Computer-Forensics mailing list

Search Registry files offline

Subject: Search Registry files offline
Date: Mon, 12 Sep 2005 04:02:05 -0700 (PDT)
All,

I've released a Perl script that performs parsing of raw Registry files. The script doesn't use any MS API calls... it opens the file in binary mode, and parses through the Registry a byte (well, actually... two to four bytes, depending on where you are in the code) at a time.

The code has been updated since I first released it, as I felt that I needed to clean up the code, make it more modular, document it a little better, and add small tweaks like automagically translating the UserAssist key value names (i.e., the ones that are ROT-13 "encrypted").

The code is available here:
http://www.windows-ir.com/regparse.zip

The archive also contains a JPG image of a PPT slide that I put together. I felt that once I had the basic code working, it would be easier for me to understand what I'd learned about the Registry structure if I had a picture. There's no explanation associated with the image, but I can provide one if there's enough interest.

The code provides the basis for other scripts, one of which I'm close to completing. Rather than parsing completely through the entire raw, binary Registry file, the investigator may be interested in only certain values or keys... so I'm putting together a script that will allow her to do just that.

The script was written in Perl on Windows, and has had admittedly limited testing, though with great success. It does a great job at parsing the NTUSER.DAT, system32\config\SYSTEM, and system32\config\SOFTWARE files (though SOFTWARE will take a few minutes due to the number of CLASSES subkeys).

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
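Added example, not part of the post and not Harlan Carvey's regparse script: a minimal offline walker over a raw hive file in the style the post describes (binary mode, no Windows API, a few bytes at a time), written in Python rather than Perl so it can be checked stand-alone. It assumes the documented hive layout (a 4 KiB base block with the "regf" signature and the root-cell offset at byte 36; "hbin" bins starting at file offset 0x1000; nk/vk cells and li/lf/lh subkey lists whose stored offsets are relative to the first bin) and, since no real NTUSER.DAT accompanies the post, constructs its own two-key hive with two ROT-13 UserAssist value names to run against. The function and key names, and the sample data, are this example's own.

```python
"""Offline regf hive walker, added as an example: reads the file in binary mode,
follows nk -> subkey list -> nk and nk -> value list -> vk cells with no Windows
API, and ROT-13-decodes UserAssist value names. The sample hive is constructed."""
import codecs
import struct

HBIN_BASE = 0x1000  # offsets stored inside cells are relative to the first hbin

def check_header(data):
    """Validate the 4 KiB base block and return what a parser needs from it."""
    if data[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    root_off, bins_size = struct.unpack_from("<II", data, 36)
    # seq1 != seq2: the hive was not cleanly flushed, so its .LOG would be needed too
    return {"dirty": seq1 != seq2, "root": root_off, "bins_size": bins_size}

def cell(data, off):
    """Payload of the cell at hive-bins-relative `off`; a negative size means in use."""
    start = HBIN_BASE + off
    size = struct.unpack_from("<i", data, start)[0]
    if size >= 0:
        raise ValueError(f"cell 0x{off:x} is unallocated")
    return data[start + 4:start - size]

def subkey_offsets(data, list_off):
    """nk offsets from an li (4-byte entries) or lf/lh (offset + hint/hash) list."""
    body = cell(data, list_off)
    sig, count = body[:2], struct.unpack_from("<H", body, 2)[0]
    stride = {b"li": 4, b"lf": 8, b"lh": 8}[sig]  # ri (list of lists) not handled here
    return [struct.unpack_from("<I", body, 4 + stride * i)[0] for i in range(count)]

def values(data, nk):
    nvalues, vlist_off = struct.unpack_from("<II", nk, 36)
    vlist = cell(data, vlist_off) if nvalues else b""
    out = []
    for i in range(nvalues):
        vk = cell(data, struct.unpack_from("<I", vlist, 4 * i)[0])
        name_len, dsize, doff, dtype, flags = struct.unpack_from("<HIIIH", vk, 2)
        name = vk[20:20 + name_len].decode("latin-1" if flags & 1 else "utf-16-le")
        # high bit of the size set: data of <= 4 bytes lives in the offset field itself
        payload = (vk[8:8 + (dsize & 0x7FFFFFFF)] if dsize & 0x80000000
                   else cell(data, doff)[:dsize])
        out.append((name, dtype, payload))
    return out

def walk(data, nk_off, path=""):
    """Depth-first list of (key path, [(value name, type, data), ...])."""
    nk = cell(data, nk_off)
    if nk[:2] != b"nk":
        raise ValueError(f"expected nk cell at 0x{nk_off:x}")
    flags = struct.unpack_from("<H", nk, 2)[0]
    nsub, _, sublist_off = struct.unpack_from("<III", nk, 20)
    name_len = struct.unpack_from("<H", nk, 72)[0]
    name = nk[76:76 + name_len].decode("latin-1" if flags & 0x20 else "utf-16-le")
    path = f"{path}\\{name}" if path else name
    vals = values(data, nk)
    if "UserAssist" in path:  # Explorer\UserAssist\{GUID}\Count value names are ROT-13
        vals = [(codecs.decode(n, "rot_13"), t, d) for n, t, d in vals]
    subs = subkey_offsets(data, sublist_off) if nsub else []
    return [(path, vals)] + [kv for off in subs for kv in walk(data, off, path)]

# The helpers below build a constructed sample hive (not a real NTUSER.DAT).
def _cell(payload):
    size = 4 + len(payload)
    size += -size % 8  # cells are 8-byte aligned
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def _nk(name, parent, nsub, sublist, nvals, vlist):  # flag 0x20: ASCII (compressed) name
    return (b"nk" + struct.pack("<H", 0x20) + bytes(12) + struct.pack(
        "<IIIIIIIII", parent, nsub, 0, sublist, 0xFFFFFFFF, nvals, vlist, 0xFFFFFFFF,
        0xFFFFFFFF) + bytes(20) + struct.pack("<HH", len(name), 0) + name)

def _vk(name, dtype, dsize, doff):
    return b"vk" + struct.pack("<HIIIHH", len(name), dsize, doff, dtype, 1, 0) + name

def build_sample_hive():
    def cells(g):
        return [("root", _nk(b"NTUSER", 0xFFFFFFFF, 1, g("li"), 0, 0xFFFFFFFF)),
                ("li", b"li" + struct.pack("<HI", 1, g("child"))),
                ("child", _nk(b"UserAssist", g("root"), 0, 0xFFFFFFFF, 2, g("vlist"))),
                ("vlist", struct.pack("<II", g("vk1"), g("vk2"))),
                ("vk1", _vk(b"HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr", 3, 16, g("data"))),
                ("vk2", _vk(b"HRZR_EHACVQY", 4, 0x80000004, 7)),  # REG_DWORD 7, inline
                ("data", bytes(16))]
    offs = {}
    for _ in range(2):  # pass 1 learns the cell layout, pass 2 fills in the real offsets
        pos, new, blob = 0x20, {}, b""
        for key, payload in cells(lambda k: offs.get(k, 0)):
            c = _cell(payload)
            new[key], pos, blob = pos, pos + len(c), blob + c
        offs = new
    free = 0x1000 - 0x20 - len(blob)  # the rest of the bin is one free (positive-size) cell
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000) + bytes(20) + blob
            + struct.pack("<i", free) + bytes(free - 4))
    base = bytearray(0x1000)
    base[:4] = b"regf"  # then seq1, seq2, timestamp, version, type, format, root, size, cluster
    struct.pack_into("<IIQIIIIIII", base, 4, 1, 1, 0, 1, 5, 0, 1, offs["root"], 0x1000, 1)
    return bytes(base) + hbin
```

Running `walk(hive, check_header(hive)["root"])` on the constructed hive yields `NTUSER` with no values and `NTUSER\UserAssist` whose names decode to `UEME_RUNPATH:C:\Windows\notepad.exe` (REG_BINARY) and `UEME_RUNPIDL` (REG_DWORD 7, stored inline in the vk offset field). Two caveats for a real image: a hive whose two base-block sequence numbers differ was not cleanly flushed, so the on-disk file alone may be stale; and because every offset here comes straight from the file, a corrupt or deliberately malformed hive will make `struct.unpack_from` raise on out-of-range reads, which is preferable to silently walking garbage but means a production parser wants explicit bounds checks per cell.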

