The DFIR thing reg parsing #1

Adding registry parsing to the DFIR thing

The Windows registry contains a lot of valuable information for investigating devices. It can be a daunting task to get started with, but there are awesome tools like the Eric Zimmerman tools which offer a great way to get started. I also want to include registry parsing, at least in some format, in the DFIR thing. I implemented the preliminary version with the help of Regipy, a Python-based tool that parses the registry and offers several interesting options.

Parsing the registry files

The Regipy tool can replay the transaction logs onto the hives if they were not cleanly closed, which is often the case when taking a snapshot of the data from a Windows device. I started by creating a script which takes this into account: it looks for the registry files and, if it is able to find the log files and they are not empty, it replays the log files onto the registry.

Screenshot of the script running in container.

After the logs have been parsed, the script saves the paths to the registry hive files in a dict. Then the Regipy plugins are run against all the registry hives and the output is saved as a JSON file, which in theory should be very easy to ingest into ELK. In theory.

I tried to create a default JSON parser for Logstash but it did not read the JSON file properly. In my opinion it is correctly formatted, and services like jsonlint do state that it should work. However, Logstash does not like the format. I have been relatively busy so I haven't had too much time to debug this issue, but I did try different types of workarounds and could not fix it. So it will wait for the next time.
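The discovery, log-replay and plugin steps described above, as an added example that is not the DFIR thing's own script: it maps each hive to its non-empty .LOG1/.LOG2 transaction logs, replays them before parsing, and flattens the plugin output. The Regipy calls (`apply_transaction_logs`, `RegistryHive`, `run_relevant_plugins`) and their signatures are assumptions noted in the comments; the output is written as newline-delimited JSON, one object per line, which is the form Logstash's file input with the json codec consumes line by line.

```python
import json
from pathlib import Path

HIVE_NAMES = {"SYSTEM", "SOFTWARE", "SAM", "SECURITY", "NTUSER.DAT", "USRCLASS.DAT"}  # hive files we look for
LOG_SUFFIXES = (".LOG1", ".LOG2")  # transaction logs Windows writes next to each hive

def find_hives(root):
    """Map every hive under root to the transaction logs that exist and are non-empty."""
    hives = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.upper() in HIVE_NAMES:
            logs = [path.with_name(path.name + suffix) for suffix in LOG_SUFFIXES]
            hives[str(path)] = [str(p) for p in logs if p.is_file() and p.stat().st_size > 0]
    return hives

def replay_logs(hive_path, log_paths):
    """Replay dirty transaction logs onto a hive copy; return the path to parse."""
    if not log_paths:
        return hive_path  # hive was cleanly closed, nothing to replay
    from regipy.recovery import apply_transaction_logs  # assumed Regipy API
    secondary = log_paths[1] if len(log_paths) > 1 else None
    restored_path, _dirty_pages = apply_transaction_logs(hive_path, log_paths[0], secondary)
    return restored_path

def run_plugins(hive_path):
    """Run every Regipy plugin that applies to this hive type (assumed Regipy API)."""
    from regipy.registry import RegistryHive
    from regipy.plugins.utils import run_relevant_plugins
    return run_relevant_plugins(RegistryHive(hive_path), as_json=True)

def to_ndjson(hive_path, plugin_results):
    """Flatten {plugin_name: entries} into one JSON object per line (NDJSON)."""
    lines = []
    for plugin_name, entries in plugin_results.items():
        if not isinstance(entries, list):
            entries = [entries]  # some plugins return a single dict
        for entry in entries:
            lines.append(json.dumps({"hive": hive_path, "plugin": plugin_name, "entry": entry}, default=str))
    return lines

def process_tree(root, out_dir):
    """Discover hives, replay logs, run plugins and write one .ndjson file per hive."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    for hive_path, log_paths in find_hives(root).items():
        parsed_path = replay_logs(hive_path, log_paths)
        lines = to_ndjson(hive_path, run_plugins(parsed_path))
        out_file = Path(out_dir) / (Path(hive_path).name + ".ndjson")
        out_file.write_text("\n".join(lines) + "\n")
```

Call `process_tree` with the root of the collected evidence and the ingest folder (for example /logstash/ingest/regipy_json) to produce one .ndjson file per hive.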

Containerizing the solution

I added this to the existing Docker Compose file, docker-compose-scans.yml. It is super simple, as it only installs the Python requirements and then launches the script:

Docker-compose configuration.

When starting the scans file it will run this as the last Docker container, and the data is then output to the /logstash/ingest/regipy_json folder. The JSON files are prettified so that they are relatively easy to analyze; however, this is far from being as usable as it would be if ingested into ELK. So I need to fix that in the future.

I'll try to work on the fix, but I don't know yet when it will be released as I am relatively busy at the moment. I'll do my best!

Link to the GitHub repo containing the DFIR thing.

YouTube video explaining how this works.