analyzing-windows-registry-for-artifacts

Featured

Extract and analyze Windows Registry hives to uncover user activity, installed software, autostart entries, and evidence of system compromise.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · License: Apache-2.0


Quality Score: 99/100

| Component     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Analyzing Windows Registry for Artifacts

## When to Use

- When investigating user activity on a Windows system during an incident
- For identifying autorun/persistence mechanisms used by malware
- When tracing installed software, USB devices, and network connections
- During insider threat investigations to reconstruct user actions
- For correlating registry timestamps with other forensic artifacts

## Prerequisites

- Forensic image or extracted registry hive files
- RegRipper, Registry Explorer (Eric Zimmerman), or python-registry
- Access to the registry hive locations (SAM, SYSTEM, SOFTWARE, SECURITY, DEFAULT, NTUSER.DAT, UsrClass.dat)
- Understanding of Windows Registry structure (hives, keys, values)
- SIFT Workstation or another forensic analysis environment

## Workflow

### Step 1: Extract Registry Hives from the Forensic Image

```bash
# Mount the forensic image read-only. The offset is the start of the Windows
# partition in bytes (sector 2048 * 512 bytes/sector here); confirm the real
# start sector with `mmls evidence.dd` or `fdisk -l evidence.dd` first.
mkdir -p /mnt/evidence
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence

# Copy system registry hives (unique names, so one directory is fine)
mkdir -p /cases/case-2024-001/registry
cp /mnt/evidence/Windows/System32/config/SAM /cases/case-2024-001/registry/
cp /mnt/evidence/Windows/System32/config/SYSTEM /cases/case-2024-001/registry/
cp /mnt/evidence/Windows/System32/config/SOFTWARE /cases/case-2024-001/registry/
cp /mnt/evidence/Windows/System32/config/SECURITY /cases/case-2024-001/registry/
cp /mnt/evidence/Windows/System32/config/DEFAULT /cases/case-2024-001/registry/

# Copy user-specific hives. Every profile's hive is named NTUSER.DAT, so a
# single `cp /mnt/evidence/Users/*/NTUSER.DAT <dir>/` would overwrite all but
# the last profile; keep one subdirectory per user instead.
for profile in /mnt/evidence/Users/*/; do
    user=$(basename "$profile")
    mkdir -p "/cases/case-2024-001/registry/$user"
    cp "$profile/NTUSER.DAT" "/cases/case-2024-001/registry/$user/"
done
```

...
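The collection step above, carried through as a reusable script. This is an added example, not code from the skill or its repository: it copies the system hives and each profile's NTUSER.DAT and UsrClass.dat into per-user directories (so identically named hives do not overwrite each other), brings the `.LOG1`/`.LOG2` transaction logs along for each hive, and writes a manifest of SHA-256 hashes verified against the source. The mount point and case directory are hypothetical, and `make_fixture` builds a constructed stand-in for a mounted image so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not part of the original skill). Collect registry hives from a
# read-only mounted image into a case directory without name collisions, with
# transaction logs and a verified SHA-256 manifest. Paths are hypothetical;
# the fixture at the bottom is a constructed stand-in for a real image.
set -u

# Print only the hex digest; sha256sum on Linux/SIFT, shasum on macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# copy_with_logs <hive> <dest_dir> <manifest>
# Copies the hive and, if present, its .LOG1/.LOG2 transaction logs. Hives
# taken from a live or abruptly stopped system are often dirty; parsers such
# as Registry Explorer replay the logs to recover the last writes.
copy_with_logs() {
    local src="$1" dest="$2" manifest="$3" f h
    mkdir -p "$dest"
    for f in "$src" "$src.LOG1" "$src.LOG2"; do
        [ -f "$f" ] || continue
        h=$(hash_file "$f")
        cp -p "$f" "$dest/"
        # Re-hash the copy: a short read off a damaged image should fail here,
        # not later when a parser rejects the hive.
        if [ "$(hash_file "$dest/$(basename "$f")")" != "$h" ]; then
            echo "hash mismatch copying $f" >&2
            return 1
        fi
        printf '%s  %s\n' "$h" "$dest/$(basename "$f")" >> "$manifest"
    done
}

# collect_hives <mount_point> <out_dir>
collect_hives() {
    local mnt="$1" out="$2" cfg="$1/Windows/System32/config" manifest="$2/hives.sha256"
    local profile user name
    mkdir -p "$out"
    : > "$manifest"
    # System hives have unique names, so one directory is enough.
    for name in SAM SECURITY SOFTWARE SYSTEM DEFAULT; do
        copy_with_logs "$cfg/$name" "$out/system" "$manifest"
    done
    # Every profile's hive is called NTUSER.DAT (and UsrClass.dat); copying them
    # into one directory would keep only the last profile, so use one
    # subdirectory per user.
    for profile in "$mnt"/Users/*/; do
        [ -d "$profile" ] || continue
        profile=${profile%/}
        user=$(basename "$profile")
        copy_with_logs "$profile/NTUSER.DAT" "$out/users/$user" "$manifest"
        copy_with_logs "$profile/AppData/Local/Microsoft/Windows/UsrClass.dat" "$out/users/$user" "$manifest"
    done
}

# make_fixture <dir>: constructed stand-in for a mounted image. The files only
# carry the "regf" signature and a label; they are not parsable hives.
make_fixture() {
    local root="$1" name user
    for user in alice bob; do
        mkdir -p "$root/Users/$user/AppData/Local/Microsoft/Windows"
        printf 'regf NTUSER %s\n' "$user" > "$root/Users/$user/NTUSER.DAT"
        printf 'regf UsrClass %s\n' "$user" > "$root/Users/$user/AppData/Local/Microsoft/Windows/UsrClass.dat"
    done
    mkdir -p "$root/Windows/System32/config"
    for name in SAM SECURITY SOFTWARE SYSTEM DEFAULT; do
        printf 'regf %s\n' "$name" > "$root/Windows/System32/config/$name"
    done
    printf 'regf SYSTEM log\n' > "$root/Windows/System32/config/SYSTEM.LOG1"
}

# Stand-alone run against the fixture; point collect_hives at the real mount
# (e.g. /mnt/evidence) and case registry directory for actual evidence.
demo=$(mktemp -d)
make_fixture "$demo/mnt"
collect_hives "$demo/mnt" "$demo/case/registry"
cat "$demo/case/registry/hives.sha256"
```

The manifest doubles as the chain-of-custody record for the hives: re-running `sha256sum -c hives.sha256` later shows whether any copy has changed since collection.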

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

- analyzing-usb-device-connection-history (mukul975; AI & Automation, Featured; 12,642 stars, updated today): Investigate USB device connection history from Windows registry, event logs, and setupapi logs to track removable media usage and potential data exfiltration.
- analyzing-windows-shellbag-artifacts (mukul975; AI & Automation, Featured; 12,642 stars, updated today): Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable media and network shares, and establish user interaction with directories even after deletion using SBECmd and ShellBags Explorer.
- analyzing-windows-amcache-artifacts (mukul975; AI & Automation, Featured; 12,642 stars, updated today): Parses and analyzes the Windows Amcache.hve registry hive to extract evidence of program execution, application installation, and driver loading for digital forensics investigations. Uses Eric Zimmerman's AmcacheParser and Timeline Explorer for artifact extraction, SHA-1 hash correlation with threat intel, and timeline reconstruction. Activates for requests involving Amcache forensics, program execution evidence, Windows artifact analysis, or application compatibility cache investigation.
- performing-malware-persistence-investigation (mukul975; AI & Automation, Featured; 12,642 stars, updated today): Systematically investigate all persistence mechanisms on Windows and Linux systems to identify how malware survives reboots and maintains access.
- investigating-ransomware-attack-artifacts (mukul975; AI & Automation, Featured; 12,642 stars, updated today): Identify, collect, and analyze ransomware attack artifacts to determine the variant, initial access vector, encryption scope, and recovery options.