Some useful scripts for extraction and correlation of forensic artifacts in Windows Registry

Some interesting scripts, probably outdated but still useful.

In 2012, Jacky Fox's MSc dissertation focused on the extraction and correlation of Windows registry artifacts.

During her research she wrote a set of bash scripts for the forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices.
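As an added illustration of the UserAssist interpretation mentioned above (this is example code written for this overview, not one of Jacky Fox's scripts, and it uses Python rather than bash so the binary value layout can be unpacked directly): UserAssist value names are ROT13-obfuscated program paths, and the REG_BINARY data carries the run counter and the last-execution FILETIME. The sample value name and data below are constructed, not taken from a real hive; the 16-byte (XP) and 72-byte (Windows 7 and later) layouts are the documented ones, and the helper that builds the sample value exists only so the example runs offline.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME to an aware datetime (None when unset)."""
    if ticks == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(name):
    """UserAssist value names are ROT13-obfuscated paths or GUID references."""
    return codecs.decode(name, "rot_13")


def parse_userassist_value(name, data):
    """Interpret one UserAssist value (value name plus REG_BINARY data).

    Two layouts are handled:
      * 16 bytes (Windows XP / 2003): session id, run count, FILETIME.
        XP starts the counter at 5, so 5 is subtracted to get real runs.
      * 72 bytes (Windows 7 and later): session id, run count, focus count,
        focus time in ms, ten floats plus an unknown dword, FILETIME at
        offset 60, four trailing bytes.
    """
    entry = {"program": decode_userassist_name(name)}
    if len(data) == 16:
        session, count, ticks = struct.unpack_from("<IIQ", data, 0)
        entry.update(layout="xp", session=session,
                     run_count=max(count - 5, 0), focus_count=None,
                     focus_time_ms=None, last_run=filetime_to_datetime(ticks))
    elif len(data) == 72:
        session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        ticks = struct.unpack_from("<Q", data, 60)[0]
        entry.update(layout="win7", session=session, run_count=run_count,
                     focus_count=focus_count, focus_time_ms=focus_ms,
                     last_run=filetime_to_datetime(ticks))
    else:
        # Unexpected size: report it rather than guess at offsets.
        entry.update(layout="unknown", raw_length=len(data))
    return entry


def build_sample_win7_value(run_count, focus_count, focus_ms, last_run):
    """Constructed 72-byte value in the Windows 7 layout (not from a real hive)."""
    body = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)  # offsets 0-15
    body += b"\x00" * 40                      # ten floats, offsets 16-55
    body += b"\x00" * 4                       # unknown dword, offsets 56-59
    body += struct.pack("<Q", datetime_to_filetime(last_run))  # offsets 60-67
    body += b"\x00" * 4                       # trailing unknown dword
    return body


# Constructed sample: ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2012, 6, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_win7_value(12, 3, 45000, SAMPLE_LAST_RUN)


def sample_entry():
    """Parse the constructed sample value; the decoded program name is cmd.exe."""
    return parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    for key, value in sample_entry().items():
        print(f"{key:14} {value}")
```

When run against a real hive the value name and bytes would come from a registry parser; the interpretation step is the same, and a value of unexpected length is reported as `unknown` rather than decoded at guessed offsets.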

A useful starting point for anyone who wants to develop their own analysis scripts.

Below is a brief overview of the scripts:

  1. Collect and preserve registry files.
  2. Utility to unzip registry files collected via
  3. Correlate and present registry networking information in a concise manner.
  4. Present system information in a clear and connected manner.
  5. Present information about previously connected USB devices in a clear and related manner.
  6. Present information about users in a clear and related manner.
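As an added example of the USB-device correlation described in the overview (written for this post in Python, not one of the original bash scripts): the subkeys under `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` name the device class, vendor, product and revision, and each instance subkey beneath them is the device serial number, or a Windows-generated ID when the device reported none. A generated ID has `&` as its second character, which matters because such an ID cannot tie a record to one physical device. The sample key tree below is constructed, not exported from a real system, and `summarise_usbstor` is an assumed name for the reporting step.

```python
import re

# Device-class subkey names under USBSTOR follow the pattern
# <Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>.
_USBSTOR_KEY = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$"
)

# Constructed sample of {device_key: [instance_id, ...]} as an examiner would
# read it out of a SYSTEM hive; these values are invented for the example.
SAMPLE_USBSTOR = {
    "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP": ["0019E06B1E0CBB8111430152&0"],
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26": ["6&2d6e8f7a&0&000000"],
}


def parse_usbstor_key(key_name):
    """Split a USBSTOR device-class key into its fields, or None if malformed."""
    match = _USBSTOR_KEY.match(key_name)
    return match.groupdict() if match else None


def serial_is_unique(instance_id):
    """True when the instance ID is the device's own serial number.

    When a device reports no serial, Windows generates an instance ID whose
    second character is '&'. Such an ID identifies a port/driver pairing,
    not a specific physical device, so it must not be used as a fingerprint.
    """
    return len(instance_id) > 1 and instance_id[1] != "&"


def summarise_usbstor(tree):
    """Flatten {device_key: [instance_id, ...]} into one record per instance."""
    rows = []
    for key_name, instances in tree.items():
        parsed = parse_usbstor_key(key_name)
        if parsed is None:
            continue  # skip keys that are not device-class entries
        for instance in instances:
            unique = serial_is_unique(instance)
            rows.append({
                **parsed,
                "instance_id": instance,
                # The serial precedes the "&<port>" suffix on unique IDs.
                "serial": instance.split("&")[0] if unique else None,
                "unique_serial": unique,
            })
    return rows


def format_report(rows):
    """Render the records as fixed-width text lines for a report."""
    lines = []
    for row in rows:
        serial = row["serial"] or "(no unique serial, Windows-generated ID)"
        lines.append(f'{row["vendor"]:10} {row["product"]:18} '
                     f'rev {row["revision"]:6} serial {serial}')
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarise_usbstor(SAMPLE_USBSTOR))))
```

The records produced here are the natural join point for the other artifacts an examiner correlates with USBSTOR, such as the device's mounted-volume entries and first-installation timestamps, which is the correlation the original scripts set out to automate.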

More information and downloads
