Some useful scripts for extraction and correlation of forensic artifacts in Windows Registry

Some interesting scripts, probably outdated but still useful.

In 2012 Jacky Fox's MSc dissertation focused on the extraction and correlation of Windows registry artifacts.

During her research she wrote a set of bash scripts for the forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices.

A useful starting point for anyone who wants to develop their own analysis scripts.


Below is a brief overview:

extractreg.sh

Collect and preserve registry files

getraw.sh

Utility to unzip registry files collected via extractreg.sh

networkinfo.sh

Correlate and present registry networking information in a concise manner

systeminfo.sh

Present system information in a clear and connected manner

usbdevices.sh

Present information about previously connected USB devices in a clear and related manner.

userinfo.sh

Present information about users in a clear and related manner


More information and downloads
