Regipy - An OS Independent Python Library For Parsing Offline Registry Hives
Saturday, August 10, 2013
You are now reading the article Regipy - An Bone Independent Python Library For Parsing Offline Registry Hives with the link address https://mederc.blogspot.com/2013/08/regipy-bone-independent-python-library.html
Regipy is a Python library for parsing offline registry hives. Regipy has a lot of capabilities:
- Use as a library:
  - Recurse over the registry hive, from root or a given path, and get all subkeys and values
  - Read specific subkeys and values
  - Apply transaction logs on a registry hive
- Command line tools:
  - Dump an entire registry hive to JSON
  - Apply transaction logs on a registry hive
  - Compare registry hives
  - Execute plugins from a robust plugin system (i.e.: amcache, shimcache, extract computer name...)
Installation
Only Python 3.7 is supported:
```shell
pip install regipy
```
Also, it is possible to install from source by cloning the repository and executing:
```shell
python setup.py install
```
CLI
Parse the header:
```shell
registry-parse-header /Documents/TestEvidence/Registry/SYSTEM
```
Example output:
```text
signature               b'regf'
primary_sequence_num    11639
secondary_sequence_num  11638
last_modification_time  0
major_version           1
minor_version           5
file_type               0
file_format             1
root_key_offset         32
hive_bins_data_size     10534912
clustering_factor       1
file_name               SYSTEM
checksum                0
[2019-02-09 13:46:12.111654] WARNING: regipy.cli: Hive is not clean! You should apply transaction logs
```
- When parsing the header of a hive, checksum validation and transaction validation are also done
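To make the two checks behind that warning concrete, here is an added, self-contained example (not regipy's code) that parses the same base-block fields shown above from raw bytes, recomputes the header checksum, and flags a hive whose primary and secondary sequence numbers disagree. It assumes the documented REGF base-block layout (signature at offset 0, sequence numbers at 4 and 8, FILETIME at 12, file name at 48, checksum at 508); the sample block is constructed in the code, not taken from real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096            # the first 4 KiB of a hive file is the base block (header)
HEADER_LAYOUT = "<4sIIQIIIIIII"   # signature, primary seq, secondary seq, last written (FILETIME),
                                  # major, minor, file type, file format, root key offset,
                                  # hive bins data size, clustering factor
FILE_NAME_OFFSET, FILE_NAME_SIZE = 48, 64   # UTF-16LE, zero padded
CHECKSUM_OFFSET = 508


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def compute_base_block_checksum(block):
    """XOR-32 of the 127 dwords preceding the checksum field; the two reserved
    results are remapped (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE) as Windows does."""
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        checksum ^= dword
    if checksum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if checksum == 0:
        return 1
    return checksum


def parse_base_block(block):
    """Parse the fixed header fields into a dict keyed like registry-parse-header's output."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("base block is truncated")
    (signature, primary, secondary, last_written, major, minor, file_type, file_format,
     root_key_offset, hive_bins_size, clustering) = struct.unpack_from(HEADER_LAYOUT, block, 0)
    if signature != REGF_SIGNATURE:
        raise ValueError("not a registry hive, signature is %r" % signature)
    raw_name = block[FILE_NAME_OFFSET:FILE_NAME_OFFSET + FILE_NAME_SIZE]
    file_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "signature": signature,
        "primary_sequence_num": primary,
        "secondary_sequence_num": secondary,
        "last_modification_time": last_written,
        "last_modification_utc": filetime_to_datetime(last_written) if last_written else None,
        "major_version": major,
        "minor_version": minor,
        "file_type": file_type,
        "file_format": file_format,
        "root_key_offset": root_key_offset,
        "hive_bins_data_size": hive_bins_size,
        "clustering_factor": clustering,
        "file_name": file_name,
        "checksum": struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0],
    }


def validate_hive(block):
    """Return (header, warnings): the checksum and transaction-state checks on the header."""
    header = parse_base_block(block)
    warnings = []
    if compute_base_block_checksum(block) != header["checksum"]:
        warnings.append("Base block checksum mismatch: header is corrupted or tampered")
    # A hive write bumps the primary sequence number first and the secondary one last;
    # if they disagree, the last write never completed and the .LOG1/.LOG2 transaction
    # logs still hold data that has to be replayed before the hive is trustworthy.
    if header["primary_sequence_num"] != header["secondary_sequence_num"]:
        warnings.append("Hive is not clean! You should apply transaction logs")
    return header, warnings


def build_sample_base_block(primary_seq, secondary_seq, file_name="SYSTEM"):
    """Construct a synthetic base block (sample data, not a real hive); the fixed
    field values mirror the SYSTEM header printed above."""
    block = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into(HEADER_LAYOUT, block, 0, REGF_SIGNATURE, primary_seq, secondary_seq,
                     0, 1, 5, 0, 1, 32, 10534912, 1)
    encoded = file_name.encode("utf-16-le")[:FILE_NAME_SIZE]
    block[FILE_NAME_OFFSET:FILE_NAME_OFFSET + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, compute_base_block_checksum(block))
    return bytes(block)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_base_block(11638, 11638)),
                          ("dirty", build_sample_base_block(11639, 11638))):
        header, warnings = validate_hive(sample)
        print(label, header["file_name"], header["primary_sequence_num"],
              header["secondary_sequence_num"], warnings)
```

The checksum catches accidental corruption and clumsy edits to the header, but it is not a cryptographic integrity check: anyone who can rewrite the file can recompute it, so an acquisition hash of the evidence file remains the authoritative integrity control.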
Dump entire hive to disk (this might take some time):
```shell
registry-dump /Documents/TestEvidence/Registry/NTUSER-CCLEANER.DAT -o /tmp/output.json
```
The registry-dump util can also output a timeline instead of a JSON, by adding the -t flag.
Run relevant plugins on hive:
```shell
registry-run-plugins /Documents/TestEvidence/Registry/SYSTEM -o /tmp/plugins_output.json
```
The hive type will be detected automatically and the relevant plugins will be executed. See the plugins section for more information.
Compare registry hives
Compare registry hives of the same type and output to CSV (if -o is not specified, output will be printed to screen):
```shell
registry-diff NTUSER.dat NTUSER_modified.dat -o /tmp/diff.csv
```
Example output:
```text
[2019-02-11 19:49:18.824245] INFO: regipy.cli: Comparing NTUSER.DAT vs NTUSER_modified.DAT
difference    first_hive    second_hive                                                                  description
new_subkey                  2019-02-11T19:46:31.832134+00:00                                             \Software\Microsoft\legitimate_subkey
new_value                   not_a_malware: c:\temp\legitimate_binary.exe @ 2019-02-11 19:45:25.516346+0:00   \Software\Microsoft\Windows\CurrentVersion\Run
[2019-02-11 19:49:18.825328] INFO: regipy.cli: Detected 2 differences
```
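The following is an added example of the comparison logic itself, written for this page rather than taken from regipy. It assumes each hive has already been flattened into a dict of key path to last-written timestamp and values (a real run would fill that dict from a hive parser), reproduces the four-column shape of the registry-diff output above, and adds a defender's triage step: pulling out the rows that touch autostart keys. The sample hives are constructed to reproduce the two differences shown above; the extra labels deleted_subkey, deleted_value and changed_value, and the AUTOSTART_KEYS list, are this example's own choices, not regipy's.

```python
import csv
import io

# Constructed sample hives (not real evidence). The "second" hive is the "first"
# plus one new subkey and one new Run value, mirroring the two differences above.
FIRST_HIVE = {
    r"\Software\Microsoft\Windows\CurrentVersion\Run": {
        "timestamp": "2019-02-03T22:10:52+00:00",
        "values": {"Sidebar": r"%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun"},
    },
}
SECOND_HIVE = {
    r"\Software\Microsoft\Windows\CurrentVersion\Run": {
        "timestamp": "2019-02-11T19:45:25+00:00",
        "values": {
            "Sidebar": r"%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun",
            "not_a_malware": r"c:\temp\legitimate_binary.exe",
        },
    },
    r"\Software\Microsoft\legitimate_subkey": {
        "timestamp": "2019-02-11T19:46:31+00:00",
        "values": {},
    },
}

# Autostart locations to review first when a diff touches them (assumed, partial list).
AUTOSTART_KEYS = {
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
}


def _index(hive):
    # Registry key names are case-insensitive, so compare on a case-folded form
    # while keeping the original spelling for the report.
    return {path.casefold(): (path, entry) for path, entry in hive.items()}


def _diff_values(path, first_entry, second_entry):
    """Rows for values that were added, removed or changed under one key."""
    fv = {n.casefold(): (n, v) for n, v in first_entry["values"].items()}
    sv = {n.casefold(): (n, v) for n, v in second_entry["values"].items()}
    rows = []
    for folded in sorted(set(fv) | set(sv)):
        if folded not in fv:
            name, value = sv[folded]
            rows.append(("new_value", "", f"{name}: {value} @ {second_entry['timestamp']}", path))
        elif folded not in sv:
            name, value = fv[folded]
            rows.append(("deleted_value", f"{name}: {value} @ {first_entry['timestamp']}", "", path))
        elif fv[folded][1] != sv[folded][1]:
            name = sv[folded][0]
            rows.append(("changed_value", f"{name}: {fv[folded][1]}", f"{name}: {sv[folded][1]}", path))
    return rows


def diff_hives(first, second):
    """Return (difference, first_hive, second_hive, description) rows, like registry-diff."""
    a, b = _index(first), _index(second)
    rows = []
    for folded in sorted(set(a) | set(b)):
        if folded not in a:
            path, entry = b[folded]
            rows.append(("new_subkey", "", entry["timestamp"], path))
        elif folded not in b:
            path, entry = a[folded]
            rows.append(("deleted_subkey", entry["timestamp"], "", path))
        else:
            path, first_entry = a[folded]
            rows.extend(_diff_values(path, first_entry, b[folded][1]))
    return rows


def rows_to_csv(rows):
    """Serialise the rows the way the -o CSV output would."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["difference", "first_hive", "second_hive", "description"])
    writer.writerows(rows)
    return out.getvalue()


def autostart_changes(rows):
    """Rows whose key is a known autostart location: the first thing to review."""
    return [row for row in rows if row[3].casefold() in AUTOSTART_KEYS]


if __name__ == "__main__":
    rows = diff_hives(FIRST_HIVE, SECOND_HIVE)
    print(rows_to_csv(rows))
    print("Detected", len(rows), "differences;", len(autostart_changes(rows)), "touch autostart keys")
```

Comparing on case-folded names matters because two paths that differ only in case are the same registry key; a diff that compares raw strings would report a spurious delete-plus-add pair for a key that was merely re-cased.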
Recover a registry hive, using transaction logs:
```shell
registry-transaction-logs NTUSER.DAT -p ntuser.dat.log1 -s ntuser.dat.log2 -o recovered_NTUSER.dat
```
After recovering, compare the hives with registry-diff to see what changed.
Using as a library
Initiate the registry hive object:
```python
from regipy.registry import RegistryHive

reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/Vibranium-NTUSER.DAT')
```
Iterate recursively over the entire hive, from root key:
```python
for entry in reg.recurse_subkeys(as_json=True):
    print(entry)
```
Iterate over a key and get all subkeys and their modification time:
```python
from regipy.utils import convert_wintime

for sk in reg.get_key('Software').iter_subkeys():
    print(sk.name, convert_wintime(sk.header.last_modified).isoformat())
```
Example output:
```text
Adobe 2019-02-03T22:05:32.525965
AppDataLow 2019-02-03T22:05:32.526047
McAfee 2019-02-03T22:05:32.526140
Microsoft 2019-02-03T22:05:32.526282
Netscape 2019-02-03T22:05:32.526352
ODBC 2019-02-03T22:05:32.526521
Policies 2019-02-03T22:05:32.526592
```
Get the values of a key:
```python
reg.get_key(r'Software\Microsoft\Internet Explorer\BrowserEmulation').get_values(as_json=True)
```
Example output:
```text
[{'name': 'CVListTTL', 'value': 0, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'UnattendLoaded', 'value': 0, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'TLDUpdates', 'value': 0, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'CVListXMLVersionLow', 'value': 2097211, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'CVListXMLVersionHigh', 'value': None, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'CVListLastUpdateTime', 'value': None, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'IECompatVersionHigh', 'value': None, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'IECompatVersionLow', 'value': 2097211, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'StaleCompatCache', 'value': 0, 'value_type': 'REG_DWORD', 'is_corrupted': False}]
```
Use as a plugin:
```python
from regipy.plugins.ntuser.ntuser_persistence import NTUserPersistencePlugin

NTUserPersistencePlugin(reg, as_json=True).run()
```
Example output:
```text
{'Software\\Microsoft\\Windows\\CurrentVersion\\Run': {
    'timestamp': '2019-02-03T22:10:52.655462',
    'values': [{'name': 'Sidebar',
                'value': '%ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun',
                'value_type': 'REG_EXPAND_SZ',
                'is_corrupted': False}]}}
```
Run all relevant plugins for a specific hive:
```python
from regipy.registry import RegistryHive
from regipy.plugins.utils import run_relevant_plugins

reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/SYSTEM')
run_relevant_plugins(reg, as_json=True)
```
Example output:
```text
{'routes': {},
 'computer_name': [{'control_set': 'ControlSet001\\Control\\ComputerName\\ComputerName',
                    'computer_name': 'DESKTOP-5EG84UG',
                    'timestamp': '2019-02-03T22:19:28.853219'}]}
```