Table of Contents
- Page 1 – Introduction, Screenshots, Usage Scenarios
- Page 2 – Registry Explorer – GUI
- Page 3 – RECmd – Command Line, How to Use rla.exe, Examining RECmd Output (CSV)
- Page 4 – Conclusion, Registry-Related CTFs, Related Blog Posts/Videos, Change Log
How to Use RECmd – Command Line
To run RECmd, open an administrative command prompt in the folder where RECmd.exe resides and type the following command:
It will then output the following:
RECmd version 220.127.116.11

Author: Eric Zimmerman (email@example.com)
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

        d          Directory to look for hives (recursively). -f or -d is required.
        f          Hive to search. -f or -d is required.
        kn         Display details for key name. Includes subkeys and values
        vn         Value name. Only this value will be dumped
        bn         Use settings from supplied file to find keys/values. See included sample file for examples
        csv        Directory to save CSV formatted results to. Required when -bn is used.
        csvf       File name to save CSV formatted results to. When present, overrides default name
        saveTo     Saves --vn value data in binary form to file. Expects path to a FILE
        json       Export --kn to directory specified by --json. Ignored when --vn is specified
        details    Show more details when displaying results. Default is FALSE
        Base64     Find Base64 encoded values with size >= Base64 (specified in bytes)
        MinSize    Find values with data size >= MinSize (specified in bytes)
        sa         Search for <string> in keys, values, data, and slack.
        sk         Search for <string> in key names.
        sv         Search for <string> in value names
        sd         Search for <string> in value record's value data
        ss         Search for <string> in value record's value slack
        literal    If true, --sd and --ss search value will not be interpreted as ASCII or Unicode byte strings
        nd         If true, do not show data when using --sd or --ss. Default is FALSE
        regex      If present, treat <string> in --sk, --sv, --sd, and --ss as a regular expression. Default is FALSE
        dt         The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
        nl         When true, ignore transaction log files for dirty hives. Default is FALSE
        recover    If true, recover deleted keys/values. Default is TRUE
        vss        Process all Volume Shadow Copies that exist on drive specified by -f or -d . Default is FALSE
        dedupe     Deduplicate -f or -d & VSCs based on SHA-1. First file found wins. Default is TRUE
        debug      Show debug information during processing
        trace      Show trace information during processing

Example: RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
         RECmd.exe --f "D:\temp\UsrClass 1.dat" --StartDate "11/13/2014 15:35:01"
         RECmd.exe --f "D:\temp\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"
Here is an illustration of what this looks like. Notice how my command prompt is set in the folder where my RECmd executable resides.
This effectively serves as your menu of what you can do to a single registry hive or a directory of registry hives, based on the switches listed above. Be sure to peruse the manual created by Eric Zimmerman to get a better understanding of what some of these switches do.
A convention across the EZ Tools suite is that any single-character switch is prefixed with one hyphen and any switch of two or more characters is prefixed with two hyphens. For instance, see the following examples:
-f vs. --trace
-d vs. --ss
Despite the help output's examples showing two hyphens before single-character switches, use one hyphen for those in your commands. That being said, for RECmd, one or two hyphens both seem to work and neither causes an error for this particular command.
If we want to run RECmd against all of the hives in our Lone Wolf 2018 image, our command will look something like this:
RECmd.exe -d "M:\Forensics\Lone Wolf 2018\KAPE\tout\D\Windows\System32\config" --bn "M:\Forensics\EZ Tools\RegistryExplorer\BatchExamples\RECmd_Batch_MC.reb" --csv "c:\temp" --debug --trace
This command points to the directory where all of our registry hives reside; the batch file is then run against those hives to produce a single CSV from which we can examine the artifacts from every hive in that folder. The batch file is convenient because it puts the data from all of the registry hives into one CSV which, opened in Timeline Explorer, will make your life much easier.
Alternatively, you can simply parse a single registry hive with a command similar to this:
RECmd.exe -f "M:\Forensics\Lone Wolf 2018\KAPE\tout\D\Windows\System32\config\SYSTEM" --bn "M:\Forensics\EZ Tools\RegistryExplorer\BatchExamples\RECmd_Batch_MC.reb" --csv "c:\temp" --debug --trace
Notice that there are only two differences between the two commands (they were bolded in the original post): the switch changes from -d to -f because we're parsing a single file rather than a directory of registry hives, and we add the full path to the registry hive we want to parse. Otherwise, the rest is the same!
For either of these commands, if you are processing VSCs, it would be wise to point the command at the KAPE\tout folder instead so that the registry hives from previous Volume Shadow Copies are parsed all at once.
Transaction Logs (--nl Switch)
The --nl switch controls whether transaction logs are replayed. If you replay transaction logs, you will be parsing a clean hive. This means you have the most up-to-date information within the registry hive, because the data from not only SYSTEM but also SYSTEM.LOG1 and SYSTEM.LOG2 is compiled together and parsed by RECmd. A dirty hive parsed without its transaction logs replayed will therefore be missing data. Is the chance slim that the missing data could be your smoking gun? Yes, but do you really want to take that chance? Always replay transaction logs if you can.
To illustrate what difference this switch made in this particular case, here's the number of lines in Timeline Explorer with and without the --nl switch. Note that RECmd also outputs the number of lines when you run these commands.
RECmd.exe -f "M:\...\config\SYSTEM" --bn "M:\...\RegistryExplorer\BatchExamples\RECmd_Batch_MC.reb" --nl true --csv "c:\temp" --debug --trace
The above example has 724 lines parsed when the true value is set after the nl switch.
RECmd.exe -f "M:\...\config\SYSTEM" --bn "M:\...\RegistryExplorer\BatchExamples\RECmd_Batch_MC.reb" --nl false --csv "c:\temp" --debug --trace
The above example has 726 lines parsed when the false value is set after the nl switch.
By not replaying transaction logs, we miss out on 2 lines of data. Granted, this image likely wasn’t created with an emphasis on generating massive amounts of registry artifacts. However, extrapolate these results in the real world and understand the importance of ensuring transaction logs are replayed. However unlikely it may be, those 2 lines could be a difference maker in a case!
Side note: I shortened the file paths so desktop and mobile users wouldn’t have to scroll to the right to see the main (bold) takeaways from the command.
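To make the --nl comparison above concrete beyond a line count, here is an added Python example (my code, not the post's and not part of RECmd) that takes two RECmd batch exports of the same hive, one parsed with transaction logs replayed (--nl false) and one with them ignored (--nl true), and reports which keys and values the dirty parse lacked. It goes one step further than the post by also flagging values whose data the log replay changed, not only rows the replay added. The column names and the sample rows are constructed assumptions modelled on RECmd's batch-mode CSV header, so check them against the header of your own export; the command builder uses only switches shown in RECmd's help, with --csvf giving each run a fixed output file name.

```python
"""Added example (not code from the original post or from RECmd): compare two
RECmd batch exports of the same hive, one parsed with transaction logs replayed
(--nl false) and one with them ignored (--nl true), and report not just how
many rows the dirty parse lacks but which keys/values are missing or stale.

Column names (HivePath, KeyPath, ValueName, ValueData, Deleted,
LastWriteTimestamp, ...) are assumed to match RECmd's batch-mode CSV header;
check the header of your own export and adjust KEY_COLUMNS/DATA_COLUMNS.
"""
import csv
import io

# Columns identifying one registry value across both exports (assumed names).
# HivePath is left out on purpose, so an export of an rla.exe-cleaned copy in
# C:\temp still lines up with an export of the original hive.
KEY_COLUMNS = ("KeyPath", "ValueName")
# Columns whose difference means the log replay changed the value.
DATA_COLUMNS = ("ValueData", "LastWriteTimestamp")


def build_recmd_commands(recmd_exe, hive, batch_file, out_dir):
    """Argument lists for the two runs. Only switches from RECmd's help text
    are used; --csvf gives each run a fixed output name so the two exports
    can be told apart without relying on RECmd's timestamped default."""
    common = [recmd_exe, "-f", hive, "--bn", batch_file, "--csv", out_dir]
    return {
        "logs_replayed": common + ["--nl", "false", "--csvf", "recmd_nl_false.csv"],
        "logs_ignored": common + ["--nl", "true", "--csvf", "recmd_nl_true.csv"],
    }


def load_rows(csv_text):
    """Parse an export into (row_count, {key: row}). Two rows sharing a key
    (e.g. a live value and a recovered deleted one) collapse to the last
    one, so the raw row count is returned separately."""
    rows = {}
    count = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        count += 1
        rows[tuple(row[c] for c in KEY_COLUMNS)] = row
    return count, rows


def compare_exports(with_logs_csv, without_logs_csv):
    """Summarise what the parse without transaction logs missed or held stale."""
    clean_count, clean = load_rows(with_logs_csv)
    dirty_count, dirty = load_rows(without_logs_csv)
    stale = [k for k in clean.keys() & dirty.keys()
             if any(clean[k][c] != dirty[k][c] for c in DATA_COLUMNS)]
    return {
        "rows_with_logs": clean_count,
        "rows_without_logs": dirty_count,
        "only_with_logs": sorted(clean.keys() - dirty.keys()),
        "only_without_logs": sorted(dirty.keys() - clean.keys()),
        "stale_without_logs": sorted(stale),
    }


# --- Constructed sample exports (not real Lone Wolf data) -------------------
_HEADER = ("HivePath,HiveType,Description,Category,KeyPath,ValueName,"
           "ValueType,ValueData,Deleted,LastWriteTimestamp")
_HIVE = r"M:\Forensics\Lone Wolf 2018\KAPE\tout\D\Windows\System32\config\SYSTEM"


def _export(rows):
    return "\n".join([_HEADER] + [_HIVE + "," + r for r in rows]) + "\n"


# Parsed with SYSTEM.LOG1/.LOG2 replayed: the service's ImagePath was updated
# in the log, and two values exist only after the replay.
WITH_LOGS_CSV = _export([
    r"SYSTEM,Current control set,System Info,Select,Current,RegDword,1,False,2018-04-05 10:00:00.0000000",
    r"SYSTEM,Computer name,System Info,ControlSet001\Control\ComputerName\ComputerName,ComputerName,RegSz,DESKTOP-EXAMPLE,False,2018-04-05 10:00:00.0000000",
    r"SYSTEM,Service,Services,ControlSet001\Services\ExampleSvc,ImagePath,RegExpandSz,C:\Program Files\Example\svc.exe,False,2018-04-05 11:00:00.0000000",
    r"SYSTEM,Service,Services,ControlSet001\Services\ExampleSvc,Start,RegDword,2,False,2018-04-05 11:00:00.0000000",
    r"SYSTEM,Last shutdown time,System Info,ControlSet001\Control\Windows,ShutdownTime,RegBinary,00-A0-4B-2C-9D-E3-D3-01,False,2018-04-05 11:05:00.0000000",
])
# Same hive parsed with --nl true: only the on-disk (dirty) state is seen.
WITHOUT_LOGS_CSV = _export([
    r"SYSTEM,Current control set,System Info,Select,Current,RegDword,1,False,2018-04-05 10:00:00.0000000",
    r"SYSTEM,Computer name,System Info,ControlSet001\Control\ComputerName\ComputerName,ComputerName,RegSz,DESKTOP-EXAMPLE,False,2018-04-05 10:00:00.0000000",
    r"SYSTEM,Service,Services,ControlSet001\Services\ExampleSvc,ImagePath,RegExpandSz,C:\Windows\System32\oldsvc.exe,False,2018-04-05 10:30:00.0000000",
])

if __name__ == "__main__":
    for name, argv in build_recmd_commands("RECmd.exe", _HIVE, "RECmd_Batch_MC.reb", r"c:\temp").items():
        print(f"{name}: {' '.join(argv)}")
    report = compare_exports(WITH_LOGS_CSV, WITHOUT_LOGS_CSV)
    print(f"rows with logs replayed: {report['rows_with_logs']}, "
          f"without: {report['rows_without_logs']}")
    for label in ("only_with_logs", "only_without_logs", "stale_without_logs"):
        for key_path, value_name in report[label]:
            print(f"{label}: {key_path}\\{value_name}")
```

Run it against your own two exports by reading the CSV files into strings and passing them to compare_exports. On the constructed sample the dirty parse is short two rows (the service's Start value and the ShutdownTime value) and also carries a stale ImagePath, which a plain line count would never reveal.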
How to Use rla.exe
First of all, what even is rla.exe, and why is it included with Registry Explorer and RECmd? Well, glad you asked! This program replays transaction logs against a dirty hive and writes a clean hive to a specified location, particularly as a supplement to other tools that don't consider or understand transaction logs. It can output either a single registry hive or a directory's worth of registry hives into a specified location in a clean state.
To run rla.exe, open a command prompt in the folder where rla.exe resides and type the following command:
It will then output the following:
rla version 18.104.22.168

Author: Eric Zimmerman (firstname.lastname@example.org)
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

        d          Directory to look for hives (recursively). -f or -d is required.
        f          Hive to process. -f or -d is required.
        out        Directory to save updated hives to. Only dirty hives with logs applied will end up in --out directory
        ca         When true, always copy hives to --out directory, even if they aren't dirty. Default is TRUE
        cn         When true, compress names for profile based hives. Default is TRUE
        debug      Show debug information during processing
        trace      Show trace information during processing

Example: rla.exe --f "C:\Temp\UsrClass 1.dat" --out C:\temp
         rla.exe --d "D:\temp\" --out c:\temp
Here is an illustration of what this looks like. Notice how my command prompt is set in the folder where my rla executable resides.
The example commands are pretty straightforward. You point rla.exe to where the registry hive or directory of registry hives is located, along with the respective transaction logs (.LOG1, .LOG2, etc.), and then tell it where to output clean versions of those hives. Try it on your own system with a command similar to the following:
rla.exe -d "M:\Forensics\Lone Wolf 2018\KAPE\tout\D\Windows\System32\config" --out c:\temp
Look in your C:\temp folder for the clean registry hives. Examine away!
Examining RECmd Output (CSV)
Understanding the Artifacts
As always, Tools & Artifacts – Windows is at your disposal for Windows-based artifacts, both system and third-party. The SANS Windows Forensic Analysis (FOR500) and Hunt Evil (FOR508) posters are great resources, as well.
Some other resources:
- OpenSaveMRU and LastVisitedMRU