[reglookup] Hive analysis #bash #help #forensic #disk #hive

reglookup-install.md

ubuntu

sudo apt install reglookup

reglookup-recover.md

reglookup-recover [options] <REGISTRY_FILE>

Attempts to scour a Windows registry hive for deleted data structures and outputs those found in a CSV-like format

all

-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-l # enables leftover(raw) cell output.
-L # disables leftover(raw) cell output. (default)
-r # enables raw cell output for parsed cells.
-R # disables raw cell output for parsed cells. (default)

reglookup-timeline.md

reglookup-timeline [-H] [-V] <REGISTRY_FILE> [<REGISTRY_FILE> ...]

Builds timelines for forensic investigations, a wrapper for reglookup

tips

cd /vol6/Windows/System32/config && hives="SAM SECURITY SOFTWARE SYSTEM $(find /vol6/ -iname ntuser.dat)" && reglookup-timeline -v $hives > /share/examen/disk/hive/reglookup-tl # complete timeline
sed -n '/^2021-09-09 18:1/,$p' reglookup-tl > reglookup-tl-select # select part of timeline

all

-H # Omit header line
-V # Include values with parent timestamps

reglookup.md

reglookup [-v] [-s] [-p <PATH_FILTER>] [-t <TYPE_FILTER>] <REGISTRY_FILE>

Print windows registry elements to stdout in a CSV-like format

tips

for hive in SAM SECURITY SOFTWARE SYSTEM $(find /vol6/ -iname ntuser.dat); do echo $hive; reglookup -i $hive > /share/examen/disk/hive/reglookup_${hive//\//_}; done

usefull

-p # restrict output to elements below this path.
-H # disables header row.
-s # enables security descriptor output.

all

-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-s # enables security descriptor output.
-S # disables security descriptor output. (default)
-p # restrict output to elements below this path.
-t # restrict results to this specific data type.
-i # includes parent key modification times with child values.