To start my re-introduction to blogging, I am revitalizing prior projects and bringing them up to date. The first project I am revisiting is the Python as a Forensic Tool presentation from 2015, where I built a series of (then called IPython) notebooks that provide a sandbox to learn about scripting for DFIR uses. This project involved several modules, though I am releasing the first revamped one for use today: Registry Parsing in Python.

As a note, I plan to update this to leverage the yarp library in the near future. I will link to that post once it is ready.

Parsing the Registry

This notebook covers the basics of using the python-registry library to parse information from hives and read data from keys and values. Using a sample SYSTEM hive, we explore how to navigate through the subkeys and extract values of interest to our investigation, as shown in the sample below:

[Screenshot: registry notebook sample]
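As an added example (not code from the original notebook or from the python-registry project), this shows the pattern the notebook walks through: resolve the active ControlSet from Select\Current, read ComputerName, and walk the Services subkeys for their ImagePath values. The Value, Key and Hive classes and the SAMPLE hive are constructed stand-ins that mirror the python-registry method names (open, value, values, subkeys, path, name, value_type_str) so the code runs without a hive; on a real SYSTEM hive, `Registry.Registry(path)` takes the place of SAMPLE.

```python
# Constructed stand-ins with the same method names as python-registry's RegistryValue,
# RegistryKey and Registry objects, so the helpers below run offline without a hive.
class Value:
    def __init__(self, name, vtype, data): self.n, self.t, self.d = name, vtype, data
    def name(self): return self.n
    def value_type_str(self): return self.t
    def value(self): return self.d
class Key:
    def __init__(self, path, values=(), subkeys=()): self.p, self.v, self.s = path, list(values), list(subkeys)
    def path(self): return self.p
    def values(self): return self.v
    def subkeys(self): return self.s
    def value(self, name): return next(x for x in self.v if x.name() == name)
class Hive:
    def __init__(self, keys): self.k = {key.path(): key for key in keys}
    def open(self, path): return self.k[path]

# Constructed sample of the SYSTEM-hive keys an examiner reads first (paths are root-relative).
SAMPLE = Hive([
    Key("Select", [Value("Current", "RegDWord", 1)]),
    Key("ControlSet001\\Control\\ComputerName\\ComputerName", [Value("ComputerName", "RegSZ", "WKS-01")]),
    Key("ControlSet001\\Services", subkeys=[
        Key("ControlSet001\\Services\\Tcpip", [Value("ImagePath", "RegExpandSZ", r"System32\drivers\tcpip.sys")]),
        Key("ControlSet001\\Services\\Spooler", [Value("ImagePath", "RegExpandSZ", r"%SystemRoot%\System32\spoolsv.exe")])])])

def current_control_set(reg):
    """Offline hives have no CurrentControlSet link: resolve the Select\\Current DWORD to ControlSet00N."""
    return "ControlSet%03d" % reg.open("Select").value("Current").value()

def computer_name(reg):
    key = reg.open(current_control_set(reg) + "\\Control\\ComputerName\\ComputerName")
    return key.value("ComputerName").value()

def walk_values(key, max_depth=2, _depth=0):
    """Yield (key path, value name, type name, data) for a key and its subkeys, depth-limited."""
    for v in key.values():
        yield key.path(), v.name(), v.value_type_str(), v.value()
    if _depth < max_depth:
        for sub in key.subkeys():
            yield from walk_values(sub, max_depth, _depth + 1)

def service_image_paths(reg):
    """Map each service key name to its ImagePath within the current control set."""
    services = reg.open(current_control_set(reg) + "\\Services")
    return {path.rsplit("\\", 1)[-1]: data
            for path, name, _, data in walk_values(services, max_depth=1) if name == "ImagePath"}

if __name__ == "__main__":  # on a real hive: from Registry import Registry; reg = Registry.Registry("SYSTEM")
    reg = SAMPLE
    print(current_control_set(reg), computer_name(reg), service_image_paths(reg))
```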

The Jupyter notebook is a great platform for learning how to interact with the library, as it is a browser-based interpreter (and looks nicer than IDLE). Check out the (in progress) notebook on using Python and Jupyter for a brief refresher and additional resources. The README contains further detail on setup and resources to learn more about the use of Python in DFIR.

Posted: 2018-05-28