strozfriedberg/notatin

Notatin is a Rust parser for offline Windows Registry files

This project is currently pre-release and should not be used for active investigations

Notatin


Features

  • Implemented using 100% safe Rust and works on all platforms supported by Rust (that have stdlib). Tested in Windows and Ubuntu.
  • Supports applying transaction logs and recovering deleted and modified keys and values.
  • Supports exporting to JSONL, TSV, and Eric Zimmerman's common registry format (https://github.com/EricZimmerman/Registry).
  • Python bindings are included in the project (pynotatin).

notatin (crate)

notatin is a library that parses Windows Registry files.

reg_dump (utility)

reg_dump is a binary utility provided with this crate. It parses primary registry files (with optional transaction logs) and exports to JSONL, TSV, or common format. An optional key path filter may also be supplied. Optional analysis to recover deleted and prior versions of keys and values from the transaction log is also supported.

JSONL dumps all the data. TSV dumps some of the data. Common dumps what common wants.

Notatin Registry Dump 0.1

USAGE:
    reg_dump [FLAGS] [OPTIONS] --input <FILE(S)> --output <FILE> -t <type>

FLAGS:
    -r, --recover    Recover deleted and versioned keys and values

OPTIONS:
    -i, --input <FILE(S)>    Base registry file with optional transaction log(s) (Comma separated list)
    -o, --output <FILE>      Output file
    -f, --filter <STRING>    Key path for filter (ex: 'ControlSet001\Services')
    -t <TYPE>                output type [default: jsonl]  [possible values: Jsonl, Common, Tsv]

reg_compare (utility)

reg_compare is a binary utility provided with this crate. It will compare two registry files (with optional transaction logs) and produce a report of the differences in a format similar to that of Regshot.

Notatin Registry Compare 0.1

USAGE:
    reg_compare [OPTIONS] --base <FILES> --comparison <FILES> --output <FILE>

OPTIONS:
    -b, --base <FILES>          Base registry file with optional transaction file(s) (Comma separated list)
    -c, --comparison <FILES>    Comparison registry file with optional transaction file(s) (Comma separated list)
    -f, --filter <STRING>       Key path for filter (ex: 'ControlSet001\Services')
    -o, --output <FILE>         Output file

Library usage

use notatin::{
    err::Error,
    filter::{Filter, RegQuery},
    parser::Parser,
};

fn main() -> Result<(), Error> {
    let mut parser = Parser::from_path(
        "system",
        Some(vec!["system.log1", "system.log2"]),
        Some(Filter::from_path(RegQuery::from_key(
            r"Software\Microsoft",
            false, // key path doesn't contain the root name
            true, // return children of the key path
        ))),
        false, // don't recover deleted/modified
    )?;

    for key in parser.iter() {
        println!("{}", key.path);
        for value in key.value_iter() {
            println!("\t{} {:?}", value.value_name, value.get_content());
        }
    }
    Ok(())
}

Opening files and iterating the results is intended to be straightforward. By default, iteration is preorder (parents before children); postorder traversal (children before parents) is available as well.

for key in parser.iter_postorder() {
    //...
}

Result filters are optional, but they can speed up processing because Notatin skips parsing whatever doesn't match. Filters may include regular expressions or literal paths, but setting up a regular expression filter still needs to be streamlined (see Upcoming Improvements).

use notatin::filter::{Filter, RegQuery, RegQueryComponent};
use regex::Regex;

// Literal components are compared in lowercase; regex components match one path segment each.
let filter = Filter {
    reg_query: Some(RegQuery {
        key_path: vec![
            RegQueryComponent::ComponentString(
                "control Panel".to_string().to_ascii_lowercase(),
            ),
            RegQueryComponent::ComponentRegex(Regex::new("access.*").unwrap()),
            RegQueryComponent::ComponentRegex(Regex::new("keyboard.+").unwrap()),
        ],
        key_path_has_root: false, // the filter path does not start with the hive's root key name
        children: false,          // do not return keys below the matched path
    }),
};
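To make the two filter flags concrete, here is a self-contained model of how such a key path filter classifies keys during a tree walk. It is an added example, not Notatin's own code: the regex components are approximated with a `*` wildcard so it needs no external crate, and the exact root-handling rule is an assumption taken from the field names.

```rust
// Added example (not Notatin's code): a simplified model of a RegQuery-style filter.
// Regex components are stood in for by a `*` wildcard; root handling is assumed.
enum Component {
    Literal(String), // compared case-insensitively, like the lowercased string above
    Pattern(String), // `*` matches any run of bytes (stand-in for a regex component)
}

struct KeyFilter {
    key_path: Vec<Component>,
    key_path_has_root: bool, // does the filter path start with the hive root key name?
    children: bool,          // also return keys below the matched path?
}

#[derive(Debug, PartialEq)]
enum Decision {
    Match,   // output this key
    Descend, // not output, but keys below it may still match
    Skip,    // nothing under here can match: the subtree can be pruned
}

fn wildcard_match(pat: &[u8], text: &[u8]) -> bool {
    match pat.first() {
        None => text.is_empty(),
        Some(&b'*') => (0..=text.len()).any(|i| wildcard_match(&pat[1..], &text[i..])),
        Some(&b) => text.first() == Some(&b) && wildcard_match(&pat[1..], &text[1..]),
    }
}

fn component_matches(c: &Component, segment: &str) -> bool {
    let seg = segment.to_ascii_lowercase();
    match c {
        Component::Literal(s) => s.to_ascii_lowercase() == seg,
        Component::Pattern(p) => wildcard_match(p.to_ascii_lowercase().as_bytes(), seg.as_bytes()),
    }
}

fn check(filter: &KeyFilter, key_path: &str) -> Decision {
    // Parser key paths carry the root key name; drop it when the filter does not include it.
    let segs: Vec<&str> = key_path.split('\\').skip(if filter.key_path_has_root { 0 } else { 1 }).collect();
    if !filter.key_path.iter().zip(&segs).all(|(c, s)| component_matches(c, s)) {
        return Decision::Skip; // a component mismatched, so no descendant can match either
    }
    if segs.len() < filter.key_path.len() {
        Decision::Descend
    } else if segs.len() == filter.key_path.len() || filter.children {
        Decision::Match
    } else {
        Decision::Skip
    }
}
```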

Upcoming improvements

  • Recover deleted keys and values from the primary registry file
  • Support for optional Hachoir-light style struct information
  • Improve regular expression filter creation
  • Improve performance of transaction log analysis

What is Notatin?

Notatin is another name for the enzyme glucose oxidase. Glucose oxidase catalyzes the oxidation of glucose to hydrogen peroxide. It is present in honey because honeybees synthesize the enzyme and deposit it into the honey, where it acts as a natural preservative. So, Notatin preserves honey. https://en.wikipedia.org/wiki/Glucose_oxidase

Copyright

Copyright 2021 Aon Cyber Solutions. Notatin is licensed under the Apache License, Version 2.0.

Information - Updated Oct 27, 2021