Announcing Registry Decoder

(@attrc)
Topic starter  

Hello All,

I am writing to announce Registry Decoder, an open source forensics
tool that automates the acquisition, analysis, and reporting of
registry contents.

For complete information about the project please see the following post:

http://dfsforensics.blogspot.com/2011/09/announcnig-registry-decoder.html

Please reply with any comments or questions, and I hope that you take
some time to try the tool out.


   
(@96hz)
 

Thanks for this, looks interesting.

Can you sum up what this tool offers over Reg Ripper, Registry Viewer, MiTec Registry Recovery and FTK Imager?


   
(@sonj)
 

Hi - I've done some limited testing of RD on a W7 64-bit box and here are my initial thoughts:

- case creation needs to offer to create the case directory if it doesn't exist
- get Visual C++ error R6034 on start, then the interface opens (no idea of the effect of the error, or what I'm missing, as the docs don't mention dependencies)
- can't add hives to a case after initial processing, which limits its usability during analysis
- PDF report not useful as it creates a portrait report but table contents run off the page to the right & cannot be viewed/printed
- would prefer a text CSV option instead of legacy XLS; XLS layout not very useful.
- tab labels generated by running a plugin don't identify the source hive/path, so it's easy to get lost when hunting for tabs or comparing plugin results, e.g. for >2 system hives (given Diff only works on 2 hives at a time)

I understand the interface is probably just a rough vehicle to demonstrate the tool's mechanics, but if you can sort out the usability & reporting issues it has potential for being quite useful for rapid, targeted 'quicklooks'

Suggestions:
- reporting cleanly to CSV or TSV files is the preferred option. I've yet to see a canned report layout in HTML (or PDF) that doesn't require clunky, painful workarounds to ingest the data into other formats/databases/reports. If you can do this, it would be a huge plus.
- As you mention on your blog, plugins are a work in progress. Will there be one to parse & report timezone offsets from the SYSTEM hive @ \CurrentControlSet00x\Control\TimeZoneInformation in the pipeline? This is one of the first things I do at the start of a case. If this was incorporated I would use RD just for that :) While AD Registry Viewer reports TZ offsets correctly, I don't have access to that software in my current role, and Regripper incorrectly treats the offsets as unsigned integers, giving meaningless results for eastern hemisphere TZs and DST biases, which are negative numbers.

For 96hz, the Diff option has potential to be quite good for quick and dirty, on-the-fly comparison between 2 hives.

Personally I think there is always room for more registry tools, and efforts to develop and publish them are welcome. If a new tool hit the holy grail of usability, availability/accuracy of data interpretation and flexibility in reporting, I would be ecstatic, but back in the real world there is no harm in expanding the toolkit.


   
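The signed-versus-unsigned point raised above is the whole difficulty with TimeZoneInformation: Bias, StandardBias, DaylightBias and ActiveTimeBias are REG_DWORD values that Windows defines as signed LONG minutes, with UTC = local time + Bias, so any zone east of Greenwich is stored as a negative number (and DST bias is negative everywhere). The following is an added example, not Registry Decoder's, RegRipper's or any other tool's code, showing the decoding a plugin has to do. The raw value bytes are constructed inline to look like what a hive parser returns; the control set number in the path comes from the SYSTEM hive's Select\Current value.

```python
import struct

# Constructed sample bytes standing in for what a hive parser returns for the
# REG_DWORD / REG_SZ values under ControlSet00N\Control\TimeZoneInformation.
# Illustrative data only, not extracted from a real SYSTEM hive.
SAMPLE_HIVES = {
    "sydney": {                                  # UTC+10, DST UTC+11, DST in effect
        "Bias": b"\xa8\xfd\xff\xff",             # -600  (0xFFFFFDA8)
        "StandardBias": b"\x00\x00\x00\x00",     # 0
        "DaylightBias": b"\xc4\xff\xff\xff",     # -60   (0xFFFFFFC4)
        "ActiveTimeBias": b"\x6c\xfd\xff\xff",   # -660  (0xFFFFFD6C)
        "StandardName": "AUS Eastern Standard Time\x00".encode("utf-16-le"),
    },
    "newyork": {                                 # UTC-5, DST UTC-4, standard time in effect
        "Bias": b"\x2c\x01\x00\x00",             # 300
        "StandardBias": b"\x00\x00\x00\x00",     # 0
        "DaylightBias": b"\xc4\xff\xff\xff",     # -60
        "ActiveTimeBias": b"\x2c\x01\x00\x00",   # 300
        "StandardName": "Eastern Standard Time\x00".encode("utf-16-le"),
    },
}


def dword_unsigned(raw: bytes) -> int:
    """REG_DWORD read as an unsigned 32-bit little-endian value.
    Correct for Select\\Current, wrong for the bias values."""
    return struct.unpack("<I", raw[:4])[0]


def dword_signed(raw: bytes) -> int:
    """Bias, StandardBias, DaylightBias and ActiveTimeBias are signed LONGs."""
    return struct.unpack("<i", raw[:4])[0]


def reg_sz(raw: bytes) -> str:
    """REG_SZ is UTF-16LE, NUL-terminated; keep only the first string."""
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def utc_offset(bias_minutes: int) -> str:
    """Windows stores UTC = local + bias, so the familiar offset is -bias."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hours, mins = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{mins:02d}"


def decode_tzi(values: dict) -> dict:
    """Report the standard, daylight and currently active UTC offsets."""
    bias = dword_signed(values["Bias"])
    return {
        "name": reg_sz(values["StandardName"]),
        "standard": utc_offset(bias + dword_signed(values["StandardBias"])),
        "daylight": utc_offset(bias + dword_signed(values["DaylightBias"])),
        "active": utc_offset(dword_signed(values["ActiveTimeBias"])),
    }


def tzi_key_path(select_current: bytes) -> str:
    """SYSTEM\\Select\\Current names the live control set (001, 002, ...)."""
    n = dword_unsigned(select_current)
    return f"ControlSet{n:03d}\\Control\\TimeZoneInformation"


if __name__ == "__main__":
    print("key:", tzi_key_path(b"\x01\x00\x00\x00"))
    for host, values in SAMPLE_HIVES.items():
        print(host, "unsigned Bias =", dword_unsigned(values["Bias"]),
              "signed Bias =", dword_signed(values["Bias"]))
        print(host, decode_tzi(values))
```

Run stand-alone it prints the Sydney Bias both ways (4294966696 unsigned versus -600 signed) and the decoded offsets; the unsigned reading is the nonsense value the post above describes. The same signed rule applies to DaylightBias in the western hemisphere, which is why an unsigned reader gets US DST wrong too.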
(@attrc)
Topic starter  

> Thanks for this, looks interesting.
>
> Can you sum up what this tool offers over Reg Ripper, Registry Viewer, MiTec Registry Recovery and FTK Imager?

Yes.

Our plugin system is very similar to RegRipper and currently duplicates much of the same gathering ability. The big difference is that ours is controllable through a GUI that allows for quickly running any number of plugins against any number of files. The tabs generated with plugin output can then be sorted by any column (including last write time of the key), and the generated tables can also be immediately exported to HTML/PDF/XLS.

Registry Viewer - we provide a hive viewer that is more flexible than Reg Viewer in that you can copy/paste anywhere from it, and you can also provide a path within the tree and be brought directly to it.

MRR - we have a browser like they do and more plugins.

We also have features these other tools don't:

1) You can search across any number of files added to the case and filter by any of the following:

- last write time of key
- key/name/data
- wildcard or not

You can also provide a file with keywords and the tool searches them all at once. All search results are put into generated tabs like plugins and can be quickly sorted/exported/etc.

2) We also have a differencing engine that allows you to compare data in multiple hives against each other. This is very useful when comparing hives over time or from different machines.

-----

Also, the online acquisition component of the tool can safely acquire all hives from a running machine. It can also pull historical files from System Restore Points or the Volume Shadow Service assuming they are in use on the machine being acquired from.

Hopefully this gives a good overview, please reply with any more questions.


   
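The two features the reply above singles out, the cross-hive search with last-write-time and wildcard filters, and the differencing engine, are simple to state and worth seeing as code. The following is an added example written for this page, not Registry Decoder's own implementation or data model: it works on a constructed in-memory stand-in for a parsed hive (one record per key path with its last write time and values) rather than on real hive files, and both the hive contents and the "before"/"after" snapshots are made up for illustration.

```python
import fnmatch
from datetime import datetime, timezone


def _t(iso: str) -> datetime:
    """Constructed last-write timestamps, stored as UTC like hive FILETIMEs."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed stand-in for a parsed SOFTWARE hive: path -> last write time + values.
# Not real hive data. "after" is the same machine imaged later.
HIVE_BEFORE = {
    "Microsoft\\Windows\\CurrentVersion\\Run": {
        "last_write": _t("2011-09-01T08:00:00"),
        "values": {"Updater": "C:\\Program Files\\Vendor\\updater.exe"},
    },
    "Microsoft\\Windows NT\\CurrentVersion": {
        "last_write": _t("2011-08-15T12:00:00"),
        "values": {"ProductName": "Windows 7 Professional"},
    },
}
HIVE_AFTER = {
    "Microsoft\\Windows\\CurrentVersion\\Run": {
        "last_write": _t("2011-09-20T23:41:10"),
        "values": {
            "Updater": "C:\\Program Files\\Vendor\\updater.exe",
            "svchost": "C:\\Users\\Public\\svchost.exe",   # new persistence entry
        },
    },
    "Microsoft\\Windows NT\\CurrentVersion": {
        "last_write": _t("2011-08-15T12:00:00"),
        "values": {"ProductName": "Windows 7 Professional"},
    },
    "Microsoft\\Windows\\CurrentVersion\\RunOnce": {
        "last_write": _t("2011-09-20T23:41:12"),
        "values": {},
    },
}


def diff_hives(old: dict, new: dict) -> dict:
    """Differencing engine: keys added/removed, and for keys present in both,
    any value whose data changed plus any change in the key's last write time."""
    report = {"added_keys": [], "removed_keys": [], "changed": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added_keys"].append(path)
            continue
        if path not in new:
            report["removed_keys"].append(path)
            continue
        o, n = old[path], new[path]
        values = {}
        for name in sorted(set(o["values"]) | set(n["values"])):
            before, after = o["values"].get(name), n["values"].get(name)
            if before != after:
                values[name] = (before, after)   # None on one side = added/removed
        if values or o["last_write"] != n["last_write"]:
            report["changed"].append({
                "path": path,
                "last_write": (o["last_write"], n["last_write"]),
                "values": values,
            })
    return report


def search(hives: dict, pattern: str = None, keywords=(), since: datetime = None) -> list:
    """Search every hive in the case. A hit is a key path or a 'name=data' pair that
    matches the wildcard pattern or contains any keyword (case-insensitive),
    optionally restricted to keys last written at or after `since`."""
    keywords = [k.lower() for k in keywords]
    hits = []
    for hive_name, hive in hives.items():
        for path, key in hive.items():
            if since is not None and key["last_write"] < since:
                continue
            fields = [path] + [f"{n}={d}" for n, d in key["values"].items()]
            for field in fields:
                low = field.lower()
                if (pattern and fnmatch.fnmatchcase(low, pattern.lower())) or \
                        any(k in low for k in keywords):
                    hits.append((hive_name, path, key["last_write"], field))
    return hits


if __name__ == "__main__":
    for line in diff_hives(HIVE_BEFORE, HIVE_AFTER)["changed"]:
        print(line)
    case = {"before": HIVE_BEFORE, "after": HIVE_AFTER}
    for hit in search(case, pattern="*\\users\\public\\*"):
        print(hit)
    for hit in search(case, keywords=["svchost"], since=_t("2011-09-10T00:00:00")):
        print(hit)
```

The diff output is what makes the "over time" comparison useful in practice: the Run key's changed last-write time points at the 2011-09-20 23:41 window even before the added value is read, and the RunOnce key created two seconds later corroborates it. The `since` filter on the search is the same trick from the other direction.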
(@attrc)
Topic starter  

@Sonj I will reply to your post tomorrow, exhausted now. Thanks for the testing! Will definitely be addressing some of your suggestions.

And the R6034 error is a limitation of PyInstaller (the package we used to bundle all the Python scripts and interpreter into a single EXE).


   