User Agreement
TZWorks LLC software and related documentation ("Software")
is governed by separate licenses issued from TZWorks LLC.
The User Agreement, Disclaimer, and/or Software may change from time to time.
By continuing to use the Software after those changes become
effective, you agree to be bound by all such changes. Permission to use the Software is granted
provided that (1) use of such Software is in accordance with the license issued to you and
(2) the Software is not resold, transferred or distributed to any other person or entity.
Refer to the specific EULA issued to you for the terms and conditions.
There are 3 types of licenses available:
(i) for educational purposes,
(ii) for demonstration and testing purposes and
(iii) business and/or commercial purposes.
Contact TZWorks LLC
(info@tzworks.com) for more information regarding
licensing and/or to obtain a license. To redistribute the Software, prior approval in writing
is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual
property or technology, but only a limited right to use the Software in accordance with the
license issued to you. TZWorks LLC retains all rights to ownership of this Software.
Export Regulation
The Software is subject to U.S. export control laws, including the U.S. Export Administration
Act and its associated regulations. The Export Control Classification Number (ECCN) for the
Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export,
re-export or release the Software to, or make the Software accessible from, any jurisdiction
or country to which export, re-export or release is prohibited by law, rule or regulation. The
user shall comply with all applicable U.S. federal laws, regulations and rules, and complete
all required undertakings (including obtaining any necessary export license or other governmental
approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available
outside the U.S.
Disclaimer
The user agrees that this Software made available by TZWorks LLC is experimental in nature
and use of the Software is at user's sole risk. The Software could include technical inaccuracies
or errors. Changes are periodically added to the information herein, and TZWorks LLC may make
improvements and/or changes to Software and related documentation at any time. TZWorks LLC
makes no representations about the accuracy or usability of the Software for any purpose.
ALL SOFTWARE IS PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY
OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS
FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC
BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE,
INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM
OR DURING THE USE OF THE SOFTWARE.
Removal
The Software is the original work of TZWorks LLC. However, to be in compliance with
the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any
material for infringement of copyright. Contact TZWorks LLC at email address:
info@tzworks.com, regarding any DMCA concerns.
yaru is a minimal registry viewer compared to the many others that are
freely available on the Internet. yaru was designed to parse (on a
best-effort basis) the Windows registry hives and display the results in
a tree-view GUI. Inspired by the desire to look into the Windows registry
metadata so as to better forensically analyze the registry hives, yaru was
designed with a portable and extensible architecture in mind so that it
could be compiled to run on various operating systems.
The registry parsing engine is written in standard C/C++ and has no
dependencies on the Windows registry API functions. This means that the
parsing may have trouble on certain untested boundary conditions.
The GUI portion of yaru builds on the FOX (Free Objects for X) library,
which was designed to be cross-platform. The FOX library is freely available
and is distributed in source form under the GNU Lesser General Public License (LGPL).
Currently, there are compiled versions of yaru that will run on Windows,
Linux and Mac OS X.
The Windows version of yaru has the ability to take a snapshot of the currently
running hive(s) and examine them. Since the Windows OS locks the active
hives against reads by other processes, yaru can resort to raw NTFS disk
reads to read any of the desired hives. Consequently, this requires the user
to run this tool with Administrative privileges. While this approach adds
complexity to yaru, it ensures that the active hive is neither corrupted nor
changed during analysis.
Some other rudimentary functionality includes:
- Show allocated (but unused) key value data space [referred to here
  as cell slack space].
- Show unallocated hive space [referred to here as hive slack space].
- Ability to traverse the hive slack space and enumerate deleted keys
  [experimental]. Also available is the ability to enumerate all
  allocated chunks that are unlinked from the registry structures
  (e.g. this would reveal hidden chunks of memory).
- Report generation capability. For common registry forensics
  artifacts, a number of options are available to generate reports
  from the live hives, copies of hives or hives from unmounted
  partition files. The latter requires a bit-for-bit (uncompressed)
  copy of the partition image.
- Optional logging capability that records the user selections
  along with data values into a separate XML file for later review. A
  separate XML file is created for each session.
- Ability to export any key in the hive under evaluation to a
  registration (.reg) file to be used for analysis. The format tries
  to mimic version 5.00 of the Windows registry editor, with some
  additional metadata in commented form.
- Ability to process any hive using user-defined templates. These
  templates allow one to customize what data is to be extracted.
  While these templates have a very primitive set of commands, they
  can be useful for repetitive tasks.
- Simple search capability: (a) key names, (b) value names, (c) date ranges
  and (d) strings (greater than 4 chars).
- Version 1.06 and above can verify that all allocated chunks have valid
  links to the registry. This was discussed in Timothy Morgan's paper
  [ref 8] as an anti-forensics technique.
Experimental option
For VMWare virtual hard drives, there is an option to parse drives carrying the
'KDMV' signature. This is limited and assumes one has selected the
monolithic type drive (i.e. the drive is not broken into separate files).
One can, however, include snapshots when selecting virtual hard
drives. To do this, the dialog box will allow one to select
multiple (monolithic type) VMDK files and internally reconstruct them.
The restriction when selecting multiple VMDK files is that one of them
needs to be the root VMDK file, while the others can be delta versions.
Functionality not included in this version
- write capability
To use this tool, an authentication file is required to be in the same
directory as the binary in order for the tool to run.
The User Hives are located here:
- %userprofile%\ntuser.dat
- (xp) %userprofile%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- (vista/win7) %userprofile%\AppData\Local\Microsoft\Windows\UsrClass.dat
The other hives (system, software, sam, security, components) are located here:
- %systemroot%\system32\config\<system, software, sam, security, etc>
On XP, hives that are part of the restore points are located at:
- System Volume Information\_restore{<GUID>}\RPx\snapshot\<various hives>
On Vista and later operating systems, the BCD - Boot Configuration Data hive is at:
Under certain conditions, yaru should be able to read the registry hives
directly from a logical image that was saved as a file (without mounting
the image as a file system). I hesitated to make this option available,
since there are a number of boundary conditions that need to be considered.
These include:
- yaru assumes the NTFS unmounted partition is a single file and is a
  binary match of the original logical partition. Given these assumptions,
  yaru has a chance of reading directly from the unmounted partition and
  pulling out the desired registry hive.
- From the command line, one can invoke this via the following switch:
  -ntfsimage <unmounted partition> <path\file of the hive>
- From the cmd template file, using !cmd, the following options are used:
  -image <unmounted ntfs partition as a single file>
  -hive <path/file of the hive to be analyzed>
Since, in this case, the file system holding the hive is not mounted, the
hive file is specified without a drive letter.
Below is an example of the expected syntax when specifying the system
hive in its native location:
-hive \Windows\system32\config\system
! NOTE ! When running in Windows, yaru can't output to the console, but
one can redirect the standard output (stdout) to a file. Use this
approach when using cmds that don't invoke the GUI.
Commands to use with GUI [opens the GUI with the hive specified]
-hivefile <filename>
-ntfsimage <unmounted partition> <path\file of the hive>
Cmds that do not invoke the GUI
-cmdfile <filename> = run yaru from a cmdfile with a list of !cmds
-cmd <options> = run a command using the yaru registry engine.
Registry files exported from Windows are written in Unicode format.
Consequently, when trying to view them in Linux, one needs to select a
Unicode character encoding (e.g. UTF-16).
XML output is written in UTF-8 encoding. Currently a default XML style
sheet is provided so the results can be viewed with a browser, but any
text editor can view the results.
These are text files that allow one to automate key/value extraction. The
parsing rules for these templates are as follows:
General Rules.
1. each line is parsed separately
2. a line that starts with a double forward slash (e.g. //) is ignored
   and used for comments
3. a blank line is ignored
4. any line not satisfying Rules 2 and 3 above is assumed to be a command.
5. all command lines are in CSV (comma separated value) format
Command lines
1. must start with the sequence: !cmd
2. and contain the following options, CSV delimited (in any order):
   -enumreg
   -key, <key path> [use ?* for a wildcard key/subkey; '?*' is used
     for a wildcard since '*' is a valid subkey name]
   -hive, <registry hive path>
   -level, <num of levels to recurse>, where 0 equates to the current level
   [-enumvalues | -enumkeys]
3. other options are available but are not required. They depend on
   the key/value that is extracted. For example:
   [-sort_by_name | -sort_by_date]
     either one can be used, but not both. [-sort_by_date] is only
     applicable to key/subkey names and not value names, whereas
     [-sort_by_name] is applicable to either key or value names.
   -stream_mru
     for binary StreamMRU data.
     (The following key uses binary link data:
     NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU)
   -userassist
     parses the userassist data into readable strings
     (e.g. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count)
   -recentdocs
     parses the recentdocs data into readable strings
     (e.g. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs)
   reading a hive from an unmounted partition
     -image <unmounted ntfs partition as a single file> -hive <path/file of the hive to be analyzed>
Running a user defined template
To run a template, in file menu, select 'Run CmdFile', whereupon an open
file dialog box will allow you to navigate to the template file you wish
to run.
Below is an example of extracting USB thumb drive forensics artifacts from an XP
box. Note that some of the commands extract data from the system hive while
others extract data from the user hives. For the user hives, a wildcard is
used to traverse all user hives on a particular box. Note: on a Vista or
Windows 7 box, some of the registry values are different.
// 1. Record the (a) Vendor (b) Product (c) Version and (d) serial numbers for
// all child keys
//
!cmd, -enumreg, -key, HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\?*\, -hive, c:\windows\system32\config\system, -level, 0, -sort_by_date, -enumkeys
// 2. Record the Parent Prefix ID
// Note: the use of wildcards for subkeys prior to the ParentIdPrefix.
// In this case we only want the subkeys that have the
// ParentIdPrefix.
//
!cmd, -enumreg, -key, HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\?*\?*\ParentIdPrefix, -hive, c:\windows\system32\config\system, -level, 0, -sort_by_date, -enumvalues
// 3. Determine the Vendor ID (VID) and Product ID (PID) based on the S/N
//
!cmd, -enumreg, -key, HKLM\SYSTEM\CurrentControlSet\Enum\USB\?*, -hive, c:\windows\system32\config\system, -level, 0, -sort_by_date, -enumkeys
// 4. Determine the drive letter the device is mapped to
//
!cmd, -enumreg, -key, HKLM\SYSTEM\MountedDevices\, -hive, c:\windows\system32\config\system, -level, 0, -mounted_devices, -enumvalues
// 5. Find the user that used the specific USB device
//
!cmd, -enumreg, -key, NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, -hive, C:\Documents and Settings\?*\ntuser.dat, -level, 0, -sort_by_date, -enumkeys
// 6. Determine the first time the device was connected after the last reboot
//
!cmd, -enumreg, -key, HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}, -hive, c:\windows\system32\config\system, -level, 0, -sort_by_date, -enumkeys
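As an added example (not TZWorks code), the Python below parses template files by the rules given above and applies the '?*' wildcard to key paths, using three of the USB commands from the example plus one invalid line as constructed input and a made-up USBSTOR subtree as the key tree. The option names are the readme's; the helper names, the sample key paths and the serial number are assumptions.

```python
import csv
from typing import Dict, List, NamedTuple, Optional, Tuple

# Options that take no argument; any other "-option" consumes the next CSV field.
FLAGS = {"-enumreg", "-enumvalues", "-enumkeys", "-sort_by_name", "-sort_by_date",
         "-stream_mru", "-userassist", "-recentdocs", "-mounted_devices"}
REQUIRED = ("-enumreg", "-key", "-hive", "-level")
WILDCARD = "?*"  # two characters because a bare '*' is a legal subkey name

Command = NamedTuple("Command", [("line_no", int), ("opts", Dict[str, Optional[str]])])

def _check(opts: Dict[str, Optional[str]]) -> List[str]:
    """Option-level constraints taken from the template rules above."""
    errs = [f"missing {o}" for o in REQUIRED if o not in opts]
    if not (opts.get("-level") or "").isdigit():
        errs.append("-level must be a non-negative integer")
    if ("-enumvalues" in opts) == ("-enumkeys" in opts):
        errs.append("exactly one of -enumvalues / -enumkeys is required")
    if "-sort_by_name" in opts and "-sort_by_date" in opts:
        errs.append("-sort_by_name and -sort_by_date are mutually exclusive")
    return errs

def parse_template(text: str) -> Tuple[List[Command], List[str]]:
    """Rules 1-5: one command per line, '//' and blank lines skipped, CSV fields."""
    cmds, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        fields = [f.strip() for f in next(csv.reader([line]))]
        if fields[0] != "!cmd":
            errors.append(f"line {n}: command lines must start with !cmd")
            continue
        opts, i = {}, 1
        while i < len(fields):
            tok = fields[i]
            if tok in FLAGS:
                opts[tok], i = None, i + 1
            elif tok.startswith("-") and i + 1 < len(fields):
                opts[tok], i = fields[i + 1], i + 2
            else:
                errors.append(f"line {n}: unexpected token {tok!r}")
                break
        errors.extend(f"line {n}: {e}" for e in _check(opts))
        cmds.append(Command(n, opts))
    return cmds, errors

def _segments(path: str) -> List[str]:
    return [s for s in path.split("\\") if s]  # a trailing '\' adds no segment

def key_matches(pattern: str, path: str) -> bool:
    """Segment-wise, case-insensitive match; '?*' matches exactly one segment."""
    pat, seg = _segments(pattern), _segments(path)
    return len(pat) == len(seg) and all(
        p == WILDCARD or p.lower() == s.lower() for p, s in zip(pat, seg))

def select_keys(pattern: str, paths: List[str]) -> List[str]:
    return [p for p in paths if key_matches(pattern, p)]

# Constructed input: three of the readme's USB commands plus one invalid line.
USB_TEMPLATE = r"""
// 1. Vendor, Product, Version and serial for all child keys
!cmd, -enumreg, -key, HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\?*\, -hive, c:\windows\system32\config\system, -level, 0, -sort_by_date, -enumkeys
// 2. Parent Prefix ID (wildcards for the subkeys above it)
!cmd, -enumreg, -key, HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\?*\?*\ParentIdPrefix, -hive, c:\windows\system32\config\system, -level, 0, -sort_by_date, -enumvalues
// 5. Which user used the device; '?*' walks every user hive
!cmd, -enumreg, -key, NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, -hive, C:\Documents and Settings\?*\ntuser.dat, -level, 0, -sort_by_date, -enumkeys
// invalid: both sort options at once
!cmd, -enumreg, -key, HKLM\SYSTEM\Select, -hive, c:\windows\system32\config\system, -level, 0, -sort_by_name, -sort_by_date, -enumkeys
"""
# Constructed key paths standing in for a USBSTOR subtree (serial number is made up).
USBSTOR = r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
SAMPLE_KEYS = [
    USBSTOR + r"\Disk&Ven_Generic&Prod_Flash&Rev_1.00",
    USBSTOR + r"\Disk&Ven_Generic&Prod_Flash&Rev_1.00\0000111122223333&0",
    USBSTOR + r"\Disk&Ven_Generic&Prod_Flash&Rev_1.00\0000111122223333&0\ParentIdPrefix",
    USBSTOR + r"\Disk&Ven_Generic&Prod_Flash&Rev_1.00\0000111122223333&0\Device Parameters",
]

if __name__ == "__main__":
    cmds, errs = parse_template(USB_TEMPLATE)
    for c in cmds:  # prints the keys each command would select from the sample tree
        print(f"line {c.line_no}: {select_keys(c.opts['-key'], SAMPLE_KEYS)}")
    print("errors:", errs)
```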
- Access to active hives. One is required to run yaru under administrative
  privileges to get read access to the raw NTFS clusters storing the live hives.
  When running under Vista or Windows 7, any network shares established earlier
  as a regular (non-admin) user will be isolated from other accounts
  (including the admin account). This happens because User Account
  Control (UAC) treats members of the Administrators group as standard users.
  Therefore, network shares that are mapped by logon scripts are shared with
  the standard user access token instead of with the full administrator access
  token.
- yaru may run out of memory processing some very large registry hives with
  many deleted files. To address this issue, a 64 bit version of yaru was created.
- When using yaru to compare .reg files from two different snapshots in time
  where the snapshots are generated from tools other than yaru (e.g. from
  regedit.exe), one needs to ensure the .reg file is saved in the old
  NT4 format (which is text based) vice the default format (which is binary
  based). yaru's comparison option only works with text based .reg files.
- The tool has not been compiled for Apple Silicon (ARM64) yet, just Intel-based macOS.
For this tool to work, the X Window System libraries are required for both Linux and macOS (they
are not required for Windows). These libraries use the X11 protocol
and graphics primitives to render the graphical user interface components.
These libraries are common on Unix-like OSes.
If one is unfamiliar with the X Window System or the libraries associated with it, one can download
an installer package from XQuartz.org, which is an open-source effort to develop
a version of the X Window System that runs on Linux and macOS.
After the X11 libraries are installed, one needs to ensure they are running prior to running
this tool.
This tool has authentication built into the binary. The primary authentication
mechanism is the X.509 code signing certificate embedded in the binary
(Windows and macOS).
The other mechanism is runtime authentication, which applies to all
versions of the tool (Windows, Linux and macOS). The runtime authentication
validates that the tool has a valid license. The license needs to be in the same
directory as the tool for it to authenticate. Furthermore, any modification to
the license, either to its name or its contents, will invalidate the license.
Limited versus Demo versus Full in the tool's output banner
The tools from TZWorks output header information about the tool's version
and whether it is running in limited, demo or full mode. This is
directly related to which version of a license the tool authenticates with. The
limited and demo keywords indicate that some functionality of the tool is not
available, and the full keyword indicates that all the functionality is available.
The missing functionality in the limited or demo versions may mean one or
all of the following: (a) certain options may not be available,
(b) certain data may not be output in the parsed results, and (c) the license has a
finite lifetime before expiring.
- 04/17/2024 - v1.90 - core c/c++ lib changes
- 05/09/2023 - v1.89 - updated vmdk disk load for disk with multiple volumes
- 04/03/2023 - v1.88 - updated code-base to natively run Windows ARM64 processor in addition to Intel 32 or 64 bit
- 10/18/2022 - v1.87 - c-runtime library updates affecting Windows legacy builds
- 010/1/2022 - v1.86 - added password hint in report data from SAM hive
- 08/26/2022 - v1.85 - updated core libs during various bug fixes
- 05/16/2022 - v1.84 - updated build for new compiler. various changes to core libs; updated the timezone computation
- 12/07/2021 - v1.83 - updated core libs during various bug fixes
- 08/05/2021 - v1.82 - updated core libs for Linux and OSX updates
- 03/01/2021 - v1.81 - updated build for MacOS, fixed bugs in shared libraries. This tool has not
  been compiled for Apple Silicon (ARM64), just Intel64 based MacOS.
- 11/09/2020 - v1.80 - updated core libs
- 09/09/2020 - v1.79 - updated the binary self check algorithm
- 05/01/2020 - v1.78 - boundary condition bug fixes and updated reg lib. comparison of hives option now outputs results in CSV format.
  added artifact ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage
- 01/15/2020 - v1.77 - improved the 'compare 2 registries' option. now can compare two hives as well
  as compare multiple .reg files.
- 01/01/2020 - v1.76 - improved detection of deleted keys (embedded in the slack of existing large allocated keys). Fixed various other minor bugs
- 11/09/2019 - v1.75 - added values from [HKLM\System\CurrentControlSet\Control\NetworkSetup2\Interfaces\{373CA98A-0E76-4A8D-97CD-9AD7DCB8C8D8}\Kernel] in system hive report.
- 08/01/2019 - v1.74 - added extraction of other office keys for File/Place MRU data and "Word/Reading Locations" into user.dat report.
- 07/03/2019 - v1.73 - library updates
- 05/09/2019 - v1.72 - added the System\Setup\Source OS installation times to the system hive report.
- 04/19/2019 - v1.71 - updated the BAM (Background Activity Moderator) artifact for Win10 ver1903.
- 01/08/2019 - v1.70 - updated carving to handle registry transactional logs
- 11/29/2018 - v1.69 - updated routines in ntfs library that affect this tool
- 10/15/2018 - v1.68 - fixed bug in reading unicode path
- 08/28/2018 - v1.67 - fixed bug for very large and fragmented MFTs (ntfs lib that this tool uses)
- 07/11/2018 - v1.66 - selection of volume on VMWare disk with multiple partitions. updated the task schedule artifact parsing to include
  additional timestamps embedded into the data. added value timestamp search option.
  fixed bug in parsing out times for [HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles].
  added translation for [HKLM\Software\Microsoft\Windows NT\CurrentVersion\DigitalProductId] to retrieve
  activation key used for OS.
- 04/11/2018 - v1.65 - added Background Activity Moderator to system hive report. bug fixes rolled into ntfs lib
- 02/11/2018 - v1.64 - bug fixes in shared libraries that affects this tool
- 10/20/2017 - v1.63 - formatting of amcache output and update the parsing for Win10 Fall Creators update.
  added HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps to
  the reports.
- 08/22/2017 - v1.62 - expanded TypedURLs output to include TypedURLsTimes, if available. bugfix to VMWare VMDK for loading snapshots
- 08/01/2017 - v1.61 - added option to scan for large values in registry and an option
  to find entries with high entropy (or randomness). Both of the
  options are geared toward assisting the analyst to find possible malware.
- 04/29/2017 - v1.60 - additional boundary checking for corrupted hives
- 04/12/2017 - v1.59 - handle case for Win10 Creators shimcache with extended header
- 03/22/2017 - v1.58 - updated the AppCache algorithm as it affects Win10
- 02/20/2017 - v1.57 - updated various common libraries with bug fixes
- 01/30/2017 - v1.56 - fixed bug in SAM report with regards to last failed time and last logon time
- 11/14/2016 - v1.55 - fixed context menu bug
- 05/21/2016 - v1.54 - For UserAssist reports, handles case where ROT13 conversion results in UTF-16.
  In past versions, the UTF-16 format was rendered in the output. The current change converts
  to UTF-8.
- 05/01/2016 - v1.53 - updated this version with new ItemID signatures as well as more GUID
  translations.
- 03/12/2016 - v1.52 - updated the ntfs libs
- 02/08/2016 - v1.51 - for sam reports added Windows Live Account info to report
- 02/06/2016 - v1.50 - added other account detail metadata to sam report. fixed bug in the password hash decryption
- 01/28/2016 - v1.49 - mods to allow for differences in VMWare 12
- 12/06/2015 - v1.48 - Added GUIDs used in Win10 and affects certain reports that are
  generated that require parsing of ItemIDs.
  fixed boundary condition bug for unlinked nodes
- 11/20/2015 - v1.47 - fixed boundary condition bug in NTFS engine
- 10/03/2015 - v1.46 - Added ShimCache parsing for Win10.
- 09/09/2015 - v1.45 - Added carve option to handle the case for wanting to parse
  a registry transaction log.
- 08/07/2015 - v1.44 - added parsing for some of the new Win8 and Win10 value
  types.
- 07/09/2015 - v1.43 - added artifact in report for inproc server for user hives.
- 06/04/2015 - v1.42 - included more extensive scanning of deleted entries
  added new policies from Win8 and Win10. fixed bug in emdmgmt test time.
  modified the SAM hive report to be more readable.
- 03/09/2015 - v1.41 - shared library updates
- 02/10/2015 - v1.40 - fixed right click context menu/export to file with non-ascii strings
  added another case for the IDList parse.
- 01/09/2015 - v1.39 - added AmCache to the reports menu. fixed bugs in commandline option.
  added allocated unlinked chunks to treeview. changed date find to
  use UTC vice local
- 11/20/2014 - v1.38 - added parsing for REG_RESOURCE_LIST, REG_RESOURCE_REQUIREMENTS_LIST,
  and REG_FULL_RESOURCE_DESCRIPTOR registry data types.
- 11/17/2014 - v1.37 - fix xp loading bug. (Windows version change only)
- 09/21/2014 - v1.36a -added more information to idlist context report
- 08/01/2014 - v1.36 - added AmCache menu and report. added Volume Shadow copy support.
  added Persistence report. updated ntfs engine and registry lib.
- 04/17/2014 - v1.35 - modified extraction of GUIDs from mounted devices to recognize dmio volumes.
  added 'date range' find options for both allocated chunk and unallocated
  chunks (for allocated chunks, scans slack space as well). added warning
  prior to processing a very large hive.
- 04/05/2014 - v1.34 - fixed boundary condition in analyzing NTFS VMWare disks.
  updated registry library.
- 03/07/2014 - v1.33 - fixed header bug introduced w/ v1.32
- 02/24/2014 - v1.32 - custom build
- 01/21/2014 - v1.31 - updated the LNK parsing engine to handle additional shell ItemIDs. this
  affects various reports generated that internally use ItemIds. fixed
  usb reports to include more data. integrated readme into GUI help.
- 11/25/2013 - v1.30 - fixed boundary condition for shimcache parsing on win8
- 11/18/2013 - v1.29 - updated option to export any of the values as a binary blob. included
  app compatibility (shim cache) parsing in the system hive report. Fixed
  bug in hex offsets for find option. Fixed bug in parsing certain
  boundary conditions.
- 10/09/2013 - v1.28 - Added date format options as well as time resolution options.
  Fixed boundary condition in older 32 bit Linux builds.
- 08/22/2013 - v1.27 - Added context parse for IDList/SHITEM type data structs to
  help with reversing. (commercial version only). Removed
  some previous functionality that was more useful to reversing
  rather than for 'personal-use'. All functionality is
  retained for commercial users.
- 07/05/2013 - v1.26 - Added drag-n-drop to the Windows version and
  updated the authentication routine
- 04/20/2013 - v1.25 - Under report generation, fixed some parsing boundary conditions on
  certain artifacts.
- 03/15/2013 - v1.24 - updated fox library to latest stable version (1.6.47)
- 02/29/2013 - v1.23 - fixed bugs in GUI hotkeys for menu as well as other reported
  bugs that caused yaru to crash
- 11/03/2012 - v1.22 - maintenance update of core libraries w/ bug fixes
- 10/30/2012 - v1.21 - fixed bug w/ NTFS inadvertently added in previous version
- 10/13/2012 - v1.20 - fixed boundary condition. added hash check to ensure binary integrity
- 07/17/2012 - v1.19 - fixed bug in vmware option for linux/mac
- 05/30/2012 - v1.18 - beefed up the reports, and other misc improvements to the
  displayed output. fixed miscellaneous bugs.
- 04/05/2012 - v1.17 - added license authentication.
- 03/17/2012 - v1.16 - maintenance updates.
- 12/26/2011 - v1.15 - maintenance updates. also added data view right clk option
  to extract data to a file.
- 06/10/2011 - v1.14 - added prompt for log file location
- 05/29/2011 - v1.13 - Updated to the Fox v1.6.43 library. Added 64 bit native build
  to the mix. Fixed a couple of bugs (hives using ntfs compression and threading lockup
  issues).
- 04/09/2011 - v1.12 - incorporated ability to extract registry hives from a VMWare
  monolithic disk.
- 03/27/2011 - v1.11 - (a) fixed a number of bugs that were introduced with earlier
  updates. (b) bcd hive is now accessible if located on the boot partition. (c) accessing
  user hives is more 'user' friendly
- 03/20/2011 - v1.10 - fixed bug in boundary condition
- 02/26/2011 - v1.09a - maintenance update
- 01/16/2011 - v1.09 - fixed bug in handling certain cluster boundary conditions.
- 01/07/2011 - v1.08 - modified the detection of deleted 'nk' records to be more robust
  to invalid entries
- 08/10/2010 - v1.07 - fixed format problem w/ reg format to screen and ported this
  version over to OS-X
- 07/25/2010 - v1.06a - fixed some thread synchronization issues
- 07/07/2010 - v1.06 - incorporated option to scan for allocated chunks that are hidden.
  also put enumeration of all chunks on a separate thread, so one can analyze the
  registry during enumeration.
- 06/26/2010 - v1.05a - misc fixes and additional shortcuts to live registry hives
  for vista and win7.
- 06/14/2010 - v1.05 - additional error checking on input files. fixed bug in log file
  generation. added pulling password hashes from unmounted image
- 05/23/2010 - v1.04c - check for admin privileges when running certain options in
  win2k or xp.
- 05/06/2010 - v1.04b - added classname data as part of the output for those keys that
  contain it
- 05/01/2010 - v1.04a - modified the report generated for usb artifacts
- 04/25/2010 - v1.04 - fixed many bugs - added some searching functionality - final
  version submitted as part of CFRS 500 course project at GMU.
- 04/02/2010 - v1.03c - added option to generate a report on the currently loaded hive
- 04/01/2010 - v1.03b - fixed bug w/ logging of monitoring deleted keys
- 03/30/2010 - v1.03a - bug fixes related to displaying deleted registry keys
- 03/28/2010 - v1.03 - added a number of new options, including viewing hive slack
  space, deleted registry keys, and some reporting options.
- xxxxxxxxx - v1.02 - intermediate test case for enumerating deleted registry keys
- 03/07/2010 - v1.01 - bug fixes
- 02/28/2010 - v1.00 - first release [uses FOX lib version 1.6.37]
- Document on various Internet sites titled "WinReg.txt" by B.D.
- Various articles in MSDN.
- Windows Forensic Analysis DVD Toolkit, Harlan Carvey
- Wikipedia, the free encyclopedia section on Windows Registry.
- Various forensic artifacts discussed in Computer Forensic Essentials from SANS Institute.
- Forensic Analysis of Unallocated Space in Windows Registry Hive Files,
  by Jolanta Thomassen, Dissertation for Master of Science submitted to
  The University of Liverpool, dated 04 Nov 2008.
- The Internal Structure of the Windows Registry, by Peter Norris,
  MSc Thesis submitted to Defence College of Management and Technology,
  Dept of Informatics and Sensors, Cranfield University. Feb 2009.
- Recovering Deleted Data from the Windows Registry, by Timothy D. Morgan,
  Digital Investigation 5 (2008) S33-S41.
- FOX-toolkit version 1.6.47.
- X Window System Libraries by XQuartz.org.