AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

How to Use RECmd – Command Line

To run RECmd, open an administrative command prompt in the folder where RECmd.exe resides and type the following command:

recmd.exe

It will then output the following:

RECmd version 1.5.2.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

d Directory to look for hives (recursively). -f or -d is required.
f Hive to search. -f or -d is required.

kn Display details for key name. Includes subkeys and values
vn Value name. Only this value will be dumped
bn Use settings from supplied file to find keys/values. See included sample file for examples
csv Directory to save CSV formatted results to. Required when -bn is used.
csvf File name to save CSV formatted results to. When present, overrides default name
saveTo Saves --vn value data in binary form to file. Expects path to a FILE
json Export --kn to directory specified by --json. Ignored when --vn is specified

details Show more details when displaying results. Default is FALSE

Base64 Find Base64 encoded values with size >= Base64 (specified in bytes)
MinSize Find values with data size >= MinSize (specified in bytes)

sa Search for <string> in keys, values, data, and slack.
sk Search for <string> in key names.
sv Search for <string> in value names
sd Search for <string> in value record's value data
ss Search for <string> in value record's value slack
literal If true, --sd and --ss search value will not be interpreted as ASCII or Unicode byte strings
nd If true, do not show data when using --sd or --ss. Default is FALSE
regex If present, treat <string> in --sk, --sv, --sd, and --ss as a regular expression. Default is FALSE

dt The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
nl When true, ignore transaction log files for dirty hives. Default is FALSE
recover If true, recover deleted keys/values. Default is TRUE

vss Process all Volume Shadow Copies that exist on drive specified by -f or -d . Default is FALSE
dedupe Deduplicate -f or -d & VSCs based on SHA-1. First file found wins. Default is TRUE

debug Show debug information during processing
trace Show trace information during processing

Example: RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
RECmd.exe --f "D:\temp\UsrClass 1.dat" --StartDate "11/13/2014 15:35:01"
RECmd.exe --f "D:\temp\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"

Here is an illustration of what this looks like. Notice how my command prompt is set in the folder where my RECmd executable resides.

This effectively serves as your menu in terms of what you can do to a single registry hive or a directory of registry hives, based on the switches applied from above. Be sure to peruse the manual created by Eric Zimmerman to get a better understanding of what some of these switches do.

A convention across the EZ Tools suite is that single-character switches take one hyphen and switches of two or more characters take two hyphens. For instance:

-f vs. --trace

-d vs --ss

The tool's own built-in examples show --f with two hyphens. Following the convention, use one hyphen (-f, -d) for the short switches in your commands; that said, RECmd accepts either form for its switches, so -f and --f both run without error.

If we want to run RECmd against all of the hives in our Lone Wolf 2018 image, our command will look something like this:

RECmd.exe -d "M:\Forensics\Lone Wolf 2018\KAPE\tout\D\Windows\System32\config" --bn "M:\Forensics\EZ Tools\RegistryExplorer\BatchExamples\RECmd_Batch_MC.reb" --csv "c:\temp" --debug --trace

This command points -d at the directory holding all of our registry hives, and --bn runs the batch file against each hive found there, writing a single CSV (to the --csv directory, which is required whenever --bn is used) that contains the artifacts pulled from every hive in that folder. The batch file is what makes this convenient: all of the registry data you care about lands in one CSV, which is far easier to review in Timeline Explorer.

Alternatively, you can simply parse a single registry hive with a command similar to this:

RECmd.exe -f "M:\Forensics\Lone Wolf 2018\KAPE\tout\D\Windows\System32\config\SYSTEM" --bn "M:\Forensics\EZ Tools\RegistryExplorer\BatchExamples\RECmd_Batch_MC.reb" --csv "c:\temp" --debug --trace

The only differences between the two commands are the switch from -d to -f, because we are parsing a file rather than a directory of hives, and the hive's file name added to the end of the path. Otherwise, the command is identical.

For either of these commands, if KAPE also collected hives from Volume Shadow Copies, point -d at the KAPE\tout folder itself instead: -d searches recursively, so the hives from the live volume and from every VSC are parsed in one run. (The --vss switch covers the other case, where -f or -d points at a drive whose shadow copies still exist rather than at a collection.)

Transaction Logs (--nl Switch)

The --nl switch controls whether RECmd replays transaction logs. By default (--nl false) RECmd applies the hive's .LOG1 and .LOG2 files to the hive before parsing it, so you are effectively parsing a clean hive: the data in not only SYSTEM but SYSTEM.LOG1 and SYSTEM.LOG2 is compiled together and parsed as one. With --nl true the logs are ignored, and a dirty hive parsed that way will be missing whatever Windows had not yet written back to the primary file. For the logs to be found they must sit in the same directory as the hive, with the hive's name as their prefix (SYSTEM.LOG1, UsrClass.dat.LOG1), which is how KAPE collects them. Is the chance slim that the missing data is your smoking gun? Yes, but do you really want to take that chance? Always replay transaction logs if you can.

To illustrate the difference this switch makes in this particular case, here is the number of lines shown in Timeline Explorer with transaction logs ignored and with them replayed. Note that RECmd also reports this count when you run these commands.

RECmd.exe -f "M:\...\config\SYSTEM" --bn "M:\...\RegistryExplorer\BatchExamples\RECmd_Batch_MC.reb" --nl true --csv "c:\temp" --debug --trace

The above example, with --nl true (transaction logs ignored), produced 724 lines.

RECmd.exe -f "M:\...\config\SYSTEM" --bn "M:\...\RegistryExplorer\BatchExamples\RECmd_Batch_MC.reb" --nl false --csv "c:\temp" --debug --trace

The above example, with --nl false (transaction logs replayed, which is also the default), produced 726 lines.

By not replaying transaction logs, we miss 2 lines of data. Granted, this image likely was not created with an emphasis on generating large amounts of registry activity, so the gap is small here; on a real-world system whose hives were dirty at collection time the gap can be much larger. However unlikely it may be, those 2 lines could be the difference maker in a case!

Side note: I shortened the file paths in the two commands above so desktop and mobile users would not have to scroll to the right to see the part of the command that changes (the --nl value).
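Counting lines tells you that the two runs differ; it does not tell you which registry entries only exist once the logs are replayed. The following Python script is an added example (not from this page or from RECmd) that diffs two RECmd batch CSV exports, such as the --nl true and --nl false runs above, and lists the rows unique to each. The column names in KEY_COLUMNS are assumed to match RECmd's batch CSV header and can be adjusted; the two embedded CSV strings are constructed sample data, not output from the Lone Wolf image.

```python
"""Diff two RECmd batch CSV exports (e.g. --nl true vs --nl false) and list
the rows that only appear when transaction logs are replayed.
Added example; not part of the original page or of RECmd itself."""
import csv
import io
import sys
from collections import defaultdict

# Assumed to match the column names in RECmd's batch-mode CSV header; adjust
# the tuple if your RECmd version names them differently.
KEY_COLUMNS = ("HivePath", "KeyPath", "ValueName", "ValueData", "LastWriteTimestamp")

# Constructed sample data standing in for two real exports (hypothetical paths
# and values, not real case data). The second export has two extra rows.
WITHOUT_LOGS_CSV = r"""HivePath,KeyPath,ValueName,ValueData,LastWriteTimestamp,Deleted
C:\cases\example\SYSTEM,ControlSet001\Control\ComputerName\ComputerName,ComputerName,DESKTOP-EXAMPLE,2018-04-05 13:48:31.0000000,False
C:\cases\example\SYSTEM,ControlSet001\Control\TimeZoneInformation,TimeZoneKeyName,Eastern Standard Time,2018-04-05 13:48:31.0000000,False
C:\cases\example\SYSTEM,ControlSet001\Services\Tcpip\Parameters,Hostname,DESKTOP-EXAMPLE,2018-04-05 13:48:31.0000000,False
"""

WITH_LOGS_CSV = WITHOUT_LOGS_CSV + r"""C:\cases\example\SYSTEM,ControlSet001\Enum\USBSTOR\Disk&Ven_Example&Prod_USB&Rev_1.00\1234567890&0,FriendlyName,Example USB Device,2018-04-06 09:12:44.0000000,False
C:\cases\example\SYSTEM,ControlSet001\Services\ExampleSvc,ImagePath,C:\Users\Public\example.exe,2018-04-06 09:13:02.0000000,False
"""


def load_rows(text, key_columns=KEY_COLUMNS):
    """Index the rows of one export by the identifying columns.

    Maps key tuple -> list of rows, because two rows can legitimately share
    every key column (for example a deleted value and its live replacement)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in key_columns if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing expected columns: {missing}")
    rows = defaultdict(list)
    for row in reader:
        rows[tuple(row[c] for c in key_columns)].append(row)
    return rows


def diff_exports(without_logs_text, with_logs_text, key_columns=KEY_COLUMNS):
    """Return data-row counts (header excluded) and the rows unique to each export."""
    without_logs = load_rows(without_logs_text, key_columns)
    with_logs = load_rows(with_logs_text, key_columns)
    only_with = [r for k in sorted(with_logs.keys() - without_logs.keys()) for r in with_logs[k]]
    only_without = [r for k in sorted(without_logs.keys() - with_logs.keys()) for r in without_logs[k]]
    return {
        "rows_without_logs": sum(len(v) for v in without_logs.values()),
        "rows_with_logs": sum(len(v) for v in with_logs.values()),
        "only_with_logs": only_with,
        "only_without_logs": only_without,
    }


def describe(row, key_columns=KEY_COLUMNS):
    """One-line summary of a row for the console."""
    return " | ".join(row[c] for c in key_columns)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real exports: python recmd_diff.py without_logs.csv with_logs.csv
        # utf-8-sig strips the BOM so the first header column is read cleanly.
        with open(sys.argv[1], encoding="utf-8-sig") as a, open(sys.argv[2], encoding="utf-8-sig") as b:
            result = diff_exports(a.read(), b.read())
    else:
        result = diff_exports(WITHOUT_LOGS_CSV, WITH_LOGS_CSV)
    print(f"{result['rows_without_logs']} rows without logs, {result['rows_with_logs']} rows with logs")
    for row in result["only_with_logs"]:
        print("only present when logs are replayed:", describe(row))
    for row in result["only_without_logs"]:
        print("only present when logs are ignored:", describe(row))
```

Run it with the two CSVs that RECmd wrote to the --csv directory; anything it prints under "only present when logs are replayed" is data that lived solely in the transaction logs at collection time, which is exactly what a --nl true run (or any tool that ignores logs) would have missed.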

How to Use rla.exe

First of all, what even is rla.exe and why is it included with Registry Explorer and RECmd? Glad you asked! rla.exe replays transaction logs against a dirty hive and writes a clean copy to a location you specify. It exists mainly as a supplement to other tools that do not consider or understand transaction logs: hand them the clean output instead of the dirty original. It can process a single registry hive or a whole directory of hives (recursively) and writes the clean versions to the --out directory.

Command line:

To run rla.exe, open a command prompt in the folder where rla.exe resides and type the following command:

rla.exe

It will then output the following:

rla version 1.5.2.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

d Directory to look for hives (recursively). -f or -d is required.
f Hive to process. -f or -d is required.

out Directory to save updated hives to. Only dirty hives with logs applied will end up in --out directory

ca When true, always copy hives to --out directory, even if they aren't dirty. Default is TRUE
cn When true, compress names for profile based hives. Default is TRUE

debug Show debug information during processing
trace Show trace information during processing

Example: rla.exe --f "C:\Temp\UsrClass 1.dat" --out C:\temp
rla.exe --d "D:\temp\" --out c:\temp

Here is an illustration of what this looks like. Notice how my command prompt is set in the folder where my rla executable resides.

The example commands are straightforward. Point rla.exe at the registry hive, or the directory of hives, with the corresponding transaction logs (.LOG1, .LOG2) sitting alongside them, and tell it with --out where to write the clean versions of those hives. Note from the help above that --ca defaults to TRUE, so hives that were not dirty are copied to --out as well; pass --ca false if you only want the hives that actually had logs applied. Try it on your own system with a command similar to the following:

rla.exe -d "M:\Forensics\Lone Wolf 2018\KAPE\tout\D\Windows\System32\config" --out c:\temp

Look in your C:\temp folder for the clean registry hives. Examine away!
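Both the --nl discussion and this section turn on one question: which of the collected hives are actually dirty, and are their .LOG1/.LOG2 files present so that RECmd or rla.exe can replay them? As an added example (not from this page or from Eric Zimmerman's tools), the following Python script answers that from the 512-byte REGF base block at the start of each hive: a hive is dirty when the primary sequence number at offset 4 differs from the secondary at offset 8, and the XOR-32 checksum at offset 508 tells you whether the header itself is intact. Walking a directory such as KAPE\tout recursively also covers the VSS subfolders. The script name, the advice strings and the synthetic base block used for testing are assumptions for illustration.

```python
"""Report which registry hives are dirty (need transaction logs replayed) and
whether their .LOG1/.LOG2 files sit next to them, before running RECmd or rla.
Added example; not part of the original page or of Eric Zimmerman's tools."""
import struct
import sys
from pathlib import Path

BASE_BLOCK_SIZE = 512
# Windows appends these to the hive's full file name: SYSTEM.LOG1, UsrClass.dat.LOG2
LOG_SUFFIXES = (".LOG", ".LOG1", ".LOG2")


def regf_checksum(block: bytes) -> int:
    """XOR-32 of the first 508 bytes of the base block, as Windows computes it."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        xor ^= dword
    if xor == 0:  # Windows never stores 0 or 0xFFFFFFFF
        return 1
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor


def parse_base_block(block: bytes) -> dict:
    """Extract the sequence numbers and checksum state from a REGF base block.

    Windows increments the primary sequence number before a write to the
    primary file and the secondary after it, so a mismatch means the latest
    write is still only in the transaction logs: the hive is dirty."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    primary, secondary = struct.unpack_from("<II", block, 4)
    (stored,) = struct.unpack_from("<I", block, 508)
    return {
        "primary_sequence": primary,
        "secondary_sequence": secondary,
        "dirty": primary != secondary,
        "checksum_ok": stored == regf_checksum(block),
    }


def assess(header: dict, logs_present: list) -> str:
    """Turn the parsed header and the list of log files found into advice."""
    if not header["checksum_ok"]:
        return "base block checksum mismatch; header is damaged or truncated"
    if not header["dirty"]:
        return "clean hive; transaction logs are not needed"
    if not logs_present:
        return "dirty hive with no transaction logs alongside it; unflushed changes cannot be recovered"
    return "dirty hive; let RECmd replay the logs (its default) or run rla.exe --out for a clean copy"


def find_transaction_logs(hive: Path) -> list:
    """Return the .LOG/.LOG1/.LOG2 files that exist next to the hive."""
    candidates = [hive.with_name(hive.name + s) for s in LOG_SUFFIXES]
    return [p for p in candidates if p.exists()]


def find_hives(root: Path):
    """Yield files under root (recursively, so KAPE's VSS folders are included)
    that carry the 'regf' signature and are not themselves transaction logs."""
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.upper() not in LOG_SUFFIXES:
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) == b"regf":
                        yield path
            except OSError:
                continue  # locked or unreadable file; skip it


def assess_hive(hive: Path) -> dict:
    with open(hive, "rb") as fh:
        header = parse_base_block(fh.read(BASE_BLOCK_SIZE))
    logs = find_transaction_logs(hive)
    header["logs"] = [p.name for p in logs]
    header["advice"] = assess(header, logs)
    return header


def build_base_block(primary: int, secondary: int) -> bytes:
    """Construct a minimal synthetic base block (test fixture, not a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    struct.pack_into("<II", block, 4, primary, secondary)
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    # Usage: python hivecheck.py <hive file, or a directory such as KAPE\tout>
    target = Path(sys.argv[1])
    for hive in ([target] if target.is_file() else find_hives(target)):
        info = assess_hive(hive)
        print(f"{hive}: primary={info['primary_sequence']} secondary={info['secondary_sequence']} "
              f"logs={info['logs']} -> {info['advice']}")
```

Run it against the KAPE\tout folder before the RECmd or rla.exe commands above. Any hive it flags as dirty with logs present is one where --nl true would silently drop data; a hive flagged dirty with no logs is one where the collection itself missed the .LOG1/.LOG2 files and needs to be redone.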

Examining RECmd Output (CSV)

CSV output is the preferred format to analyze in Timeline Explorer. Alternatively, you can use Excel if that’s more comfortable for you.

Understanding the Artifacts

As always, Tools & Artifacts – Windows is at your disposal for Windows-based artifacts, both system and third-party. The SANS Windows Forensic Analysis (FOR500) and Hunt Evil (FOR508) posters are great resources, as well.

Some other resources: