The idea of this started out as one to duplicate Microsoft's autoruns tool to the extent possible with only offline registry hives. Then I started adding extra non-autorun(ish) registry keys and then it turned into more of a Windows Registry parser; hence the name change from autoreg-parse to python-regparse. I'm terrible at naming scripts/tools so this will have to suffice.
I wrote about it here on my blog: https://sysforensics.org/2015/03/python-registry-parser.html
- I didn't like the output of other tools.
- I wanted to learn to write better Python code.
This was a sticky point I had with alternative tools, and realizing this I thought hard and came to the conclusion if I want a tool that doesn't have messy output i'm going to have to make it custom user defined output, and then provide a fallback template file if a custom output isn't defined via the command line. This will likely turn some people off from using this tool, but I think it's the best way forward.
I suggest taking a look here for some output examples: http://sysforensics.org/2015/03/python-registry-parser.html as it's not as complex as it may sound. Even for non-coders it's easy.
The template file are prebuilt output templates. More of people that aren't going to be sed/awk/greping output (like me) or maybe you just wanted a standard HTML output that you can use for reporting purposes.
regparse.py --plugin typedurls --hives hives/ntuser.dat --format_file templates/typedurls.html
2014-06-04 13:09:14.749073|url1|http://google.com/
2014-06-04 13:09:14.749073|url3|chrome
2014-06-04 13:09:14.749073|url4|http://go.microsoft.com/fwlink/?LinkId=69157
python regparse.py --plugindetails
<snip>
TYPEDPATHS
Plugin: TYPEDPATHS
Author: Patrick Olsen
Version: 0.2
Reference: http://sysforensics.org
Print Fields: "{{ last_write }}|{{ key }}|{{ value }}|{{ data }}"
Description: Parses the NTUSER hive and returns Typed Paths entries.
TYPEDURLS
Plugin: TYPEDURLS
Author: Patrick Olsen
Version: 0.4
Reference: http://sysforensics.org
Print Fields: "{{ last_write }}|{{ url_name }}|{{ url }}"
Description: Parses the NTUSER hives and returns Typed URL entries.
<snip>
So you want to look at the typed urls. You will see from the plugindeails that you have a few printable fields to choose from (last_write, url_name, and url).
For demonstation purposes to show the flexability of the output let's say you just want the url.
python regparse.py --plugin typedurls --hives hives/ntuser.dat --format '{{url}}'
http://google.com/
chrome
http://go.microsoft.com/fwlink/?LinkId=69157
Let's say you have multiple NTUSER hives that you want to process. You can do that like this:
python regparse.py --plugin typedurls --hives hives/ntuser.dat hives/xphive/NTUSER.DAT --format '{{url}}'
http://google.com/
chrome
http://go.microsoft.com/fwlink/?LinkId=69157
http://google.com/
\\vmware-host\Shared Folders\MalwareLabTools
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Or let's say you wanted to put the word "hello_world:" in front of each url (for whatever reason).
python regparse.py --plugin typedurls --hives hives/ntuser.dat hives/xphive/NTUSER.DAT --format 'hello_world:{{url}}'
hello_world:http://google.com/
hello_world:chrome
hello_world:http://go.microsoft.com/fwlink/?LinkId=69157
hello_world:http://google.com/
hello_world:\\vmware-host\Shared Folders\MalwareLabTools
hello_world:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
This allows you to tag the output, which you can then simply filter away at a later time.
Now if you want all of it you just re-add those printable fields as such:
python regparse.py --plugin typedurls --hives hives/ntuser.dat hives/xphive/NTUSER.DAT --format "{{last_write}}|{{url_name}}|{{url}}"
2014-06-04 13:09:14.749073|url1|http://google.com/
2014-06-04 13:09:14.749073|url3|chrome
2014-06-04 13:09:14.749073|url4|http://go.microsoft.com/fwlink/?LinkId=69157
2014-09-05 05:21:12.234362|url1|http://google.com/
2014-09-05 05:21:12.234362|url2|\\vmware-host\Shared Folders\MalwareLabTools
2014-09-05 05:21:12.234362|url3|http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
- Install Python 2.79
- Install https://pypi.python.org/pypi/setuptools
- sudo pip install python-registry
- sudo pip install jinja2
- wget https://github.com/sysforensics/python-regparse/archive/master.zip
- Unzip
- Put it where you want, and then enjoy!
I've tested/used on OSX, Windows and SIFT 3.0. If pip doesn't work for you try easy_install.
- If something is broke let me know.
- If you want a plugin let me know.
- Share hives. I only have so many to test against.
- Feel free to write some plugins.
@williballenthin - http://www.williballenthin.com for writing python-registry, which is what I am using under the hood and for the idea of using user defined output.
@hiddenillusion - This example got me started on the idea. https://github.com/williballenthin/python-registry/blob/master/samples/forensicating.py