Registry Analysis with Reglookup

Thursday, November 10, 2011

Andrew Case

Bdcd1324539ec513ff7c10014b9668b6

Now that Registry Decoder 1.1 is released, we wanted to highlight two libraries that are used during Registry Decoder's pre-processing phase.

The first of these is reglookup and will be the subject of this blog post. Our next post will cover pytsk.


Reglookup is developed by Timothy Morgan and is both a library as well as a set of tools. We will first discuss the tools.

Tools

reglookup [1]

The reglookup binary is used to list the contents of a registry into a comma separated format.  By default it will list all the paths, last write times, and name/value pairs contained within the registry. The –s option enables printing of security descriptor information as well.

The ­–p option is the one we use most as it allows for filtering output to only keys and name/value pairs under the given path. For example –p /AccessData/Products/ would list entries under the Products key and not the entire registry.

This can be very useful for limiting to certain sections of the registry such as USBSTOR, network shares, and more.

We have previously released a whitepaper detailing use of the reglookup tool to help with recovery and analysis of deleted registry hives here

reglookup-timeline

This tool is used to create a CSV timeline based on last write times within a hive.

reglookup-recover

This tool recovers deleted entries within registry hives, and then reports them in a CSV format similar to reglookup.  The theory used to recover deleted entries is covered in Tim’s paper that can be found here.

This capability has fairly obvious applications in forensics investigations, and investigators should consider adding reglookup-recover usage to their forensics process.

The Library

In Registry Decoder, we use the Python bindings for regfi (the C library) in order to enumerate every key, its last write time, and name/value pair in a particular hive.  You can see how this is accomplished here.

There is also documentation for the C library here and many example provided by the author for use with Python here.

In general, the library allows for completely programmatic exploration and analysis of registry hives using a very straightforward API. This includes querying keys, getting their name/value pairs, retrieving security attributes, recovering deleted records from within hives, and more.

When using the python bindings, very powerful analysis can be performed in only a few lines of code.

Obtaining Reglookup

Source code and Windows binaries for reglookup can be found on the project downloads page.  There are also packages for a number of Linux distributions, but they currently only have very old versions.

We would advise acquiring reglookup from the author's webpage until the Linux distributions catch up. 

References

[1] http://www.linuxcertif.com/man/1/reglookup/ 

Cross-posted from DFS Forensics

Possibly Related Articles:
20388
Network->General
Software
Forensics Tools Penetration Testing Network Security Registry Decoder Reglookup Registry Analysis
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.