reglookup-recover(1) [debian man page]

reglookup(1)															      reglookup(1)

NAME
       reglookup-recover - Windows NT+ registry deleted data recovery tool

SYNOPSIS
       reglookup-recover [options] registry-file

DESCRIPTION
       reglookup-recover attempts to scour a Windows registry hive for deleted data structures and outputs those found in a CSV-like format.

OPTIONS
       reglookup-recover accepts the following parameters:

       -v     Verbose output.

       -h     Enables the printing of a column header row. (default)

       -H     Disables the printing of a column header row.

       -l     Display cells which could not be interpreted as valid registry structures at the end of the output.

       -L     Do not display cells which could not be interpreted as valid registry structures. This is the default behavior.

       -r     Display raw cell contents for cells which were interpreted as intact data structures. This additional output will appear on the same line as the interpreted data.

       -R     Do not display raw cell contents for cells which were interpreted as intact data structures. This is the default behavior.

       registry-file
              Required argument. Specifies the location of the registry file to read. The system registry files should be found under: %SystemRoot%/system32/config.

OUTPUT
       reglookup-recover generates a comma-separated values (CSV) like output and writes it to stdout. For more information on the syntax of the general format, see reglookup(1).

       This tool is new and the output format, particularly the included columns, may change in future revisions. When this format stabilizes, additional documentation will be included here.

EXAMPLES
       To dump the recoverable contents of a system registry hive:

              reglookup-recover /mnt/win/c/WINDOWS/system32/config/system

       Extract all available unallocated data, including unparsable unallocated space and the raw data associated with parsed cells in a user-specific registry:

              reglookup-recover -r -l '/mnt/win/c/Documents and Settings/user/NTUSER.DAT'

BUGS
       This program has been smoke-tested against most current Windows target platforms, but a comprehensive test suite has not yet been developed. (Please report results to the development mailing list if you encounter any bugs. Sample registry files and/or patches are greatly appreciated.)

       This program is new as of RegLookup release 0.9.0 and should be considered unstable.

       For more information on registry format details and the recovery algorithm, see:

              http://sentinelchicken.com/research/registry_format/
              http://sentinelchicken.com/research/registry_recovery/

CREDITS
       This program was written by Timothy D. Morgan.

LICENSE
       Please see the file "LICENSE" included with this software distribution. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for more details.

SEE ALSO
       reglookup-timeline(1) reglookup-recover(1)

File Conversion Utilities                                 8 March 2010                                                reglookup(1)
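The scan the DESCRIPTION above calls "scouring a hive for deleted data structures" can be sketched against a constructed mini-hive. The Python below is an added example, not RegLookup's own code; the hive layout it assumes comes from public descriptions of the regf format rather than from this page: a 4096-byte base block before the first bin, "hbin" bins whose size sits at offset 8 of a 32-byte bin header, cells that begin with a signed 32-bit size where a negative value means allocated and a positive value means free, and "nk" key records with the name length at offset 0x48 and the name at 0x4C. The constructed hive holds one live key, one freed key cell and some free junk; the walker reports freed cells that still parse as "nk" records, and with list_unparsed=True also returns the free cells it could not interpret, which is what the -l option displays.

```python
"""Added example: walk a constructed registry hive, find unallocated cells
and try to interpret them as 'nk' key records, in the spirit of
reglookup-recover.  Not RegLookup's own code."""
import struct
from datetime import datetime, timedelta, timezone

REGF_HEADER = 4096   # assumption: fixed-size base block before the first hbin
HBIN_HEADER = 32     # assumption: 'hbin' header, bin size at offset 8


def filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a text stamp."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def build_nk_record(name, filetime):
    """Build the body of an 'nk' record (everything after the cell size).
    Only the fields this example reads are filled in; the rest stay zero."""
    body = bytearray(0x4C)
    body[0:2] = b"nk"
    struct.pack_into("<Q", body, 0x04, filetime)    # last-write time
    struct.pack_into("<H", body, 0x48, len(name))   # key name length
    return bytes(body) + name.encode("ascii")


def make_cell(payload, allocated):
    """Wrap payload in a cell: 8-byte aligned; negative size means allocated."""
    size = (len(payload) + 4 + 7) & ~7
    padded = payload + b"\x00" * (size - 4 - len(payload))
    return struct.pack("<i", -size if allocated else size) + padded


def build_sample_hive():
    """Constructed hive: regf header plus one hbin holding a live key, a
    freed key cell (the 'deleted' structure to recover) and free junk."""
    cells = (make_cell(build_nk_record("Live", 132_000_000_000_000_000), True)
             + make_cell(build_nk_record("Deleted", 131_000_000_000_000_000), False)
             + make_cell(b"\xff" * 20, False))
    hbin = bytearray(4096)
    hbin[0:4] = b"hbin"
    struct.pack_into("<I", hbin, 8, len(hbin))        # size of this bin
    hbin[HBIN_HEADER:HBIN_HEADER + len(cells)] = cells
    # whatever is left in the bin is one large free cell
    leftover = len(hbin) - HBIN_HEADER - len(cells)
    struct.pack_into("<i", hbin, HBIN_HEADER + len(cells), leftover)
    regf = bytearray(REGF_HEADER)
    regf[0:4] = b"regf"
    return bytes(regf) + bytes(hbin)


def iter_cells(hive):
    """Yield (offset, allocated, data) for every cell in every hbin."""
    pos = REGF_HEADER
    while pos + HBIN_HEADER <= len(hive) and hive[pos:pos + 4] == b"hbin":
        bin_end = pos + struct.unpack_from("<I", hive, pos + 8)[0]
        cur = pos + HBIN_HEADER
        while cur + 4 <= bin_end:
            raw = struct.unpack_from("<i", hive, cur)[0]
            if raw == 0 or abs(raw) > bin_end - cur:
                break   # damaged size field: stop walking this bin
            yield cur, raw < 0, hive[cur + 4:cur + abs(raw)]
            cur += abs(raw)
        pos = bin_end


def parse_nk(data):
    """Interpret cell data as an 'nk' record; return a dict or None."""
    if len(data) < 0x4C or data[0:2] != b"nk":
        return None
    filetime = struct.unpack_from("<Q", data, 0x04)[0]
    name_len = struct.unpack_from("<H", data, 0x48)[0]
    name = data[0x4C:0x4C + name_len]
    if len(name) != name_len:
        return None   # name would run past the cell: not a sane record
    return {"mtime": filetime_to_iso(filetime), "name": name.decode("latin-1")}


def recover_deleted_keys(hive, list_unparsed=False):
    """Report 'nk' records found in unallocated cells as (offset, mtime, name).
    list_unparsed=True also returns (offset, length) of free cells that did
    not parse, which is what the -l option displays."""
    rows, unparsed = [], []
    for offset, allocated, data in iter_cells(hive):
        if allocated:
            continue
        key = parse_nk(data)
        if key:
            rows.append((offset, key["mtime"], key["name"]))
        elif list_unparsed:
            unparsed.append((offset, len(data)))
    return rows, unparsed


if __name__ == "__main__":
    found, junk = recover_deleted_keys(build_sample_hive(), list_unparsed=True)
    print("OFFSET,MTIME,NAME")
    for off, mtime, name in found:
        print(f"{off},{mtime},{name}")
    for off, length in junk:
        print(f"{off},unparsed cell of {length} bytes")
```

The walker only trusts what it can bound-check: a zero or oversized cell size ends the walk of that bin rather than running off into the next one, and an "nk" candidate whose name would extend past its cell is rejected. That is the same caution the BUGS section asks for when reading recovered data, since a freed cell may have been partly overwritten.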


reglookup-timeline(1)													     reglookup-timeline(1)

NAME
       reglookup-timeline - Windows NT+ registry MTIME timeline generator

SYNOPSIS
       reglookup-timeline [-H] registry-file [registry-file ...]

DESCRIPTION
       This script is a wrapper for reglookup(1), and reads one or more registry files to produce an MTIME-sorted output. This is helpful when building timelines for forensic investigations.

PARAMETERS
       reglookup-timeline accepts one or more registry file names. All of the provided registries will be parsed using reglookup(1). The -H option may be used to omit the header line.

OUTPUT
       reglookup-timeline generates a comma-separated values (CSV) compatible format to stdout. While the output of reglookup-timeline and reglookup(1) differ in the columns returned, the base format is the same.

       Currently, reglookup-timeline returns three columns: MTIME, FILE, and PATH. Only rows representing registry keys are returned, since MTIMEs are not stored for values. The FILE column indicates which registry file (provided as an argument) the key came from. Finally, the PATH field contains the full registry path to the key. Records are returned sorted in ascending order based on the MTIME column.

BUGS
       This script is new, and as such its interface may change significantly over the next few revisions. In particular, additional command line options will likely be added, and the output of the script may be altered in minor ways.

       It is very difficult to find documentation on what precise operations cause the MTIMEs to be updated. Basic experimentation indicates that a key's stamp is updated anytime an immediate sub-value or sub-key is created, renamed, deleted, or its value is modified. If this MTIME data is critical to an investigation, any conclusions should be validated through experimentation in a controlled lab environment.

       This software should be considered unstable at this time.

CREDITS
       This script was written by Timothy D. Morgan based on suggestions from Uwe Danz. Please see source code for a full list of copyrights.

LICENSE
       Please see the file "LICENSE" included with this software distribution. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for more details.

SEE ALSO
       reglookup(1) reglookup-recover(1)

File Conversion Utilities                                 8 March 2010                                       reglookup-timeline(1)
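The OUTPUT section describes the transformation reglookup-timeline applies to reglookup(1) output: keep only key rows, tag each with the file it came from, and sort ascending by MTIME. The Python below is an added example of that merge, not the project's own script. It assumes, since this page does not state it, that reglookup emits the columns PATH,TYPE,VALUE,MTIME and marks key rows with TYPE "KEY"; the two hive outputs are constructed sample data, and header=False stands in for the -H option.

```python
"""Added example: what reglookup-timeline does to reglookup(1) output.
Not the project's own code."""
import csv
import io

# Constructed reglookup(1)-style output for two hives.  Assumption (not
# stated on this page): reglookup emits the columns PATH,TYPE,VALUE,MTIME
# and marks key rows with TYPE "KEY".  Value rows carry no MTIME.
SAMPLE_REGLOOKUP_OUTPUT = {
    "system": (
        "PATH,TYPE,VALUE,MTIME\n"
        "/ControlSet001,KEY,,2010-03-01 10:15:02\n"
        "/ControlSet001/Services,KEY,,2010-03-04 08:00:00\n"
        "/ControlSet001/Services/Foo/ImagePath,SZ,C:\\foo.exe,\n"
    ),
    "NTUSER.DAT": (
        "PATH,TYPE,VALUE,MTIME\n"
        "/Software,KEY,,2010-03-02 12:00:00\n"
        "/Software/Microsoft/Windows/CurrentVersion/Run,KEY,,2010-03-05 23:59:59\n"
        "/Software/Microsoft/Windows/CurrentVersion/Run/updater,SZ,C:\\updater.exe,\n"
    ),
}


def key_rows(reglookup_csv, filename):
    """Keep only key rows (values have no MTIME) as (MTIME, FILE, PATH)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(reglookup_csv)):
        if rec["TYPE"] == "KEY" and rec["MTIME"]:
            rows.append((rec["MTIME"], filename, rec["PATH"]))
    return rows


def build_timeline(outputs):
    """Merge key rows from every hive and sort ascending by MTIME.
    The stamps are zero-padded 'YYYY-MM-DD HH:MM:SS', so string order is
    chronological order."""
    rows = []
    for filename, text in outputs.items():
        rows.extend(key_rows(text, filename))
    rows.sort(key=lambda r: r[0])
    return rows


def format_timeline(rows, header=True):
    """Render rows as CSV; header=False mirrors the -H option."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if header:
        writer.writerow(["MTIME", "FILE", "PATH"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(format_timeline(build_timeline(SAMPLE_REGLOOKUP_OUTPUT)), end="")
```

Rows from the two hives interleave in the sorted result, which is the point of the FILE column: a key's path alone does not say which hive it came from once several are merged. Because the BUGS section notes that the exact triggers for an MTIME update are not well documented, a stamp on a merged timeline is a lead to confirm in a lab, not a conclusion on its own.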