Some useful scripts for extraction and correlation of forensic artifacts in Windows Registry

Some interesting scripts, probably outdated but still useful.

In 2012 Jacky Fox's MSc dissertation focused on the extraction and correlation of Windows registry artifacts.

During her research she developed a set of bash scripts for the forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices.
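As an added illustration of the kind of interpretation such scripts perform (example code written here, not one of the dissertation's bash scripts): a small Python parser for a single UserAssist Count entry. It assumes the 72-byte value layout used by Windows 7 and later, and the sample record it parses is constructed, not taken from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_SIZE = 72  # size of a Windows 7+ UserAssist Count value (assumption of this example)

def rot13(name):
    """UserAssist value names are ROT13-obfuscated; undo it (digits/punctuation are untouched)."""
    return codecs.decode(name, "rot13")

def filetime_to_iso(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO 8601 string."""
    if ft == 0:
        return None  # no execution time recorded
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()

def parse_userassist(name, data):
    """Interpret one UserAssist Count entry.

    Offsets used: 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    60 last-execution FILETIME; the float fields in between are not needed here.
    """
    if len(data) != RECORD_SIZE:
        raise ValueError("unexpected UserAssist record size %d" % len(data))
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": rot13(name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_iso(last_run),
    }

# --- constructed sample record (not captured from a real machine) -------------
def _to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

SAMPLE_NAME = "{PROSS5PQ-NPR2-4S4S-9178-9926S41749RN}\\abgrcnq.rkr"
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 7, 3, 12500)  # session, run count, focus count, focus ms
    + b"\x00" * 44                        # float fields, unused by this parser
    + struct.pack("<Q", _to_filetime(datetime(2012, 6, 15, 9, 30, tzinfo=timezone.utc)))
    + b"\x00" * 4                         # trailing dword
)

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_NAME, SAMPLE_DATA))
```

The decoded GUID prefix is the Windows 7 "executable run" UserAssist subkey, so a timeline script can attribute the entry to a program launch rather than a shortcut.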

They are a useful starting point for anyone who wants to develop their own analysis scripts.

Below is a brief overview:

Collect and preserve registry files.

Utility to unzip registry files collected via

Correlate and present registry networking information in a concise manner.

Present system information in a clear and connected manner.

Present information about previously connected USB devices in a clear and related manner.

Present information about users in a clear and related manner.

More information and downloads
