If you did not see my prior post, I've renamed what I was calling "Registry Explorer" to be "Registry Reporter". It's been a long road to this point. Many distractions slowed down the beta release timeline, including the addition of new features and behaviors into the "Registry Reporter" application.
I've been suffering from the Engineer's Dilemma: of when to release, when is it ready? To avoid further slippage on the beta release, I've drawn a line in the sand for myself of the end of this week.
So expect a post with download link by end of day .. March 29th, 2015 PST. There it has been said, and soon as this post is published it must be a reality.
: As I was writing, I realized that I was switching between being lazy and using abbreviations and spelling out the whole terms. Since the terms also appear in the application itself, I thought I would explain:
Here the are new features:
- NK - Named Registry Key (visually represented as a folder icon in the application)
- VK - Value Registry Key (visually represented as a file document icon in the application)
The main interface layout has remained basically the same, with the only alteration being the addition of the "Bookmarks" (upper left) and "VK Data Hex" (lower left) tabs. Most of the additional features are available through drop down menus.
|Table displays VK and NK.|
The data table (picture aboce) which displays the registry keys, for the Named Key selected in the tree on the left hand side, now displays both the Value Key and Named Key. Previous it only displayed the Value Keys for the selected Name Key. This table allows you to drill down in the registry structure by double clicking on a Named Key in the table.
You can now bookmark the selected key in the data table. This allows you to identify keys of interest for reporting purposes and bookmarking them for later reference.
The bookmarked registry key can be found under the "Bookmarks" tab. Selecting the bookmark will cause the data table to display key or keys children.
You can now select a key of interest (NK or VK) and populate the Timestamp tab with entries within 1Hr or 24Hrs of the selected NK key or selected VK key's parent.
|Hex of Value|
You can now view and interact with the hex data for the Value Keys raw data through a hex control (pictured above) under the "VK Data Hex" tab. This allows you to copy values, hash data selections, and much more. This hexcontrol only displays the data for the selected Value key.
|Raw Hive - View|
You can also view the selected key in situ within the hive itself (pictured above). This is launched through a drop down menu from the data table and the hexcontrol is displayed in a dialog window. The selected key is broken out into it's separate parts so you can see the internal structure. Placing the mouse cursor over a colored break out region causes a tool tip to display the selection name i.e. Slack (in the picture above).
|Raw Hive - View|
A limited data probe feature has been implemented. Manually selecting bytes will cause the data to be interpreted if the selection size matches the type i.e. a 2 byte selection populates the rows: Char. UInt16, and Int16. Clicking on a break out region causes that region to automatically be selected and the value displayed in the probe table. In the picture above, the cell size was clicked on and the value of the cellsize (-88) can be see in the Int32 row.
The following features are in the pipeline to be completed:
- Indicator of Compromise (IOC)
- Registry IOCs based on Mandiant OpenIOC format.
- Online support for sharing registry IOC definitions.
- Creation of IOCs based on the select key, or selected data.
- IOC report generation.
- Note: if anyone has examples of RegistryIOCs that they currently use or have created. I would appreciate seeing them.
Recovery Of Keys
- Adding value keys with timestamps within the keys data to the timestamp filtering.
- This feature allows items like UserAssist entries which can have an embedded timestamp to be used for timeline based activity tracking.
- Users can define a custom helper for keys which have a fixed offset for the timestamp and where the key can be identified through a direct full path or regex full path match.
- Registry value keys which have a variable offset will be support and developed as time allows and user interest warrants.
- Key recovery has been written, but I've not taken the time to complete my due dilligence, to my satisfaction, so it will not be part of the initial beta release.