Actively maintained software
yarp: yet another registry parser
URL: https://github.com/msuhanov/yarp
A set of tools (and a Python library) to work with registry hives.
- yarp-print: print data from a registry file. The tool can also print deleted keys & values, apply (or skip) transaction log files, parse truncated (carved) registry files as well as standalone (carved) hive bins.
- yarp-timeline: print a timeline for keys found in a registry file (including deleted ones). The tool can extract timestamps from all hive states observed in transaction log files or use only the “before” (dirty) and “after” (recovered) states (thus, a single key can have more than one timestamp), include remnant data (data from previous states of a hive) extracted from slack space of transaction log files. The tool can also parse truncated (carved) registry files and standalone (carved) hive bins. JSON Lines and tab-separated text are available as output.
- yarp-mount: mount a registry file as a FUSE file system (Windows systems aren’t supported), only active (not deleted) data is exposed.
- yarp-carver: carve registry files and fragments (standalone hive bins) from disk images (or similar sources). The tool is capable of locating and rebuilding registry fragments (hive bins) which don’t start with an identifiable header. The tool can reconstruct fragmented registry files using the brute-force approach (used to match different registry fragments together) and/or using the NTFS-aware carver (which scans for mapping pairs (data runs) in a disk image). NTFS-compressed (LZNT1) registry files (usually found in Windows XP restore points) and standalone hive bins are supported too (but such registry files can’t be reconstructed if fragmented, this isn’t supported).
- yarp-memcarver: carve registry fragments (standalone hive bins or standalone keys & values, these are two different modes of operation) from memory images (or similar sources). Compressed (LZ77) standalone hive bins (usually found in compressed memory pages) are supported too.
dfir_ntfs: an NTFS parser for digital forensics & incident response
URL: https://github.com/msuhanov/dfir_ntfs
A set of tools (and a Python library) to work with NTFS file systems and their shadow copies. Now, the project also supports FAT file systems.
- ntfs_parser: parse an $MFT file (including resident $I30 records and remnant $I30 records found in slack space of file record segments), a $UsnJrnl:$J jounal (including version 4 records used to track modified data ranges), a $LogFile journal (versions 1.1 and 2.0), nonresident $I30 records from a disk (volume) image, file control blocks from a memory image (or a similar source). The tool can also parse all $MFT files from a disk (volume) image by including data from shadow copies.
- vsc_mount: mount a shadow copy as a FUSE file system (Windows systems aren’t supported by the tool), a “shadow” volume image (raw/dd) is exposed (it can be mounted using the ntfs-3g driver and/or examined using tools like The Sleuth Kit).
- fat_parser: parse a FAT volume.
winmem_decompress
URL: https://github.com/msuhanov/winmem_decompress
A tool to scan a memory image, or a page file, or a crash dump for compressed memory pages (including truncated ones) and extract these pages (in the decompressed form) to the standard output.
grub-raiddump
URL: https://github.com/msuhanov/grub-raiddump (and a paper)
A tool to copy a virtual drive exposed by a firmware interface of a “fake” RAID controller. It can be used as a last resort when assembling an encrypted array built using a “fake” RAID controller.
My DFIR Blog 