Some useful scripts for extraction and correlation of forensic artifacts in Windows Registry

Some interesting scripts, probably outdated but still useful.

In 2012 Jacky Fox wrote an MSc dissertation focused on the extraction and correlation of Windows registry artifacts.

During her research she wrote a set of bash scripts for the forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices.

A useful starting point for anyone who wants to develop their own analysis scripts.

Below is a brief overview of the scripts:

Collect and preserve registry files

Utility to unzip registry files collected via

Correlate and present registry networking information in a concise manner

Present system information in a clear and connected manner

Present information about previously connected USB devices in a clear and related manner.

Present information about users in a clear and related manner
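As an added example of the kind of interpretation these scripts perform (this is not one of Fox's scripts, and the function names are mine): a short bash/awk sketch that decodes the ROT13-encoded UserAssist value names and summarises the USBSTOR subtree from a registry export in `.reg` text form. The sample export below is constructed for the example, with invented vendors and serial numbers; a real one comes from `reg export` on a live system (which writes UTF-16LE, so convert it with `iconv -f UTF-16 -t UTF-8` first) or from dumping the offline SYSTEM hive with a tool such as reglookup or RegRipper.

```shell
#!/usr/bin/env bash
# Added example, not one of Jacky Fox's scripts: two of the interpretations her
# work covers, UserAssist name decoding and USBSTOR device summary, done with
# tr and awk over a registry export in .reg text form.

# UserAssist value names are stored ROT13-encoded; tr undoes that.
decode_userassist() {
    printf '%s\n' "$1" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
}

# Constructed sample of a USBSTOR subtree export (invented vendors and serials,
# not data from any real system). Each key carries vendor, product, revision
# and the device instance ID; FriendlyName is the value Windows shows the user.
USBSTOR_SAMPLE='[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0013728C1F4ABCD0&0]
"FriendlyName"="Kingston DataTraveler 2.0 USB Device"
"ParentIdPrefix"="7&1a2b3c4d&0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1b2c3d4e&0&_&0]
"FriendlyName"="Generic Flash Disk USB Device"
'

# One tab-separated line per device: vendor, product, serial, origin, name.
# If the second character of the instance ID is "&", the device reported no
# serial number and Windows generated the ID itself, so it cannot be used to
# tie the same physical stick to another machine.
usb_summary() {
    printf '%s\n' "$1" | awk '
        /^\[.*\\USBSTOR\\/ {
            n = split($0, p, "\\\\")           # p[n-1]: Disk&Ven_..&Prod_..&Rev_..
            split(p[n-1], d, "&")              # p[n]:   <instance id>&<n>]
            vendor = substr(d[2], 5)           # strip "Ven_"
            product = substr(d[3], 6)          # strip "Prod_"
            serial = p[n]; sub(/&[0-9]+\]$/, "", serial)
            origin = (substr(serial, 2, 1) == "&") ? "windows-generated" : "device-serial"
            next
        }
        /^"FriendlyName"=/ {
            name = $0
            sub(/^"FriendlyName"="/, "", name); sub(/"$/, "", name)
            printf "%s\t%s\t%s\t%s\t%s\n", vendor, product, serial, origin, name
        }'
}

decode_userassist 'HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr'
usb_summary "$USBSTOR_SAMPLE"
```

The `windows-generated` flag is the check a practitioner wants before treating a serial as a device identifier: only an instance ID without `&` in its second position is a serial the device itself reported. On older systems the `ParentIdPrefix` value, shown in the sample but not parsed here, is what links a USBSTOR entry to its drive letter under `MountedDevices`.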

More information and downloads
