#nt #forensics #hive #parser #windows #registry

bin+lib nt_hive2

forensic parser library for Windows registry hive files

10 stable releases (3 major)

3.0.1 Feb 2, 2023
2.3.3 Dec 9, 2022
2.3.1 Jul 2, 2022
2.2.1 Jun 7, 2022
0.1.1 Apr 20, 2022

81 downloads per month
Used in 2 crates

GPL-3.0 license

105KB
2K SLoC

nt_hive2

This crate aims to be a replacement for https://github.com/ColinFinck/nt-hive, with the following differences:

  • use of BinRead to parse hive files
  • support of displaying last written timestamps
  • recovery of deleted cells

regdump

dumps the keys and values of a Windows registry hive file, optionally replaying its transaction logs first

Usage: regdump [OPTIONS] <HIVE_FILE>

Arguments:
  <HIVE_FILE>  name of the file to dump

Options:
  -L, --log <LOGFILES>     transaction LOG file(s). This argument can be specified one or two times
  -b, --bodyfile           print as bodyfile format
  -I, --ignore-base-block  ignore the base block (e.g. if it was encrypted by some ransomware)
  -v, --verbose...         More output per occurrence
  -q, --quiet...           Less output per occurrence
  -h, --help               Print help information
  -V, --version            Print version information
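The `-L` and `-I` options above only make sense once you know what the first 4 KiB of a hive look like. The following is an added example (not code from the nt_hive2 README or the crate itself) that parses the base block ("regf" header) with only the standard library and performs the two checks a forensic tool runs before trusting the file: the header checksum, and the primary/secondary sequence-number comparison that tells you the hive is "dirty" and its LOG files need to be replayed. It also converts the last-written FILETIME to Unix time. The sample base block is constructed inline; field offsets follow the public regf format documentation.

```rust
// Added example (not nt_hive2 code): std-only parser for the 4 KiB base block of a
// Windows registry hive, with checksum and dirty-hive detection.
use std::convert::TryInto;

const BASE_BLOCK_SIZE: usize = 4096;
const CHECKSUM_OFFSET: usize = 0x1FC;
/// 100-ns intervals between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
const FILETIME_UNIX_DIFF: u64 = 11_644_473_600 * 10_000_000;

#[derive(Debug, PartialEq)]
pub struct BaseBlock {
    pub primary_sequence: u32,
    pub secondary_sequence: u32,
    pub last_written_filetime: u64,
    pub major_version: u32,
    pub minor_version: u32,
    pub root_cell_offset: u32,
    pub hive_bins_size: u32,
    pub stored_checksum: u32,
    pub computed_checksum: u32,
}

impl BaseBlock {
    /// Header is intact only if the stored checksum matches the XOR over the first 508 bytes.
    pub fn checksum_ok(&self) -> bool { self.stored_checksum == self.computed_checksum }
    /// Sequence numbers diverge when the hive was not flushed cleanly; LOG files must be replayed.
    pub fn is_dirty(&self) -> bool { self.primary_sequence != self.secondary_sequence }
    /// Last written timestamp as seconds since the Unix epoch (None if before 1970).
    pub fn last_written_unix(&self) -> Option<u64> {
        self.last_written_filetime.checked_sub(FILETIME_UNIX_DIFF).map(|t| t / 10_000_000)
    }
}

fn u32_at(buf: &[u8], off: usize) -> u32 { u32::from_le_bytes(buf[off..off + 4].try_into().unwrap()) }
fn u64_at(buf: &[u8], off: usize) -> u64 { u64::from_le_bytes(buf[off..off + 8].try_into().unwrap()) }

/// XOR of the 127 DWORDs preceding the checksum field, with the two documented special cases.
pub fn base_block_checksum(buf: &[u8]) -> u32 {
    let mut x = 0u32;
    for off in (0..CHECKSUM_OFFSET).step_by(4) {
        x ^= u32_at(buf, off);
    }
    match x {
        0xFFFF_FFFF => 0xFFFF_FFFE,
        0 => 1,
        v => v,
    }
}

pub fn parse_base_block(buf: &[u8]) -> Result<BaseBlock, String> {
    if buf.len() < BASE_BLOCK_SIZE {
        return Err(format!("need {} bytes, got {}", BASE_BLOCK_SIZE, buf.len()));
    }
    // A missing signature is what you see when the base block was wiped or encrypted.
    if &buf[0..4] != b"regf" {
        return Err("missing 'regf' signature (base block overwritten or encrypted?)".into());
    }
    Ok(BaseBlock {
        primary_sequence: u32_at(buf, 0x04),
        secondary_sequence: u32_at(buf, 0x08),
        last_written_filetime: u64_at(buf, 0x0C),
        major_version: u32_at(buf, 0x14),
        minor_version: u32_at(buf, 0x18),
        root_cell_offset: u32_at(buf, 0x24),
        hive_bins_size: u32_at(buf, 0x28),
        stored_checksum: u32_at(buf, CHECKSUM_OFFSET),
        computed_checksum: base_block_checksum(buf),
    })
}

/// Constructed sample (not a real hive): a base block with the given sequence numbers.
pub fn sample_base_block(primary: u32, secondary: u32) -> Vec<u8> {
    let mut b = vec![0u8; BASE_BLOCK_SIZE];
    b[0..4].copy_from_slice(b"regf");
    b[0x04..0x08].copy_from_slice(&primary.to_le_bytes());
    b[0x08..0x0C].copy_from_slice(&secondary.to_le_bytes());
    // 2021-01-01T00:00:00Z as FILETIME: (1609459200 + 11644473600) * 10^7
    b[0x0C..0x14].copy_from_slice(&132_539_328_000_000_000u64.to_le_bytes());
    b[0x14..0x18].copy_from_slice(&1u32.to_le_bytes()); // major version
    b[0x18..0x1C].copy_from_slice(&5u32.to_le_bytes()); // minor version
    b[0x24..0x28].copy_from_slice(&0x20u32.to_le_bytes()); // root cell, relative to file offset 0x1000
    b[0x28..0x2C].copy_from_slice(&0x1000u32.to_le_bytes()); // hive bins data size
    let sum = base_block_checksum(&b);
    b[CHECKSUM_OFFSET..CHECKSUM_OFFSET + 4].copy_from_slice(&sum.to_le_bytes());
    b
}

fn main() {
    let samples = vec![("clean", sample_base_block(7, 7)), ("dirty", sample_base_block(8, 7))];
    for (label, buf) in samples {
        let bb = parse_base_block(&buf).expect("valid base block");
        println!("{}: checksum ok={} dirty={} last written (unix)={:?}",
                 label, bb.checksum_ok(), bb.is_dirty(), bb.last_written_unix());
    }
}
```

On a real image, read the first 4096 bytes of the hive into `buf` and call `parse_base_block`; a dirty result is the cue to pass the `.LOG1`/`.LOG2` files via `-L`, and a failed checksum or missing signature is the situation `-I` exists for.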

hivescan

scans a registry hive file for deleted entries

Usage: hivescan [OPTIONS] <HIVE_FILE>

Arguments:
  <HIVE_FILE>  name of the file to scan

Options:
  -L, --log <LOGFILES>  transaction LOG file(s). This argument can be specified one or two times
  -v, --verbose...      More output per occurrence
  -q, --quiet...        Less output per occurrence
  -b                    output as bodyfile format
  -h, --help            Print help information
  -V, --version         Print version information
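What "scanning for deleted entries" means at the byte level: every hive bin (`hbin`) is a sequence of cells whose 32-bit size field is negative when the cell is allocated and positive when it has been freed, and freeing a key does not wipe its `nk` record. The following is an added example (not code from nt_hive2 or hivescan) that walks the hive bins data, reports every cell that still carries an `nk` signature and whether its cell is allocated, and demonstrates the caveat a recovery tool must handle: a freed cell may be partially overwritten, so every length read from it is checked against the cell boundary. The sample hive bins are constructed inline; offsets follow the public regf format documentation.

```rust
// Added example (not nt_hive2 code): std-only walk over hive bins that lists nk
// records in both allocated and freed cells, the basis of deleted-key recovery.
use std::convert::TryInto;

const HBIN_HEADER_SIZE: usize = 0x20;
const NK_FIXED_SIZE: usize = 0x4C; // bytes before the key name inside an nk record
const KEY_COMP_NAME: u16 = 0x0020; // nk flag: name stored as 8-bit, not UTF-16LE

#[derive(Debug, PartialEq)]
pub struct RecoveredKey {
    /// Offset of the cell relative to the start of the hive bins data (file offset minus 0x1000).
    pub cell_offset: u32,
    pub allocated: bool,
    pub name: String,
    pub last_written_filetime: u64,
}

fn u16_at(b: &[u8], o: usize) -> u16 { u16::from_le_bytes(b[o..o + 2].try_into().unwrap()) }
fn u32_at(b: &[u8], o: usize) -> u32 { u32::from_le_bytes(b[o..o + 4].try_into().unwrap()) }
fn u64_at(b: &[u8], o: usize) -> u64 { u64::from_le_bytes(b[o..o + 8].try_into().unwrap()) }

/// Interpret a cell payload as an nk record. Freed cells may be partially overwritten,
/// so the name length is validated against the cell boundary before it is used.
fn parse_nk(payload: &[u8]) -> Option<(String, u64)> {
    if payload.len() < NK_FIXED_SIZE || &payload[0..2] != b"nk" { return None; }
    let flags = u16_at(payload, 0x02);
    let timestamp = u64_at(payload, 0x04);
    let name_len = u16_at(payload, 0x48) as usize;
    let name_bytes = payload.get(NK_FIXED_SIZE..NK_FIXED_SIZE + name_len)?;
    let name = if flags & KEY_COMP_NAME != 0 {
        name_bytes.iter().map(|&c| c as char).collect()
    } else {
        let units: Vec<u16> = name_bytes.chunks_exact(2).map(|c| u16::from_le_bytes([c[0], c[1]])).collect();
        String::from_utf16(&units).ok()?
    };
    Some((name, timestamp))
}

/// Walk every cell of every hbin in `bins` (the data following the 4 KiB base block)
/// and return all nk records found, allocated or not.
pub fn scan_hive_bins(bins: &[u8]) -> Vec<RecoveredKey> {
    let mut found = Vec::new();
    let mut hbin_start = 0usize;
    while hbin_start + HBIN_HEADER_SIZE <= bins.len() && &bins[hbin_start..hbin_start + 4] == b"hbin" {
        let hbin_size = u32_at(bins, hbin_start + 0x08) as usize;
        let hbin_end = (hbin_start + hbin_size).min(bins.len());
        let mut pos = hbin_start + HBIN_HEADER_SIZE;
        while pos + 4 <= hbin_end {
            let raw = i32::from_le_bytes(bins[pos..pos + 4].try_into().unwrap());
            let cell_size = raw.unsigned_abs() as usize;
            // Cells are 8-byte aligned; anything else means the bin is corrupt from here on.
            if cell_size < 8 || cell_size % 8 != 0 || pos + cell_size > hbin_end { break; }
            if let Some((name, ts)) = parse_nk(&bins[pos + 4..pos + cell_size]) {
                found.push(RecoveredKey { cell_offset: pos as u32, allocated: raw < 0, name, last_written_filetime: ts });
            }
            pos += cell_size;
        }
        if hbin_size == 0 { break; }
        hbin_start += hbin_size;
    }
    found
}

/// Only the nk records that live in freed cells, i.e. the deleted keys.
pub fn deleted_keys(bins: &[u8]) -> Vec<RecoveredKey> {
    scan_hive_bins(bins).into_iter().filter(|k| !k.allocated).collect()
}

/// Constructed sample (not a real hive): one 4 KiB hbin with an allocated key and a freed one.
pub fn sample_hive_bins() -> Vec<u8> {
    fn put_nk(b: &mut [u8], pos: &mut usize, name: &[u8], ts: u64, allocated: bool) {
        let size = ((4 + NK_FIXED_SIZE + name.len() + 7) / 8) * 8;
        let raw = if allocated { -(size as i32) } else { size as i32 };
        b[*pos..*pos + 4].copy_from_slice(&raw.to_le_bytes());
        let p = *pos + 4;
        b[p..p + 2].copy_from_slice(b"nk");
        b[p + 2..p + 4].copy_from_slice(&KEY_COMP_NAME.to_le_bytes());
        b[p + 4..p + 12].copy_from_slice(&ts.to_le_bytes());
        b[p + 0x48..p + 0x4A].copy_from_slice(&(name.len() as u16).to_le_bytes());
        b[p + NK_FIXED_SIZE..p + NK_FIXED_SIZE + name.len()].copy_from_slice(name);
        *pos += size;
    }
    let mut b = vec![0u8; 4096];
    b[0..4].copy_from_slice(b"hbin");
    b[0x08..0x0C].copy_from_slice(&4096u32.to_le_bytes());
    let mut pos = HBIN_HEADER_SIZE;
    put_nk(&mut b, &mut pos, b"Software", 132_539_328_000_000_000, true);
    put_nk(&mut b, &mut pos, b"Staging", 132_539_328_000_000_001, false);
    // Remaining space: one large free cell without any recognisable signature.
    let rest = 4096 - pos;
    b[pos..pos + 4].copy_from_slice(&(rest as i32).to_le_bytes());
    b
}

fn main() {
    for key in scan_hive_bins(&sample_hive_bins()) {
        println!("{:#010x} {} {:?}", key.cell_offset, if key.allocated { "alloc" } else { "FREE " }, key.name);
    }
}
```

A recovered key from a freed cell has no reliable parent, subkey list or value list: those offsets may point at cells that were reallocated since, so treat the name and timestamp as evidence and everything reachable through the offsets as unverified.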

cleanhive

merges logfiles into a hive file

Usage: cleanhive [OPTIONS] --output <DST_HIVE> <HIVE_FILE>

Arguments:
  <HIVE_FILE>  name of the hive file into which the transaction logs are merged

Options:
  -L, --log <LOGFILES>     transaction LOG file(s). This argument can be specified one or two times
  -v, --verbose...         More output per occurrence
  -q, --quiet...           Less output per occurrence
  -O, --output <DST_HIVE>  name of the file to which the cleaned hive will be written
  -h, --help               Print help information
  -V, --version            Print version information

Usage example for developers

use std::fs::File;
use nt_hive2::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // open the hive and parse its base block
    let hive_file = File::open("tests/data/testhive")?;
    let mut hive = Hive::new(hive_file)?;
    let root_key = hive.root_key_node()?;

    // walk the direct subkeys of the root key and print their values
    for sk in root_key.subkeys(&mut hive)?.iter() {
        println!("\n[{}]; last written: {}", sk.borrow().name(), sk.borrow().timestamp());
        for value in sk.borrow().values() {
            println!("\"{}\" = {}", value.name(), value.value());
        }
    }
    Ok(())
}

License: GPL-3.0

Dependencies

~7–14MB
~332K SLoC