RECmd: command line tool for Windows Registry analysis

During an incident response, a fast analysis may be required, often on systems that are not the analyst's usual workstation.
So I always suggest creating a small, simple toolkit that can be copied onto a USB stick.

My own toolkit is mainly composed of command line tools with the smallest possible set of requirements, and today I want to share a small cheatsheet for Eric Zimmerman's RECmd tool [1].


The tool

RECmd [3] is a command-line tool for accessing, searching, recovering and exporting any data found in the Windows registry.
It is the command-line version of the GUI application Registry Explorer [2], with which it shares the same plugins.
However, the GUI version of the tool is larger than 60 MB, while the command-line version is only 6 MB, which makes it very useful in a small, portable toolkit.


A brief cheatsheet

Search the registry

Scan NTUSER.dat for the key name that contains “Skype”:

RECmd.exe -f .\NTUSER.dat --sk Skype

Search UsrClass.dat for the key value that contains “Skype”:

RECmd.exe -f .\UsrClass.dat --sd Skype

Scan the whole registry_files directory for the key value that contains “Skype”, with a last write time on or after the start date and containing either “AppName” or “DisplayName”, without recovering deleted keys (--recover false) and without replaying and applying the registry hive transaction logs automatically (--nl):

RECmd.exe -d "C:\Temp\registry_files\" --sk "Skype" --StartDate "02/01/2020 10:00:00" --RegEx --sv "(App|Display)Name" --recover false --nl

The Batch Mode

A really useful feature of RECmd is the Batch Mode: using the same plugins as Registry Explorer, it allows exporting the data produced by a plugin into a normalized, standard CSV output.

When a plugin is used to process a key or key/value, the data generated by the plugin are also saved out to a CSV for further analysis.

A batch file is composed of two sections, a Header and a Keys section.

The Header

  • Description: A general description of what this batch file is going to find
  • Author: Name of the author of this batch file (can include more, too, like contact information)
  • Version: A version number that should be incremented as changes happen
  • Id: A unique (across all other batch files) GUID (Globally Unique Identifier) that identifies this batch file

The Keys section

Each key contains:

  • Description: A user-friendly description of what this key will find. Can be anything from the key name to a friendlier description of what it means.
  • HiveType: The type of hive this entry corresponds to. Valid choices are NTUSER, SAM, SECURITY, SOFTWARE, SYSTEM, USRCLASS, COMPONENTS, BCD, DRIVERS, AMCACHE, SYSCACHE
  • KeyPath: The path to the key to look for
  • ValueName: OPTIONAL value that, when present, is looked for under KeyPath
  • Recursive: Whether or not to process KeyPath recursively
  • Comment: Like Description in that you can add various things here that end up in the CSV

Example batch file:

Description: Sample RECmd batch file of a whole lot of stuff
Author: Eric Zimmerman
Version: 1
Id: ab13eb5f-31db-5cdc-83df-88ec12dc1a
Keys:
     -
         Description: Typed URLs
         HiveType: NTUSER
         Category: Browser history
         KeyPath: Software\Microsoft\Internet Explorer\TypedURLs
         Recursive: false
         Comment: A comment about Typed URLs
     -
         Description: WordWheelQuery
         HiveType: NTUSER
         Category: User searches
         KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
         Recursive: true
         Comment: Dear lawyer, this is what a bad guy searched for
     -
         Description: Network MRU
         HiveType: NTUSER
         Category: Network shares
         KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
         ValueName: MRUList
         Recursive: false
         Comment: An example limited to a key and value
     -
         Description: UserAssist
         HiveType: NTUSER
         Category: Execution
         KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
         Recursive: true
         Comment: No comment
     -
         Description: Some non-existent key
         HiveType: SYSTEM
         Category: Fake
         KeyPath: Software\Wizzo\john\doe
         Recursive: true
         Comment: this is only here to show you what will happen if a key isn't found!
     -
         Description: Some non-existent key 2
         HiveType: NTUSER
         Category: Fake
         KeyPath: Software\Wizzo\john\doe
         Recursive: true
         Comment: Another non-existent key to keep you on your toes
     -
         Description: MountedDevices
         HiveType: SYSTEM
         Category: Devices
         KeyPath: MountedDevices
         Recursive: false
         Comment: Drive info yo!
     -
         Description: MountedDevicesNope
         HiveType: SYSTEM
         Category: Devices
         KeyPath: MountedDevicesNope
         Recursive: false
         Comment: So close
     -
         Description: Select current
         HiveType: SYSTEM
         Category: Devices
         KeyPath: Select
         ValueName: Current
         Recursive: false
         Comment: What is the current control set?
     -
         Description: Setup
         HiveType: SYSTEM
         Category: Devices
         KeyPath: Setup
         Recursive: false
         Comment: The entire setup key + values
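A batch file written by hand is easy to get subtly wrong (a misspelled HiveType, a non-boolean Recursive, an absolute registry path pasted into KeyPath), and the error only shows up when the batch is run against a hive set. The script below is an added example, not part of RECmd or of this post: it parses the header and the Keys list described above with a small parser written for this layout only (not a general YAML parser) and checks the required fields, that Id is a GUID, that HiveType is one of the listed values and that Recursive is true or false. The embedded batch file is constructed for this example; the rule that KeyPath must be relative to the hive root is an assumption drawn from the sample file (Software\... under NTUSER, Select under SYSTEM, never HKEY_...).

```python
import re
import uuid

# Valid HiveType values, as listed for the Keys section.
VALID_HIVES = {"NTUSER", "SAM", "SECURITY", "SOFTWARE", "SYSTEM", "USRCLASS",
               "COMPONENTS", "BCD", "DRIVERS", "AMCACHE", "SYSCACHE"}
HEADER_REQUIRED = ("Description", "Author", "Version", "Id")
KEY_REQUIRED = ("Description", "HiveType", "KeyPath", "Recursive")
# Assumption from the sample file: KeyPath is relative to the hive root, so an
# absolute registry path (HKEY_..., HKLM\...) is almost certainly a mistake.
ROOT_PREFIXES = ("HKEY_", "HKLM", "HKCU", "HKU", "HKCR")

# Constructed sample: two good entries and one deliberately broken entry.
SAMPLE_BATCH = r"""Description: Constructed sample batch file (example only)
Author: example author
Version: 1
Id: 6f1c2a0e-3b4d-4c5e-8f90-1a2b3c4d5e6f
Keys:
    -
        Description: Typed URLs
        HiveType: NTUSER
        Category: Browser history
        KeyPath: Software\Microsoft\Internet Explorer\TypedURLs
        Recursive: false
        Comment: A comment about Typed URLs
    -
        Description: Select current
        HiveType: SYSTEM
        Category: Devices
        KeyPath: Select
        ValueName: Current
        Recursive: false
    -
        Description: Bad entry
        HiveType: NTUSR
        KeyPath: HKEY_CURRENT_USER\Software\Wizzo
        Recursive: maybe
"""


def parse_batch(text):
    """Parse the flat 'Name: value' header and the 'Keys:' list of '-' entries.

    Returns (header_dict, list_of_key_dicts). Only the layout used by RECmd
    batch files is handled; this is not a general YAML parser.
    """
    header, keys, current, in_keys = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "Keys:":
            in_keys = True
            continue
        if in_keys and line == "-":
            current = {}
            keys.append(current)
            continue
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        name, value = m.group(1), m.group(2).strip()
        if in_keys:
            if current is None:
                raise ValueError(f"key field before any '-' entry: {raw!r}")
            current[name] = value
        else:
            header[name] = value
    return header, keys


def validate_batch(text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    header, keys = parse_batch(text)
    for field in HEADER_REQUIRED:
        if field not in header:
            problems.append(f"header: missing {field}")
    if "Id" in header:
        try:
            uuid.UUID(header["Id"])
        except ValueError:
            problems.append(f"header: Id {header['Id']!r} is not a GUID")
    if "Version" in header and not header["Version"].isdigit():
        problems.append("header: Version should be an integer")
    if not keys:
        problems.append("Keys: no entries")
    for i, k in enumerate(keys):
        where = f"Keys[{i}] ({k.get('Description', '?')})"
        for field in KEY_REQUIRED:
            if field not in k:
                problems.append(f"{where}: missing {field}")
        if "HiveType" in k and k["HiveType"] not in VALID_HIVES:
            problems.append(f"{where}: unknown HiveType {k['HiveType']!r}")
        if "Recursive" in k and k["Recursive"].lower() not in ("true", "false"):
            problems.append(f"{where}: Recursive must be true or false")
        if k.get("KeyPath", "").upper().startswith(ROOT_PREFIXES):
            problems.append(f"{where}: KeyPath should be relative to the hive root")
    return problems


if __name__ == "__main__":
    for problem in validate_batch(SAMPLE_BATCH):
        print(problem)
```

Run against the constructed sample, the script reports three problems, all on the third entry; fix those and it returns an empty list. To check a real batch file, read it with open() and pass the text to validate_batch before copying it next to RECmd.exe on the toolkit stick.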

References

  1. Eric Zimmerman’s tools
  2. Registry Explorer and RECmd 1.2.0.0 released!
  3. https://github.com/EricZimmerman/RECmd
