass_path="/evidence/USRCLASS.DAT"
)

# Get recent documents (MRU lists)
recent_docs = analyzer.get_recent_documents()
for doc in recent_docs:
    print(f"Recent: {doc.filename}")
    print(f"  Path: {doc.path}")
    print(f"  Last access: {doc.last_access}")
    print(f"  MRU source: {doc.source}")

# Get typed paths (Explorer address bar)
typed_paths = analyzer.get_typed_paths()
for path in typed_paths:
    print(f"Typed path: {path.value}")
    print(f"  Timestamp: {path.timestamp}")

# Get typed URLs (IE/Edge)
typed_urls = analyzer.get_typed_urls()
for url in typed_urls:
    print(f"URL: {url.value}")

# Get search history (WordWheelQuery)
searches = analyzer.get_search_history()
for search in searches:
    print(f"Search: {search.query}")
    print(f"  Timestamp: {search.timestamp}")

# Get recently opened/saved dialogs
dialogs = analyzer.get_dialog_history()
for d in dialogs:
    print(f"Dialog: {d.application}")
    print(f"  Path: {d.last_path}")

# Get mapped network drives
network_drives = analyzer.get_network_drives()

# Get user's shell bags
shellbags = analyzer.get_shellbags()
for bag in shellbags:
    print(f"ShellBag: {bag.path}")
    print(f"  First access: {bag.first_accessed}")
    print(f"  Last access: {bag.last_accessed}")
    print(f"  Access count: {bag.access_count}")

# Generate user activity report
analyzer.generate_report("/evidence/user_activity.html")
```

Task 4: Program Execution Analysis

Input: Multiple registry hives
Process:
  1. Parse UserAssist entries
  2. Analyze Shimcache
  3. Parse Amcache
  4. Check BAM/DAM
  5. Correlate execution evidence
Output: Program execution history
Example:
```python
from registry_forensics import ExecutionAnalyzer

# Initialize execution analyzer
analyzer = ExecutionAnalyzer(
    ntuser_path="/evidence/NTUSER.DAT",
    system_path="/evidence/SYSTEM",
    amcache_path="/evidence/Amcache.hve"
)

# Get UserAssist data
userassist = analyzer.get_userassist()
for entry in userassist:
    print(f"Program: {entry.name}")
    print(f"  Run count: {entry.run_count}")
    print(f"  Last run: {entry.last_run}")
    print(f"  Focus time: {entry.focus_time}")

# Get Shimcache entries
shimcache = analyzer.get_shimcache()
for entry in shimcache:
    print(f"Shimcache: {entry.path}")
    print(f"  Last modified: {entry.last_modified}")
    print(f"  Executed: {entry.executed}")

# Get Amcache entries
amcache = analyzer.get_amcache()
for entry in amcache:
    print(f"Amcache: {entry.filename}")
    print(f"  Path: {entry.full_path}")
    print(f"  SHA1: {entry.sha1}")
    print(f"  First run: {entry.first_run}")
    print(f"  Publisher: {entry.publisher}")

# Get BAM/DAM data (Background Activity Monitor)
bam = analyzer.get_bam_dam()
for entry in bam:
    print(f"BAM: {entry.executable}")
    print(f"  User: {entry.user_sid}")
    print(f"  Last execution: {entry.last_execution}")

# Get AppCompatFlags
appcompat = analyzer.get_appcompat_flags()

# Get MUICache (executed programs with GUIs)
muicache = analyzer.get_muicache()

# Correlate all execution evidence
correlated = analyzer.correlate_execution()
for prog in correlated:
    print(f"Execution: {prog.name}")
    print(f"  Evidence sources: {prog.sources}")
    print(f"  First seen: {prog.first_seen}")
    print(f"  Last seen: {prog.last_seen}")
    print(f"  Run count: {prog.estimated_runs}")

# Export execution timeline
analyzer.export_timeline("/evidence/execution_timeline.csv")
```
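UserAssist (step 1 above) stores its value names ROT13-encoded and, on Windows 7 and later, a 72-byte binary record per program: run count at offset 4, focus count at 8, focus time in milliseconds at 12 and the last-run FILETIME at 60. The following is an added example, not the ExecutionAnalyzer's code: it decodes the names, substitutes the System32 known-folder GUID that Windows writes in place of the path, parses the record, and treats an all-zero FILETIME as "never run" rather than as the year 1601. The records are constructed inline; the single known-folder mapping (taken from the Windows KNOWNFOLDERID list) and the helper names are this example's assumptions.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

UA_RECORD_SIZE = 72  # Windows 7 and later record layout
# UserAssist names use known-folder GUIDs instead of paths; only the System32
# mapping is included here (assumed from the Windows KNOWNFOLDERID list).
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32"}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def decode_userassist_name(raw_name: str) -> str:
    """Value names are ROT13; the GUID inside is rotated too, so substitute after decoding."""
    name = codecs.decode(raw_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        name = name.replace(guid, folder)
    return name


def parse_userassist_record(data: bytes) -> dict:
    """Parse one 72-byte record; raises ValueError for records of another layout."""
    if len(data) != UA_RECORD_SIZE:
        raise ValueError(f"unexpected UserAssist record size {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # a zero FILETIME means no execution was recorded, not 1601-01-01
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def parse_userassist_values(values: dict) -> list:
    """values maps raw (ROT13) value name -> raw binary data, as read from a Count subkey.
    Returns decoded entries ordered by run count, most-run first."""
    entries = []
    for raw_name, data in values.items():
        try:
            record = parse_userassist_record(data)
        except ValueError:
            continue  # skip UEME_CTLSESSION and other non-program records
        entries.append({"name": decode_userassist_name(raw_name), **record})
    return sorted(entries, key=lambda e: e["run_count"], reverse=True)


def build_sample_values() -> dict:
    """Constructed Count-subkey contents (not from a real system): a program run
    five times, the session record, and an entry that was never executed."""
    def record(run_count, focus_count, focus_ms, last_run_ft):
        buf = bytearray(UA_RECORD_SIZE)
        struct.pack_into("<III", buf, 4, run_count, focus_count, focus_ms)
        struct.pack_into("<Q", buf, 60, last_run_ft)
        return bytes(buf)

    cmd = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe"
    return {
        # ROT13 is its own inverse, so encoding here yields exactly what the hive stores
        codecs.encode(cmd, "rot_13"): record(5, 3, 125_000, 133_500_000_000_000_000),
        codecs.encode("UEME_CTLSESSION", "rot_13"): b"\x00" * 8,   # different layout, skipped
        codecs.encode("Microsoft.Windows.Explorer", "rot_13"): record(0, 0, 0, 0),
    }


if __name__ == "__main__":
    for e in parse_userassist_values(build_sample_values()):
        print(f"{e['name']}: runs={e['run_count']} focus={e['focus_time']} last={e['last_run']}")
```

The run count and last-run time are the two fields worth correlating with Shimcache and Amcache in step 5: UserAssist only records programs launched through the Explorer shell, so a binary that appears in Amcache but has no UserAssist entry may have been started by a service, a script or another process rather than by the user.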

Task 5: USB Device History

Input: SYSTEM and SOFTWARE hives
Process:
  1. Parse USB device entries
  2. Extract device details
  3. Determine first/last connection
  4. Map to volume information
  5. Identify device owners
Output: USB device connection history
Example:
```python
from registry_forensics import USBAnalyzer

# Initialize USB analyzer
analyzer = USBAnalyzer(
    system_path="/evidence/SYSTEM",
    software_path="/evidence/SOFTWARE"
)

# Get all USB devices
devices = analyzer.get_all_devices()
for device in devices:
    print(f"USB Device: {device.friendly_name}")
    print(f"  Vendor ID: {device.vendor_id}")
    print(f"  Product ID: {device.product_id}")
    print(f"  Serial Number: {device.serial_number}")
    print(f"  First connected: {device.first_connected}")
    print(f"  Last connected: {device.last_connected}")
    print(f"  Volume GUID: {device.volume_guid}")
    print(f"  Drive letter: {device.drive_letter}")
    print(f"  User: {device.user_account}")

# Get USB storage devices specifically
storage = analyzer.get_usb_storage()
for s in storage:
    print(f"Storage: {s.friendly_name}")
    print(f"  Capacity: {s.capacity_bytes}")

# Get mounted devices
mounted = analyzer.get_mounted_devices()

# Get device setup classes
setup = analyzer.get_device_setup()

# Correlate with NTUSER for user mapping
analyzer.add_ntuser("/evidence/NTUSER.DAT")
user_devices = analyzer.get_user_device_history()

# Generate USB history report
analyzer.generate_report("/evidence/usb_history.html")
```
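Steps 1, 2 and 4 above (parse USB device entries, extract device details, map to volume information) can be shown without the library. The following is an added example, not the USBAnalyzer's code: it parses USBSTOR key names of the form Disk&Ven_X&Prod_Y&Rev_Z, treats an instance ID whose second character is '&' as an ID that Windows generated because the device reported no serial number (such a device cannot be tracked across machines by serial alone), and recovers drive letters by matching the instance ID inside the UTF-16LE device paths stored in MountedDevices \DosDevices\X: values. The USBSTOR and MountedDevices contents are constructed in-memory dictionaries standing in for the parsed SYSTEM hive; the class and function names are this example's own.

```python
from dataclasses import dataclass

# GUID_DEVINTERFACE_DISK, the interface class that appears in MountedDevices entries for disks
DISK_INTERFACE = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"


@dataclass
class UsbStorageDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    serial_generated: bool   # True when Windows synthesised the instance ID
    drive_letters: list


def parse_device_key(device_key: str) -> dict:
    """'Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00' -> {'Ven': 'SanDisk', 'Prod': 'Cruzer_Blade', 'Rev': '1.00'}"""
    fields = {}
    for part in device_key.split("&")[1:]:
        tag, _, value = part.partition("_")
        fields[tag] = value
    return fields


def is_generated_serial(instance_id: str) -> bool:
    """An '&' as the second character marks an instance ID made up by Windows."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def drive_letters_for(serial: str, mounted_devices: dict) -> list:
    """Search MountedDevices (\\DosDevices\\X: values holding UTF-16LE device paths) for this instance."""
    needle = f"#{serial}#{DISK_INTERFACE}".lower()
    letters = []
    for value_name, data in mounted_devices.items():
        if not value_name.startswith("\\DosDevices\\"):
            continue
        text = data.decode("utf-16-le", errors="ignore").lower()
        if "usbstor#" in text and needle in text:
            letters.append(value_name.rsplit("\\", 1)[-1])
    return letters


def enumerate_usb_storage(usbstor: dict, mounted_devices: dict) -> list:
    """usbstor maps each USBSTOR subkey name to its list of instance-ID subkeys."""
    devices = []
    for device_key, instances in usbstor.items():
        f = parse_device_key(device_key)
        for instance_id in instances:
            devices.append(UsbStorageDevice(
                vendor=f.get("Ven", ""), product=f.get("Prod", ""), revision=f.get("Rev", ""),
                serial=instance_id, serial_generated=is_generated_serial(instance_id),
                drive_letters=drive_letters_for(instance_id, mounted_devices)))
    return devices


# Constructed sample data (not from a real system), shaped like
# SYSTEM\CurrentControlSet\Enum\USBSTOR and SYSTEM\MountedDevices.
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001230511115172&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&1a2b3c4d&0"],  # no real serial
}
SAMPLE_MOUNTED = {
    # fixed disk: 4-byte disk signature followed by the 8-byte partition offset
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "0010000000000000"),
    "\\DosDevices\\E:": ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#"
                         "4C530001230511115172&0#" + DISK_INTERFACE).encode("utf-16-le"),
}

if __name__ == "__main__":
    for d in enumerate_usb_storage(SAMPLE_USBSTOR, SAMPLE_MOUNTED):
        origin = "generated by Windows" if d.serial_generated else "device serial"
        print(f"{d.vendor} {d.product} rev {d.revision}: {d.serial} ({origin}) -> {d.drive_letters}")
```

A generated instance ID is specific to the host and the port the device was plugged into, so two machines that both show "7&1a2b3c4d&0" have not necessarily seen the same stick; only a device-reported serial supports that conclusion.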

Task 6: Network Configuration Analysis

Input: SYSTEM and SOFTWARE hives
Process:
  1. Parse network profiles
  2. Extract connection history
  3. Get interface configuration
  4. Analyze wireless networks
  5. Check VPN configurations
Output: Network configuration and history
Example:
```python
from registry_forensics import NetworkAnalyzer

# Initialize network analyzer
analyzer = NetworkAnalyzer(
    system_path="/evidence/SYSTEM",
    software_path="/evidence/SOFTWARE"
)

# Get network interfaces
interfaces = analyzer.get_interfaces()
for iface in interfaces:
    print(f"Interface: {iface.name}")
    print(f"  Type: {iface.type}")
    print(f"  MAC: {iface.mac_address}")
    print(f"  DHCP: {iface.dhcp_enabled}")
    print(f"  IP: {iface.ip_address}")

# Get network profiles
profiles = analyzer.get_network_profiles()
for p in profiles:
    print(f"Profile: {p.name}")
    print(f"  First connected: {p.first_connected}")
    print(f"  Last connected: {p.last_connected}")
    print(f"  Type: {p.network_type}")
    print(f"  Category: {p.category}")

# Get wireless network history
wireless = analyzer.get_wireless_networks()
for w in wireless:
    print(f"SSID: {w.ssid}")
    print(f"  Authentication: {w.authentication}")
    print(f"  First seen: {w.first_connected}")

# Get VPN configurations
vpns = analyzer.get_vpn_connections()
for vpn in vpns:
    print(f"VPN: {vpn.name}")
    print(f"  Server: {vpn.server_address}")
    print(f"  Type: {vpn.type}")

# Get DNS cache information
dns_cache = analyzer.get_dns_cache_info()

# Get proxy settings
proxy = analyzer.get_proxy_settings()
if proxy.enabled:
    print(f"Proxy: {proxy.server}")

# Generate network report
analyzer.generate_report("/evidence/network_history.html")
```

Task 7: System Information Extraction

Input: SYSTEM and SOFTWARE hives
Process:
  1. Extract OS information
  2. Get computer name/domain
  3. Extract timezone
  4. Get installed software
  5. Determine system configuration
Output: System configuration details
Example:
```python
from registry_forensics import SystemInfoAnalyzer

# Initialize system info analyzer
analyzer = SystemInfoAnalyzer(
    system_path="/evidence/SYSTEM",
    software_path="/evidence/SOFTWARE"
)

# Get OS information
os_info = analyzer.get_os_info()
print(f"Product: {os_info.product_name}")
print(f"Version: {os_info.version}")
print(f"Build: {os_info.build_number}")
print(f"Install date: {os_info.install_date}")
print(f"Registered owner: {os_info.registered_owner}")
print(f"Product ID: {os_info.product_id}")

# Get computer information
computer = analyzer.get_computer_info()
print(f"Computer name: {computer.name}")
print(f"Domain/Workgroup: {computer.domain}")
print(f"Last shutdown: {computer.last_shutdown}")

# Get timezone
tz = analyzer.get_timezone()
print(f"Timezone: {tz.standard_name}")
print(f"UTC offset: {tz.utc_offset}")
print(f"DST: {tz.daylight_saving}")

# Get installed software
software = analyzer.get_installed_software()
for sw in software:
    print(f"Software: {sw.display_name}")
    print(f"  Version: {sw.version}")
    print(f"  Publisher: {sw.publisher}")
    print(f"  Install date: {sw.install_date}")
    print(f"  Install location: {sw.install_location}")

# Get environment variables
env_vars = analyzer.get_environment_variables()

# Get current control set
control_set = analyzer.get_current_control_set()
print(f"Current control set: {control_set}")

# Export system info report
analyzer.generate_report("/evidence/system_info.html")
```

Task 8: SAM Analysis (User Accounts)

Input: SAM hive
Process:
  1. Parse SAM hive
  2. Extract user accounts
  3. Get account metadata
  4. Analyze login information
  5. Extract password hints
Output: User account analysis
Example:
```python
from registry_forensics import SAMAnalyzer

# Initialize SAM analyzer
analyzer = SAMAnalyzer("/evidence/SAM")

# Get all user accounts
users = analyzer.get_users()
for user in users:
    print(f"User: {user.username}")
    print(f"  RID: {user.rid}")
    print(f"  Full name: {user.full_name}")
    print(f"  Comment: {user.comment}")
    print(f"  Account type: {user.account_type}")
    print(f"  Created: {user.created_date}")
    print(f"  Last login: {user.last_login}")
    print(f"  Login count: {user.login_count}")
    print(f"  Password last set: {user.password_last_set}")
    print(f"  Account expires: {user.account_expires}")
    print(f"  Disabled: {user.disabled}")
    print(f"  Password required: {user.password_required}")
    print(f"  Password hint: {user.password_hint}")

# Get groups
groups = analyzer.get_groups()
for group in groups:
    print(f"Group: {group.name}")
    print(f"  Members: {group.members}")

# Get administrator accounts
admins = analyzer.get_administrators()

# Get recently created accounts
recent = analyzer.get_recent_accounts(days=30)

# Export SAM report
analyzer.generate_report("/evidence/sam_analysis.html")
```

Task 9: Malware Detection in Registry

Input: All registry hives
Process:
  1. Scan for known malware indicators
  2. Check suspicious key patterns
  3. Analyze encoded values
  4. Detect obfuscation
  5. Generate IOCs
Output: Malware indicator findings
Example:
```python
from registry_forensics import MalwareScanner

# Initialize malware scanner
scanner = MalwareScanner("/evidence/registry/")

# Scan all hives
findings = scanner.scan_all()
for finding in findings:
    print(f"MALWARE INDICATOR: {finding.indicator_type}")
    print(f"  Location: {finding.key_path}")
    print(f"  Value: {finding.value_name}")
    print(f"  Data: {finding.value_data}")
    print(f"  Confidence: {finding.confidence}")
    print(f"  Description: {finding.description}")

# Check for known malware patterns
known = scanner.check_known_patterns()
for k in known:
    print(f"Known Malware: {k.malware_family}")
    print(f"  Match: {k.matched_pattern}")

# Find encoded/obfuscated values
encoded = scanner.find_encoded_values()
for e in encoded:
    print(f"Encoded: {e.path}")
    print(f"  Encoding: {e.encoding_type}")
    print(f"  Decoded: {e.decoded_value}")

# Find suspicious executables in autorun
suspicious_exe = scanner.find_suspicious_autoruns()

# Check for fileless malware indicators
fileless = scanner.detect_fileless_indicators()
for f in fileless:
    print(f"Fileless: {f.technique}")
    print(f"  Evidence: {f.evidence}")

# YARA scan registry values
yara_matches = scanner.yara_scan("/rules/malware.yar")

# Export findings
scanner.export_iocs("/evidence/registry_iocs.json")
scanner.generate_report("/evidence/malware_scan.html")
```
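Steps 3 and 4 above (analyze encoded values, detect obfuscation) rest on a simple observation: a registry string that decodes cleanly from base64 or hex into printable text, and in particular into UTF-16LE text, was most likely stored encoded on purpose. The following is an added example, not the MalwareScanner's code: it applies that check to a constructed set of values, prefers the hex interpretation when a string is valid as both, and rejects short or non-printable decodings so that ordinary program names are not reported. The "encoded" sample values decode to harmless text; the function names and result fields are this example's own.

```python
import base64
import binascii
import re
import string

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")
PRINTABLE = set(string.printable)


def printable_ratio(text: str) -> float:
    return sum(ch in PRINTABLE for ch in text) / max(len(text), 1)


def bytes_to_text(raw: bytes) -> tuple:
    """Prefer UTF-16LE when every high byte is zero (the shape of an encoded
    PowerShell command line), otherwise decode as UTF-8."""
    if len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace"), "utf-16le"
    return raw.decode("utf-8", errors="replace"), "utf-8"


def classify_value(data: str):
    """Return {'encoding', 'charset', 'decoded'} when data looks like encoded text, else None."""
    s = data.strip()
    candidates = []
    # hex first: every hex string is also a syntactically valid base64 string
    if HEX_RE.match(s):
        candidates.append(("hex", bytes.fromhex(s)))
    if BASE64_RE.match(s) and len(s) % 4 == 0:
        try:
            candidates.append(("base64", base64.b64decode(s, validate=True)))
        except binascii.Error:
            pass
    for encoding, raw in candidates:
        text, charset = bytes_to_text(raw)
        # decoded garbage is mostly non-printable; real commands and paths are not
        if printable_ratio(text) >= 0.9:
            return {"encoding": encoding, "charset": charset, "decoded": text}
    return None


def find_encoded_values(values: dict) -> list:
    """values maps 'key path\\value name' -> string data (REG_SZ / REG_EXPAND_SZ)."""
    findings = []
    for path, data in values.items():
        if not isinstance(data, str):
            continue
        result = classify_value(data)
        if result:
            findings.append({"path": path, **result})
    return findings


# Constructed registry values (not from a real system).
SAMPLE_VALUES = {
    r"Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r"Software\Microsoft\Windows\CurrentVersion\Run\Helper":
        base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii"),
    r"Software\Demo\Blob": "Get-Date".encode("utf-8").hex(),
    r"Software\Demo\Short": "OneDriveSetup",
}

if __name__ == "__main__":
    for f in find_encoded_values(SAMPLE_VALUES):
        print(f"{f['path']}: {f['encoding']}/{f['charset']} -> {f['decoded']!r}")
```

The printable-ratio gate is the part worth tuning: lowering it catches encoded binary blobs at the cost of more false positives from long alphanumeric product keys and GUID-like names, which is why a finding here should feed the confidence field of a report rather than a verdict.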

Task 10: Registry Timeline Generation

Input: Registry hives with timestamps
Process:
  1. Extract key last-write times
  2. Correlate temporal data
  3. Build activity timeline
  4. Identify suspicious timing
  5. Export timeline
Output: Registry-based timeline
Example:
```python
from registry_forensics import RegistryTimeline

# Initialize timeline builder
timeline = RegistryTimeline("/evidence/registry/")

# Build timeline from all hives
events = timeline.build_timeline()
for event in events:
    print(f"[{event.timestamp}] {event.event_type}")
    print(f"  Hive: {event.hive}")
    print(f"  Key: {event.key_path}")
    print(f"  Details: {event.details}")

# Filter timeline by date range
filtered = timeline.filter_by_date(
    start="2024-01-01",
    end="2024-01-31"
)

# Get events around a specific time
window = timeline.get_events_around(
    timestamp="2024-01-15T10:30:00",
    window_minutes=60
)

# Find rapid changes (potential automation)
rapid = timeline.find_rapid_changes(
    threshold=10,
    window_seconds=60
)

# Get activity by hour
hourly = timeline.get_hourly_distribution()

# Export timeline
timeline.export_csv("/evidence/registry_timeline.csv")
timeline.export_json("/evidence/registry_timeline.json")
timeline.generate_html_report("/evidence/registry_timeline.html")
```
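As an added example that is not part of the page or of the registry_forensics library, the following shows the two steps behind a registry timeline and its rapid-change check: key last-write FILETIME values (100-nanosecond ticks since 1601) are converted to UTC and ordered into events, then scanned for bursts of key writes the way find_rapid_changes is described. The hive names, key paths, timestamps and helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC; only registry keys
# carry such a last-write time. Python datetimes hold microseconds, so the last
# digit of each tick count is dropped in the conversion.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def build_timeline(keys):
    """keys: (hive, key_path, last_write_filetime) tuples -> events sorted by time."""
    events = [{"timestamp": filetime_to_datetime(ft), "hive": h, "key_path": p}
              for h, p, ft in keys]
    return sorted(events, key=lambda e: e["timestamp"])

def find_rapid_changes(events, threshold=10, window_seconds=60):
    """Flag bursts: any sliding window of window_seconds that holds at least
    threshold key writes. Returns a list of bursts, each a list of events."""
    window, flagged, start = timedelta(seconds=window_seconds), set(), 0
    for end, ev in enumerate(events):
        while ev["timestamp"] - events[start]["timestamp"] > window:
            start += 1
        if end - start + 1 >= threshold:
            flagged.update(range(start, end + 1))
    bursts, run = [], []
    for i in sorted(flagged):
        if run and i != run[-1] + 1:      # gap in flagged indices: close the burst
            bursts.append([events[j] for j in run])
            run = []
        run.append(i)
    if run:
        bursts.append([events[j] for j in run])
    return bursts

# Constructed sample (not real evidence): three ordinary key writes hours apart
# and twelve CLSID keys written three seconds apart, as scripted registration does.
_T0 = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    ("SYSTEM", r"ControlSet001\Services\Tcpip", datetime_to_filetime(_T0 - timedelta(hours=5))),
    ("NTUSER.DAT", r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
     datetime_to_filetime(_T0 - timedelta(hours=1))),
    ("NTUSER.DAT", r"Software\Microsoft\Windows\CurrentVersion\Run",
     datetime_to_filetime(_T0 + timedelta(hours=2))),
] + [("SOFTWARE", rf"Classes\CLSID\Constructed{i:02d}",
      datetime_to_filetime(_T0 + timedelta(seconds=3 * i))) for i in range(12)]
```

Running find_rapid_changes(build_timeline(SAMPLE_KEYS)) returns a single burst of twelve CLSID key writes starting at 2024-01-15T10:30:00 UTC, while the isolated writes hours away are not flagged.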

Configuration

Environment Variables

| Variable | Description | Required | Default |
|---|---|---|---|
| REGISTRY_PARSER | Path to registry parsing library | No | Built-in |
| YARA_RULES | Path to YARA rules for scanning | No | None |
| MALWARE_HASHES | Path to malware hash database | No | None |
| TIMELINE_TZ | Timezone for timeline display | No | UTC |

Options

| Option | Type | Description |
|---|---|---|
| parse_deleted | boolean | Attempt to recover deleted entries |
| decode_values | boolean | Auto-decode encoded values |
| include_slack | boolean | Analyze registry slack space |
| parallel | boolean | Enable parallel processing |
| cache_parsed | boolean | Cache parsed results |

Examples

Example 1: Malware Persistence Investigation

Scenario: Finding malware persistence mechanisms
```python
from registry_forensics import RegistryAnalyzer, PersistenceScanner

# Load registry hives
scanner = PersistenceScanner("/evidence/registry/")

# Get all persistence mechanisms
persistence = scanner.scan_all()

# Filter suspicious entries. Risk levels are ranked explicitly: comparing the
# strings lexically (risk_level >= "medium") would rank "high" below "medium".
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}  # assumed level names
suspicious = [p for p in persistence
              if RISK_ORDER.get(p.risk_level, 0) >= RISK_ORDER["medium"]]
for s in suspicious:
    print(f"SUSPICIOUS: {s.name}")
    print(f"  Location: {s.location}")
    print(f"  Command: {s.value}")
    print(f"  Risk: {s.risk_level}")
    print(f"  Reason: {s.risk_reason}")

# Check against known malware
known = scanner.check_against_known_malware("/hashsets/malware_commands.txt")

# Generate remediation script
scanner.generate_remediation_script("/evidence/cleanup.reg")
```
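An added example, not the library's code, of the kind of heuristic that can sit behind risk_level and risk_reason: each autorun entry is scored on where its image lives, whether a script host or proxy binary launches it, and whether the command line is encoded or hidden, and levels are then compared by rank rather than as strings. The entry names, locations, values, the three patterns and the scoring are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Ordered risk levels; comparing the strings lexically would rank "high" below "medium".
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

@dataclass
class PersistenceEntry:
    name: str
    location: str
    value: str
    risk_level: str = "low"
    risk_reason: str = ""

# Heuristics (assumed here, not the library's): image in a user-writable directory,
# launch through a script host or proxy-execution binary, encoded or hidden command line.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)
ENCODED_OR_HIDDEN = re.compile(r"(^|\s)-(enc\w*|e|nop\w*|w(indowstyle)?\s+hidden)\b", re.I)

def assess(entry):
    """Score one autorun entry and fill in risk_level / risk_reason."""
    reasons, score = [], 0
    if USER_WRITABLE.search(entry.value):
        reasons.append("image in a user-writable directory"); score += 1
    if SCRIPT_HOSTS.search(entry.value):
        reasons.append("launched through a script host or proxy binary"); score += 1
    if ENCODED_OR_HIDDEN.search(entry.value):
        reasons.append("encoded or hidden command line"); score += 2
    entry.risk_level = "high" if score >= 2 else "medium" if score == 1 else "low"
    entry.risk_reason = "; ".join(reasons) or "no indicator matched"
    return entry

def filter_suspicious(entries, minimum="medium"):
    """Assess every entry and keep those at or above the minimum risk rank."""
    assessed = [assess(e) for e in entries]
    return [e for e in assessed if RISK_ORDER[e.risk_level] >= RISK_ORDER[minimum]]

RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [  # constructed, not real evidence
    PersistenceEntry("SecurityHealth", RUN_HKLM, r"C:\Windows\System32\SecurityHealthSystray.exe"),
    PersistenceEntry("OneDrive", RUN_HKCU, r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    PersistenceEntry("Updater", RUN_HKCU, r"powershell.exe -nop -w hidden -enc <CONSTRUCTED_BASE64_PLACEHOLDER>"),
    PersistenceEntry("svchost", RUN_HKCU, r"C:\Users\Public\Libraries\svchost.exe"),
]
```

The OneDrive entry lands at medium only because it runs from AppData, which is normal for that product; the risk_reason field is what lets an analyst discount such hits instead of raising the threshold and losing the real ones.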

Example 2: User Activity Reconstruction

Scenario: Reconstructing a user's actions for an investigation
```python
from registry_forensics import UserActivityAnalyzer, ExecutionAnalyzer, RegistryTimeline

# Analyze user activity
activity = UserActivityAnalyzer("/evidence/NTUSER.DAT")

# Get comprehensive activity
timeline = activity.get_full_timeline()

# Add execution evidence
execution = ExecutionAnalyzer("/evidence/")
exec_timeline = execution.correlate_execution()

# Combine with registry timeline
reg_timeline = RegistryTimeline("/evidence/registry/")

# Merge all timelines
combined = reg_timeline.merge_timelines([
    activity.get_timeline(),
    execution.get_timeline()
])

# Export comprehensive report
combined.generate_report(
    "/evidence/user_investigation.html",
    include_charts=True
)
```

Limitations

  • Deleted registry entries may not be recoverable
  • Some hives may be locked on live systems
  • Timestamp precision limited to 100-nanosecond intervals
  • Transaction logs required for full recovery
  • Anti-forensics may hide registry artifacts
  • Large hives may require significant memory
  • Some encoding may not be automatically detected

Troubleshooting

Common Issue 1: Hive Parsing Failure

Problem: Unable to parse registry hive
Solution:
  • Check hive file integrity
  • Ensure the hive was extracted completely
  • Try an alternative parser

Common Issue 2: Missing Timestamps

Problem: Key timestamps not available
Solution:
  • Only keys carry last-write timestamps; values do not
  • Check for a dirty hive (unsaved changes)
  • Analyze the transaction logs

Common Issue 3: Encoded Values Not Decoded

Problem: Values appear as binary/encoded
Solution:
  • Enable the decode_values option
  • Check for ROT13, Base64, or XOR encoding
  • Manually inspect suspicious values
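An added example (not the page's code) of the decoding the decode_values option is meant to perform: UserAssist value names are ROT13-encoded, and a binary value is tried as Base64, as plain ASCII or UTF-16LE text, and as single-byte XOR, keeping the XOR key whose output reads most like text. The text_score heuristic, its 0.9 cut-off and the sample values are constructed for illustration.

```python
import base64
import codecs
import string
# Bytes common in registry strings: letters, digits, space and path punctuation.
COMMON = set(string.ascii_letters.encode() + string.digits.encode() + b" .:\\/-_")
PRINTABLE = set(string.printable.encode())

def text_score(data):
    """Fraction of bytes in COMMON, or 0.0 if any byte is unprintable.
    UTF-16LE strings (every second byte NUL) are narrowed to their ASCII first."""
    if len(data) >= 2 and len(data) % 2 == 0 and not any(data[1::2]):
        data = data[0::2]
    if not data or any(b not in PRINTABLE for b in data):
        return 0.0
    return sum(b in COMMON for b in data) / len(data)

def decode_userassist_name(name):
    """UserAssist value names (NTUSER.DAT) are stored ROT13-encoded."""
    return codecs.decode(name, "rot_13")

def try_base64(data):
    try:
        decoded = base64.b64decode(data, validate=True)
    except ValueError:                 # binascii.Error is a ValueError subclass
        return None
    return decoded if text_score(decoded) >= 0.9 else None

def try_xor(data):
    """Single-byte XOR search: keep the key whose output reads most like text."""
    best = max(range(1, 256), key=lambda k: text_score(bytes(b ^ k for b in data)))
    decoded = bytes(b ^ best for b in data)
    return (best, decoded) if text_score(decoded) >= 0.9 else None

def decode_value(data):
    """Return (scheme, decoded) trying Base64, plain text, then XOR in turn,
    or ("raw", data) when nothing readable is found."""
    if (b64 := try_base64(data)) is not None:
        return "base64", b64
    if text_score(data) >= 0.9:
        return "plain", data
    if (xor := try_xor(data)) is not None:
        return f"xor-0x{xor[0]:02x}", xor[1]
    return "raw", data

# Constructed samples, not real evidence.
SAMPLES = {
    "userassist_name": "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr",
    "base64": base64.b64encode(b"C:\\Users\\Public\\update.exe"),
    "xor": bytes(b ^ 0x5A for b in b"C:\\Users\\Public\\update.exe"),
    "utf16": "wscript.exe".encode("utf-16-le"),
}
```

Base64 is tried before the plain-text check because a Base64 string is itself printable; the XOR search is a heuristic and short values can match more than one key, so decode_value reports the key it chose for the analyst to verify.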

Related Skills

  • disk-forensics: Extract registry hives from disk
  • memory-forensics: Extract registry from memory
  • timeline-forensics: Integrate registry timeline
  • malware-forensics: Analyze malware samples
  • log-forensics: Correlate with event logs
