The RegLookup project is devoted to direct analysis of Windows NT-based registry files. RegLookup provides command line tools, a C API, and a Python module for accessing registry data structures. The project has a focus on providing tools for digital forensic examiners (though it is useful for many purposes), and includes algorithms for retrieving deleted data structures from registry hives.
Tags: Security Forensics Recovery Tools Diagnostics Systems Administration Utilities
Operating Systems: POSIX Unix
Implementation: Unix Shell C Python 2.6 and above
Release Notes: This bugfix release addresses some issues identified since the last release and includes no significant changes to functionality. Fixes include minor corrections to Unicode handling in pyregfi, a correction for an infinite loop on corrupted registries, an added ldconfig call during installation, and improved error reporting.
Release Notes: SK records and security descriptors are now accessible in pyregfi. Key caching was added to regfi, and SK caching was reintroduced. Minor API simplifications were made and documentation was improved. Numerous bugs were fixed.
Release Notes: This 1.0 release candidate contains major improvements to regfi usability. regfi was made a proper library, and major improvements were made to the API. Python bindings (pyregfi) were added for regfi. The Make-based build system was replaced with a SCons-based one. Numerous improvements were made in regfi for multithreaded use and memory management. API documentation was improved.
Release Notes: Big data support was improved and added to reglookup-recover. A -i option was added to reglookup for assisting with timeline generation. Unicode support was improved by correctly interpreting UTF-16LE key and value names. Data type interpretation was moved into regfi, and the regfi library interface was reorganized. regfi documentation was improved and Doxygen formatting was added.
Release Notes: Experimental support for "big data" records. Experimental support for cross-compiling to Windows using MinGW. Known key flags are now handled correctly. Memory allocation was overhauled by switching to talloc, and many memory leaks have been fixed. The recovery rate in reglookup-recover was improved through more modular parsing of deleted structures. Minor NULL pointer dereferences were fixed.