Regipy - An OS Independent Python Library For Parsing Offline Registry Hives
Regipy is a python library for parsing offline registry hives. regipy has a lot of capabilities:
- Use as a library:
- Recurse over the registry hive, from root or a given path, and get all subkeys and values
- Read specific subkeys and values
- Apply transaction logs on a registry hive
- Command Line Tools
- Dump an entire registry hive to json
- Apply transaction logs on a registry hive
- Compare registry hives
- Execute plugins from a robust plugin framework (i.e: amcache, shimcache, extract computer name...)
Installation
Only python 3.7 is supported:
pip install regipy
python setup.py install
CLI
Parse the header:
registry-parse-header /Documents/TestEvidence/Registry/SYSTEM
╒════════════════════════╤══════════╕
│ signature              │ b'regf'  │
├────────────────────────┼──────────┤
│ primary_sequence_num   │ 11639    │
├────────────────────────┼──────────┤
│ secondary_sequence_num │ 11638    │
├────────────────────────┼──────────┤
│ last_modification_time │ 0        │
├────────────────────────┼──────────┤
│ major_version          │ 1        │
├────────────────────────┼──────────┤
│ minor_version          │ 5        │
├────────────────────────┼──────────┤
│ file_type              │ 0        │
├────────────────────────┼──────────┤
│ file_format            │ 1        │
├────────────────────────┼──────────┤
│ root_key_offset        │ 32       │
├────────────────────────┼──────────┤
│ hive_bins_data_size    │ 10534912 │
├────────────────────────┼──────────┤
│ clustering_factor      │ 1        │
├────────────────────────┼──────────┤
│ file_name              │ SYSTEM   │
├────────────────────────┼──────────┤
│ checksum               │ 0        │
╘════════════════════════╧══════════╛
[2019-02-09 13:46:12.111654] WARNING: regipy.cli: Hive is not clean! You should apply transaction logs
- When parsing the header of a hive, checksum validation and transaction validations are also done
Dump entire hive to disk (this might take some time):
registry-dump /Documents/TestEvidence/Registry/NTUSER-CCLEANER.DAT -o /tmp/output.json
(the command also accepts a -t flag)
Run relevant plugins on Hive
registry-run-plugins /Documents/TestEvidence/Registry/SYSTEM -o /tmp/plugins_output.json
Compare registry hives
Compare registry hives of the same type and output to CSV (if -o is not specified, output will be printed to screen):
registry-diff NTUSER.dat NTUSER_modified.dat -o /tmp/diff.csv
[2019-02-11 19:49:18.824245] INFO: regipy.cli: Comparing NTUSER.DAT vs NTUSER_modified.DAT
╒══════════════╤══════════════╤═════════════════════════════════════════════════════════════════════════════════╤════════════════════════════════════════════════╕
│ difference   │ first_hive   │ second_hive                                                                     │ description                                    │
╞══════════════╪══════════════╪═════════════════════════════════════════════════════════════════════════════════╪════════════════════════════════════════════════╡
│ new_subkey   │              │ 2019-02-11T19:46:31.832134+00:00                                                │ \Software\Microsoft\legitimate_subkey          │
├──────────────┼──────────────┼─────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────┤
│ new_value    │              │ not_a_malware: c:\temp\legitimate_binary.exe @ 2019-02-11 19:45:25.516346+00:00 │ \Software\Microsoft\Windows\CurrentVersion\Run │
╘══════════════╧══════════════╧═════════════════════════════════════════════════════════════════════════════════╧════════════════════════════════════════════════╛
[2019-02-11 19:49:18.825328] INFO: regipy.cli: Detected 2 differences
Recover a registry hive, using transaction logs:
registry-transaction-logs NTUSER.DAT -p ntuser.dat.log1 -s ntuser.dat.log2 -o recovered_NTUSER.dat
Using as a library
Initiate the registry hive object
from regipy.registry import RegistryHive
reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/Vibranium-NTUSER.DAT')
Iterate recursively over the entire hive, from root key
for entry in reg.recurse_subkeys(as_json=True):
    print(entry)
Iterate over a key and get all subkeys and their modification time:
from regipy.utils import convert_wintime
for sk in reg.get_key('Software').iter_subkeys():
    print(sk.name, convert_wintime(sk.header.last_modified).isoformat())
Adobe 2019-02-03T22:05:32.525965
AppDataLow 2019-02-03T22:05:32.526047
McAfee 2019-02-03T22:05:32.526140
Microsoft 2019-02-03T22:05:32.526282
Netscape 2019-02-03T22:05:32.526352
ODBC 2019-02-03T22:05:32.526521
Policies 2019-02-03T22:05:32.526592
Get the values of a key:
reg.get_key(r'Software\Microsoft\Internet Explorer\BrowserEmulation').get_values(as_json=True)
[{'name': 'CVListTTL', 'value': 0, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'UnattendLoaded', 'value': 0, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'TLDUpdates', 'value': 0, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'CVListXMLVersionLow', 'value': 2097211, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'CVListXMLVersionHigh', 'value': None, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'CVListLastUpdateTime', 'value': None, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'IECompatVersionHigh', 'value': None, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'IECompatVersionLow', 'value': 2097211, 'value_type': 'REG_DWORD', 'is_corrupted': False},
 {'name': 'StaleCompatCache', 'value': 0, 'value_type': 'REG_DWORD', 'is_corrupted': False}]
Use as a plugin:
from regipy.plugins.ntuser.ntuser_persistence import NTUserPersistencePlugin
NTUserPersistencePlugin(reg, as_json=True).run()
{
    'Software\\Microsoft\\Windows\\CurrentVersion\\Run': {
        'timestamp': '2019-02-03T22:10:52.655462',
        'values': [{
            'name': 'Sidebar',
            'value': '%ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun',
            'value_type': 'REG_EXPAND_SZ',
            'is_corrupted': False
        }]
    }
}
Run all relevant plugins for a specific hive
from regipy.registry import RegistryHive
from regipy.plugins.utils import run_relevant_plugins
reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/SYSTEM')
run_relevant_plugins(reg, as_json=True)
{
    'routes': {},
    'computer_name': [{
        'control_set': 'ControlSet001\\Control\\ComputerName\\ComputerName',
        'computer_name': 'DESKTOP-5EG84UG',
        'timestamp': '2019-02-03T22:19:28.853219'
    }]
}
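The library calls above (get_key, iter_subkeys, get_values(as_json=True) and the FILETIME conversion) combine naturally into a small persistence triage script. The following is an added example, not regipy's own code: the pure helpers run without regipy on a constructed sample in the get_values(as_json=True) shape shown above, while triage_hive assumes regipy is installed and that its missing-key error is named regipy.exceptions.RegistryKeyNotFoundException.

```python
"""Triage Run-key persistence in an offline NTUSER hive (added example, not regipy's own code)."""
import re
from datetime import datetime, timedelta, timezone

# Autorun keys this example inspects, relative to the NTUSER hive root.
RUN_KEYS = [r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce"]
# Launch locations a normal user can write to; an autorun pointing there deserves a closer look.
SUSPICIOUS_PATH = re.compile(r"\\temp\\|%temp%|\\appdata\\|\\users\\public\\", re.IGNORECASE)
# Constructed sample in get_values(as_json=True) shape: the README's Sidebar entry plus two made-up ones.
SAMPLE_VALUES = [
    {"name": "Sidebar", "value": r"%ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun",
     "value_type": "REG_EXPAND_SZ", "is_corrupted": False},
    {"name": "updater", "value": r"c:\temp\updater.exe", "value_type": "REG_SZ", "is_corrupted": False},
    {"name": "broken", "value": None, "value_type": "REG_BINARY", "is_corrupted": True},
]

def filetime_to_datetime(wintime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, like convert_wintime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=wintime // 10)

def triage_values(key_path, key_modified, values):
    """Flag each value of one autorun key; returns dicts with key, modified, name, command, flags."""
    findings = []
    for v in values:
        flags = []
        if v.get("is_corrupted"):
            flags.append("corrupted")                 # regipy could not decode the value cell
        if v.get("value_type") not in ("REG_SZ", "REG_EXPAND_SZ"):
            flags.append("non-string")                # Run values are expected to be command strings
        command = v["value"] if isinstance(v.get("value"), str) else ""
        if SUSPICIOUS_PATH.search(command):
            flags.append("user-writable-path")
        findings.append({"key": key_path, "modified": key_modified,
                         "name": v.get("name"), "command": command, "flags": flags})
    return findings

def triage_hive(hive_path):
    """Open an offline hive with regipy and triage every RUN_KEYS entry present in it."""
    from regipy.registry import RegistryHive          # imported here so the pure helpers work without regipy
    from regipy.exceptions import RegistryKeyNotFoundException  # assumed name of regipy's missing-key error
    reg, findings = RegistryHive(hive_path), []
    for key_path in RUN_KEYS:
        try:
            key = reg.get_key(key_path)
        except RegistryKeyNotFoundException:
            continue                                  # RunOnce is frequently absent
        modified = filetime_to_datetime(key.header.last_modified).isoformat()
        findings.extend(triage_values(key_path, modified, key.get_values(as_json=True)))
    return findings
```

Calling triage_values(RUN_KEYS[0], '2019-02-03T22:10:52.655462', SAMPLE_VALUES) leaves the Sidebar entry unflagged, flags the second as user-writable-path and the third as corrupted and non-string; triage_hive(path) does the same against a real NTUSER.DAT.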