Windows Registry Parser for Forensic Analysis

Overview

The Windows Registry Parser extracts forensically significant artifacts from Windows Registry hive files. This feature provides comprehensive parsing of execution artifacts, user activity, system configuration, and network history that are essential for digital forensics and incident response.

Supported Artifacts

1. UserAssist (Program Execution Tracking)

Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Forensic Value:

  • Tracks program execution by users
  • Provides run counts and focus time
  • Shows last execution timestamps
  • Evidence of user application usage patterns

Extracted Data:

  • Program name (ROT13 decoded)
  • Run count
  • Focus count and focus time in milliseconds
  • Last execution timestamp
  • GUID (identifies the type of activity)

Example Entry:

{
  "program_name": "C:\\Program Files\\Application\\app.exe",
  "run_count": 15,
  "focus_count": 12,
  "focus_time_ms": 45230,
  "last_executed": "2024-01-15T14:30:22Z",
  "guid": "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
}
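Decoding one such value by hand, as an added example that is not part of the project's code: the value name is ROT13 encoded and, on Windows 7 and later, the Count data is a 72-byte blob whose counters and last-run FILETIME sit at fixed offsets. The sample entry is constructed to match the JSON above.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist Count values are 72-byte blobs:
#   0x00 session id, 0x04 run count, 0x08 focus count, 0x0C focus time (ms),
#   0x10-0x3B ten floats plus an unknown dword, 0x3C FILETIME of last run, 0x44 zero.
ENTRY_SIZE = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601; 0 means never run."""
    if ft == 0:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_userassist(value_name, data):
    """Decode one UserAssist value: ROT13 name plus counters and last-run time from the blob."""
    if len(data) != ENTRY_SIZE:
        # XP/Vista entries are 16 bytes with a different layout; do not guess at them.
        raise ValueError("expected a %d-byte Windows 7+ UserAssist entry, got %d" % (ENTRY_SIZE, len(data)))
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "program_name": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_executed": filetime_to_iso(last_run),
    }


def decode_sample():
    """Constructed entry matching the example above; not data from a real hive."""
    encoded_name = r"P:\Cebtenz Svyrf\Nccyvpngvba\ncc.rkr"  # ROT13 of the plain path
    last_run = datetime(2024, 1, 15, 14, 30, 22, tzinfo=timezone.utc) - FILETIME_EPOCH
    ticks = (last_run.days * 86400 + last_run.seconds) * 10_000_000  # integer math, no float rounding
    blob = (struct.pack("<IIII", 1, 15, 12, 45230)   # session, run count, focus count, focus ms
            + b"\x00" * 44                            # floats and unknown dword
            + struct.pack("<Q", ticks)                # last execution FILETIME at offset 60
            + b"\x00" * 4)
    return parse_userassist(encoded_name, blob)


if __name__ == "__main__":
    print(decode_sample())
```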

2. ShimCache/AppCompatCache (Application Compatibility)

Location: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Forensic Value:

  • Records executed binaries (both local and network locations)
  • Provides file modification timestamps
  • Shows evidence of program execution even if the program was later deleted
  • Tracks execution from removable media

Extracted Data:

  • Program path (full path to executable)
  • Last modified timestamp
  • File size
  • Execution flag (indicates if program actually ran)

Example Entry:

{
  "program_path": "C:\\Users\\Admin\\Downloads\\malware.exe",
  "last_modified": "2024-01-14T10:22:15Z",
  "file_size": 2048576,
  "executed": true
}

3. Amcache (Application Inventory)

Location: C:\Windows\appcompat\Programs\Amcache.hve

Forensic Value:

  • Detailed application installation and execution history
  • File hashes (SHA1) for attribution
  • Publisher information
  • Installation dates
  • File metadata (version, size)

Extracted Data:

  • Program name and path
  • SHA1 hash
  • Publisher name
  • Installation date
  • File size and version

Example Entry:

{
  "program_name": "suspicious_tool.exe",
  "program_path": "C:\\Temp\\suspicious_tool.exe",
  "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
  "publisher": "Unknown Publisher",
  "install_date": "2024-01-10T08:15:00Z",
  "file_size": 1048576,
  "file_version": "1.0.0.0"
}

4. BAM/DAM (Background Activity Moderator)

Location:

  • BAM: SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
  • DAM: SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}

Forensic Value:

  • Windows 10/11 execution tracking
  • Provides precise execution timestamps
  • Per-user execution tracking via SIDs
  • Background application activity monitoring

Extracted Data:

  • Program path
  • Execution timestamp
  • User SID (Security Identifier)
  • Entry type (BAM or DAM)

5. RecentDocs/OpenSaveMRU (Document Access History)

Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Forensic Value:

  • Recently opened documents
  • File access patterns
  • Evidence of specific file interactions
  • MRU (Most Recently Used) tracking

Extracted Data:

  • Document name
  • File extension
  • MRU position (access order)
  • Last accessed timestamp

Example Entry:

{
  "document_name": "confidential_data.xlsx",
  "file_extension": ".xlsx",
  "mru_position": 1,
  "last_accessed": "2024-01-15T16:20:10Z"
}

Usage

Basic Usage

# Parse all registry files with all artifact types
sus /evidence --parse-registry

# Parse with custom output location
sus /evidence --parse-registry --registry-output investigation/registry_data.csv

Selective Artifact Parsing

# Parse only specific artifacts
sus /evidence --parse-registry --registry-artifacts userassist,shimcache,bam

# Parse execution-related artifacts
sus /evidence --parse-registry --registry-artifacts userassist,shimcache,amcache,bam \
    --registry-output execution_artifacts.csv

# Parse user activity artifacts
sus /evidence --parse-registry --registry-artifacts userassist,recentdocs,network,usb

Output Formats

CSV Format

Timeline-friendly format with one row per artifact entry:

artifact_type,timestamp,program_path,program_name,user_sid,details,key_path
UserAssist,2024-01-15T14:30:22Z,,notepad.exe,,"run_count=5 focus_count=3 focus_time_ms=12000",NTUSER.DAT\...\UserAssist\{GUID}\Count
ShimCache,2024-01-14T10:22:15Z,C:\Tools\tool.exe,,,"executed=true size=2048576",SYSTEM\...\AppCompatCache
BAM,2024-01-15T12:45:33Z,C:\Windows\System32\cmd.exe,,S-1-5-21-...-1001,,SYSTEM\...\bam\State\UserSettings

JSON Format

Structured format with complete metadata:

{
  "userassist": [
    {
      "key_path": "...",
      "program_name": "...",
      "run_count": 15,
      "focus_count": 12,
      "focus_time_ms": 45230,
      "last_executed": "2024-01-15T14:30:22Z",
      "guid": "{...}",
      "raw_value_name": "..."
    }
  ],
  "shimcache": [...],
  "amcache": [...],
  "bam_dam": [...],
  "recentdocs": [...],
  "network_history": [...],
  "usb_devices": [...]
}

Registry Hive Files

Common Windows Registry Hive Locations

System-wide hives:

  • C:\Windows\System32\config\SYSTEM - System configuration, drivers, services
  • C:\Windows\System32\config\SOFTWARE - Installed applications, system-wide settings
  • C:\Windows\System32\config\SAM - User accounts and passwords (hashed)
  • C:\Windows\System32\config\SECURITY - Security policies
  • C:\Windows\System32\config\DEFAULT - Default user profile
  • C:\Windows\appcompat\Programs\Amcache.hve - Application compatibility cache

Per-user hives:

  • C:\Users\{username}\NTUSER.DAT - User-specific settings, UserAssist, RecentDocs
  • C:\Users\{username}\AppData\Local\Microsoft\Windows\UsrClass.dat - User file associations

Transaction logs:

  • .LOG, .LOG1, .LOG2 files alongside hives contain uncommitted changes

Forensic Analysis Techniques

Timeline Analysis

# Generate comprehensive timeline with registry artifacts
sus /evidence --parse-registry --generate-timeline csv

# Then use timeline tools to correlate events
# Timeline will include registry timestamps alongside file system events

Execution Artifact Correlation

Look for the same executable across multiple sources:

  1. UserAssist - User executed the program via Explorer
  2. ShimCache - Windows compatibility check ran
  3. Amcache - Installation or first execution metadata
  4. BAM/DAM - Recent execution timestamp
  5. Prefetch - Program execution optimization data

If a program appears in multiple sources, it provides strong evidence of execution.

User Activity Profiling

Combine artifacts to build user behavior profiles:

  • UserAssist - What programs they use most
  • RecentDocs - What documents they access
  • Network History - Where they connect from
  • USB Devices - What removable media they use

Malware Detection

Indicators of malicious activity:

  1. Suspicious Execution Paths:

    • Temp directories (C:\Users\{user}\AppData\Local\Temp)
    • Downloads folder
    • Recycle Bin
    • Non-standard system32 locations
  2. Unusual Timestamps:

    • Execution at odd hours
    • Short execution times for complex programs
    • Execution immediately after download
  3. Missing Publisher Information:

    • Unsigned executables in Amcache
    • "Unknown Publisher" for system tools
  4. Persistence Mechanisms:

    • Entries in startup locations
    • Services registration
    • Scheduled tasks
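The two techniques above, correlating one executable across artifact sources and flagging the suspicious execution paths listed, worked over rows in the tool's CSV export layout. This is an added example, not code from the project; the rows are constructed, and the artifact_type labels and the use of program_path/program_name follow the CSV sample shown earlier.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample rows in the CSV layout documented above (not real case data).
SAMPLE_CSV = r"""artifact_type,timestamp,program_path,program_name,user_sid,details,key_path
UserAssist,2024-01-15T14:30:22Z,,tool.exe,S-1-5-21-1000,run_count=5,NTUSER.DAT\...\UserAssist\{GUID}\Count
ShimCache,2024-01-14T10:22:15Z,C:\Users\Admin\Downloads\tool.exe,,,executed=true size=2048576,SYSTEM\...\AppCompatCache
Amcache,2024-01-14T10:22:15Z,C:\Users\Admin\Downloads\tool.exe,tool.exe,,publisher=Unknown Publisher,Amcache.hve\...
BAM,2024-01-15T12:45:33Z,C:\Users\Admin\Downloads\tool.exe,,S-1-5-21-1000,,SYSTEM\...\bam\State\UserSettings
ShimCache,2024-01-10T09:00:00Z,C:\Windows\System32\notepad.exe,,,executed=true size=200000,SYSTEM\...\AppCompatCache
"""

# Directory fragments from the indicator list above; paths are compared lower-cased.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\$recycle.bin\\")
REAL_SYSTEM32 = "c:\\windows\\system32\\"


def suspicious_path(path):
    # Temp, Downloads, Recycle Bin, or a "system32" directory that is not the real one.
    p = path.lower()
    if any(d in p for d in SUSPICIOUS_DIRS):
        return True
    return "\\system32\\" in p and not p.startswith(REAL_SYSTEM32)


def correlate(csv_text, min_sources=2):
    # Group rows by lower-cased executable name; keep those seen in >= min_sources artifact types.
    by_exe = defaultdict(lambda: {"sources": set(), "paths": set(), "timestamps": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = ntpath.basename(row["program_path"] or row["program_name"]).lower()
        if not name:
            continue
        entry = by_exe[name]
        entry["sources"].add(row["artifact_type"])
        if row["program_path"]:
            entry["paths"].add(row["program_path"])
        if row["timestamp"]:
            entry["timestamps"].append(row["timestamp"])
    findings = {}
    for name, entry in by_exe.items():
        if len(entry["sources"]) >= min_sources:
            findings[name] = {
                "sources": sorted(entry["sources"]),
                "first_seen": min(entry["timestamps"], default=None),  # ISO 8601 UTC strings sort chronologically
                "last_seen": max(entry["timestamps"], default=None),
                "suspicious_path": any(suspicious_path(p) for p in entry["paths"]),
            }
    return findings
```

An executable that turns up in four sources from a Downloads path, as tool.exe does here, is exactly the pattern the correlation step is meant to surface; notepad.exe drops out because a single ShimCache row on its own is weak evidence.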

Usage

Output Formats

# CSV format (default, timeline-friendly)
sus /evidence --parse-registry --registry-format csv

# JSON format (structured, all metadata)
sus /evidence --parse-registry --registry-format json --registry-output results.json

Combined with Other Features

# Full forensic workflow
sus /evidence --target KAPE_Triage \
    --system-snapshot \
    --collect \
    --parse-registry \
    --generate-timeline json

# Focused execution analysis
sus /evidence --target KAPE_EvidenceOfExecution \
    --parse-registry --registry-artifacts userassist,shimcache,amcache,bam \
    --registry-output execution_artifacts.csv

# Multi-system investigation
sus /servers --tag-dir '/web01:web01' --tag-dir '/db01:db01' \
    --parse-registry \
    --collect \
    --generate-timeline csv

Data Exfiltration Detection

USB device analysis for potential data theft:

# Parse USB artifacts and correlate with file access times
sus /evidence --parse-registry --registry-artifacts usb,recentdocs \
    --registry-format csv

# Look for:
# 1. USB device connections
# 2. Document access around same time
# 3. Large file operations in timeline
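The "document access around the same time" check as a time-window join over the CSV export, added here as an example that is not part of the project. The rows are constructed; the artifact_type labels "USBDevice" and "RecentDocs", and placing the device description and document name in the program_name column, are assumptions about the export rather than something documented above.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed rows in the tool's CSV layout. The "USBDevice"/"RecentDocs" labels and the
# use of program_name for device and document names are assumptions, not documented format.
SAMPLE_CSV = r"""artifact_type,timestamp,program_path,program_name,user_sid,details,key_path
USBDevice,2024-01-15T16:05:40Z,,Example USB Flash Drive,,serial=CONSTRUCTED0001,SYSTEM\...\USBSTOR
RecentDocs,2024-01-15T16:20:10Z,,confidential_data.xlsx,S-1-5-21-1000,mru_position=1,NTUSER.DAT\...\RecentDocs\.xlsx
RecentDocs,2024-01-15T16:31:02Z,,board_minutes.docx,S-1-5-21-1000,mru_position=2,NTUSER.DAT\...\RecentDocs\.docx
RecentDocs,2024-01-12T09:14:00Z,,quarterly_report.pdf,S-1-5-21-1000,mru_position=3,NTUSER.DAT\...\RecentDocs\.pdf
"""


def parse_ts(value):
    # Timestamps in the export are ISO 8601 UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def usb_document_overlap(csv_text, window_minutes=30, usb_type="USBDevice", doc_type="RecentDocs"):
    """For each USB connection, list documents accessed within +/- window_minutes of it."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if r["timestamp"]]
    devices = [r for r in rows if r["artifact_type"] == usb_type]
    documents = [r for r in rows if r["artifact_type"] == doc_type]
    window = timedelta(minutes=window_minutes)
    hits = []
    for dev in devices:
        connected = parse_ts(dev["timestamp"])
        nearby = [d for d in documents if abs(parse_ts(d["timestamp"]) - connected) <= window]
        if nearby:
            hits.append({
                "device": dev["program_name"],
                "connected": dev["timestamp"],
                "documents": sorted(d["program_name"] for d in nearby),
            })
    return hits
```

The window is a tuning knob: at 30 minutes the two documents opened after the sample connection are reported, while the report opened three days earlier is not.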

Platform Support

Supported Platforms for Parsing

  • Linux - Full support (can parse Windows registry hives)
  • macOS - Full support (can parse Windows registry hives)
  • Windows - Full support (native and offline parsing)

Parsing Capabilities

  • Offline Parsing: No Windows API required, works on any platform
  • Cross-platform: Parse Windows registry hives on Linux/macOS for forensics
  • No Admin Required: Read-only access to hive files
  • Transaction Log Support: Future enhancement to parse .LOG files

Limitations and Known Issues

Current Limitations

  1. Binary Parsing:
    • Some timestamps require binary structure parsing (partially implemented)
    • Focus time and run count parsing is basic
    • Complex binary values may not be fully decoded
  2. Transaction Logs:
    • .LOG files are not currently merged with hive data
    • May miss uncommitted recent changes
  3. Deleted Entries:
    • Does not recover deleted registry keys
    • Registry slack space not analyzed
  4. Windows Versions:
    • Parsing logic optimized for Windows 10/11
    • Earlier versions (XP, Vista, 7, 8) mostly supported but may have differences

Future Enhancements

  • Enhanced Binary Parsing: Complete timestamp and counter extraction
  • Transaction Log Merging: Parse and merge .LOG files
  • Deleted Key Recovery: Carve deleted entries from slack space
  • Advanced Amcache Parsing: Parse additional Amcache structures
  • Registry Diff: Compare registry states over time
  • Automated Indicators: Flag suspicious patterns automatically

Security Considerations

Privacy

Registry hives contain sensitive information:

  • User passwords (hashed in SAM)
  • Recently accessed documents
  • Network locations
  • Personal identifying information

Recommendation: Treat registry artifacts as sensitive data. Secure storage and proper data handling are essential.

Evidence Integrity

For forensic investigations:

  1. Hash Verification: Verify SHA256 of registry hives before and after parsing
  2. Write Protection: Use write-blocked devices or read-only mounts
  3. Chain of Custody: Document all access to registry files
  4. Original Preservation: Work on copies, never original evidence

Registry parsing may be subject to:

  • Computer Fraud and Abuse Act (CFAA)
  • General Data Protection Regulation (GDPR)
  • Electronic Communications Privacy Act (ECPA)
  • Corporate data retention policies

Recommendation: Ensure proper authorization before parsing registry hives.

Integration with Other Tools

Timeline Tools

Export CSV format for use with:

  • Plaso/log2timeline - Combine with other timeline sources
  • Timesketch - Collaborative timeline analysis
  • Excel/LibreOffice - Manual review and pivot tables

SIEM Integration

Export JSON for ingestion into:

  • Splunk - Index and search artifacts
  • Elastic Stack - Visualize execution patterns
  • QRadar - Correlate with other security events

Forensic Suites

Combine with:

  • Autopsy - Comprehensive forensic analysis
  • AXIOM - Mobile and computer forensics
  • X-Ways Forensics - Disk analysis and carving

Examples

Basic Forensic Investigation

# Step 1: Acquire evidence
mount -o ro /dev/sdb1 /mnt/evidence

# Step 2: Run comprehensive analysis
sus /mnt/evidence/Windows \
    --target KAPE_Triage \
    --system-snapshot \
    --parse-registry \
    --collect \
    --generate-timeline json \
    --output-dir /cases/case-2024-001

# Output:
# - /cases/case-2024-001/analysis.db
# - /cases/case-2024-001/registry_artifacts.csv
# - /cases/case-2024-001/timeline.json
# - /cases/case-2024-001/system_snapshot.json
# - /cases/case-2024-001/collected/...

Malware Analysis

# Focus on execution artifacts
sus /suspect/system \
    --parse-registry \
    --registry-artifacts userassist,shimcache,amcache,bam \
    --registry-format json \
    --registry-output malware_execution.json

# Review malware_execution.json for:
# - Unusual program locations
# - Suspicious timestamps
# - Missing publisher info
# - Encoded/obfuscated names

User Activity Investigation

# Profile user behavior
sus /user/profile \
    --parse-registry \
    --registry-artifacts userassist,recentdocs,network,usb \
    --registry-format csv \
    --registry-output user_activity.csv

# Analyze user_activity.csv for:
# - Document access patterns
# - Program usage frequency
# - Network connections
# - USB device usage

Batch Processing

# Process multiple systems
for system in web01 web02 web03; do
    sus /evidence/${system}/Windows \
        --parse-registry \
        --registry-format json \
        --registry-output /results/${system}_registry.json \
        --tag-dir "/evidence/${system}:${system}"
done

# Combine results for correlation analysis

References

Windows Registry Forensics

  • SANS DFIR: Windows Registry Forensics
  • Harlan Carvey: "Windows Registry Forensics, 2nd Edition"
  • Microsoft Docs: Windows Registry reference
  • 13Cubed (YouTube): Registry forensics videos

Tools and Libraries

  • notatin: Rust library for offline registry parsing
  • RegRipper: Perl-based registry analysis
  • Registry Explorer: Eric Zimmerman's tools
  • yarp: Python library for registry parsing

Standards

  • NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
  • ISO/IEC 27037: Guidelines for identification, collection, acquisition, and preservation of digital evidence

For issues, questions, or feature requests related to registry parsing:

  • GitHub Issues: https://github.com/hisn-io/sus/issues
  • Documentation: https://docs.rs/sus
  • Registry Artifacts Reference: See profiles/modules/windows/registry.toml and execution.toml

Changelog

Version 0.1.0

  • Initial implementation of registry parser
  • Support for UserAssist, ShimCache, Amcache, BAM/DAM, RecentDocs, Network History, USB Devices
  • CSV and JSON export formats
  • Cross-platform offline parsing
  • Integration with artifact collection and timeline generation