I’m glad to announce the immediate availability of the registryfs branch of the Sleuthkit. This patch brings support to the top file system forensic toolkit for navigating, exploring, and extracting raw Windows Registry hives. There are striking similarities between the organization of a file system and the Registry. In particular, they are both persistent databases organized into tree structures that typically store binary values at the leaf nodes. If you’ve come to be familiar with TSK, you may find it natural to script Registry access using the registryfs branch.
The registryfs branch of TSK is hosted in a GitHub repository here. To quickly get up and running, you may execute the following instructions to build from source.
The registryfs patch adds an additional supported file system type: the Registry. Because the patch implements each of the required APIs of a file system module, all of the Sleuthkit tools should work as expected.
We can use the reg file system type when working with raw Registry hives acquired from Microsoft Windows operating systems. For instance, let’s look at two sample SECURITY and SYSTEM hives. First, we’ll review the basic metadata about the SECURITY hive using fsstat. This tool lists basic metadata about an image (or, in this case, the raw Registry hive).
The registryfs patch lets you work with the Registry tree structure as if you were traversing the tree structure of a file system. So fls runs as expected and lists the logical contents of a given inode. Because the Windows Registry allocates data in unaligned chunks rather than sectors, you must refer to structures by their offset in bytes. Here, we specify the root key offset. Note that recursively listing a key also works.
When you find an interesting key or value, istat provides metadata about the given inode. With registryfs, istat can display information about keys, values, and any other structure that is easily identifiable (such as value list structures). The example here shows the output of istat when run against both a key and a value.
And finally, you can use icat to acquire the binary contents of a Registry value, just as if you were to recover a file from a file system. Here, we access the contents of an “AppCompat” value (demonstrating support for “db” record types).
The registryfs patch to TSK brings support for an additional file system type that enables forensic investigators to review the contents of a Registry file using familiar tools. Consider how easy it is to use TSK in a Bash script to extract the INDX attributes in an image. Now, you can just as easily write quick-and-dirty scripts to manipulate the Registry.
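As an added example of the kind of quick-and-dirty script the paragraphs above describe (this is not code from the registryfs branch or from the TSK project), the following Bash script lists the values under a Registry key with fls and dumps each one with icat. It assumes the registryfs builds of fsstat, fls and icat are on PATH and accept `-f reg` as the file system type, that inode addresses are byte offsets into the hive as described above, and that fls prints its usual `type/type addr:<TAB>name` lines, with keys shown as `d/d` and values as `r/r` (the sample listing and offsets in the script are constructed for illustration, not taken from a real hive).

```bash
#!/usr/bin/env bash
# Added example: script registryfs-enabled TSK tools over a raw hive.
# Assumptions (not from the page): fsstat/fls/icat accept "-f reg" and
# fls emits "<type>/<type> <addr>:<TAB><name>" lines, "*" marking deleted
# entries, with keys listed as d/d and values as r/r.
set -eu

# Print basic hive metadata (what the page does with fsstat on SECURITY).
hive_summary() {            # hive_summary <hive>
    fsstat -f reg "$1"
}

# Reduce an fls listing to "addr<TAB>name" for value (r/r) entries only.
# Keys (d/d) are skipped; a deleted marker "*" shifts the address field.
parse_fls_values() {        # reads fls output on stdin
    awk '
        $1 ~ /^r\/r/ {
            addr = ($2 == "*") ? $3 : $2   # address is the field before ":"
            sub(/:$/, "", addr)
            name = $0
            sub(/^[^:]*:[ \t]*/, "", name) # everything after the first ":" is the name
            print addr "\t" name
        }'
}

# List the values directly under a key, given the key'\''s byte offset.
list_values() {             # list_values <hive> <key-offset>
    fls -f reg "$1" "$2" | parse_fls_values
}

# Dump every value under a key to <outdir>/<offset>_<name>.bin with icat,
# sanitising the value name so it is safe as a file name.
dump_values() {             # dump_values <hive> <key-offset> <outdir>
    mkdir -p "$3"
    list_values "$1" "$2" | while IFS="$(printf '\t')" read -r addr name; do
        safe=$(printf '%s' "$name" | tr -c 'A-Za-z0-9._-' '_')
        icat -f reg "$1" "$addr" > "$3/${addr}_${safe}.bin"
    done
}

# Constructed fls-style listing used to exercise the parser offline;
# the offsets and names are made up and do not come from a real hive.
sample_fls_listing() {
    printf 'd/d 4128:\tControlSet001\n'
    printf 'r/r 4256:\tAppCompatCache\n'
    printf 'r/r * 4400:\tStaleValue\n'
}

# Usage: ./regdump.sh <hive> <key-offset> <outdir>
if [ "$#" -eq 3 ]; then
    hive_summary "$1"
    dump_values "$1" "$2" "$3"
fi
```

Because registryfs addresses are byte offsets, the script never computes or assumes an inode numbering scheme; it takes the key offset you obtained from fls or istat and passes whatever offsets fls reports straight back to icat, so it works for any key once the root key offset is known.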