REG_BINARY #2111

Closed

sweesiahh opened this issue Aug 27, 2018 · 6 comments

@sweesiahh (Author)

Values such as REG_DWORD and REG_SZ are dumped out by default by the winreg parser.
However, REG_BINARY values are not dumped out for registry key values without a specific parser plugin.

So, is there any way to dump REG_BINARY?

@joachimmetz (Member) commented Aug 27, 2018

The idea behind this is that most binary values need additional interpretation.

Plaso is a tool to create timelines, not a tool to "dump" the contents of Windows Registry files. If you want specific binary data interpreted, I opt to create a Windows Registry plugin.

@joachimmetz joachimmetz self-assigned this Aug 27, 2018
@Onager (Contributor) commented Aug 27, 2018

Additional question - why do you want to see REG_BINARY data in the timeline? Is the idea to look for malware stored in the registry? Would an indication of the size of the data be useful?

@sweesiahh (Author)

I am looking to parse the creation date from the REG_BINARY of the Trusted Records document registry key, so as to find evidence of the creation time if the document got deleted and the MFT record got overwritten.

http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html

I will try to explore writing a parser in my free time if possible. Thanks!

@joachimmetz (Member) commented Aug 28, 2018

Yeah, if you want to parse the FILETIME value from the binary data and add it to the timeline, you'll need to parse the binary data.

Have a look at a relatively comparable Windows Registry parser plugin:
https://github.com/log2timeline/plaso/blob/c4061587187d5aa9cbc80998ee0ce00cad8b28ec/plaso/parsers/winreg_plugins/shutdown.py

Seeing that we are in the middle of a migration from construct to dtFabric, the documentation of dtFabric is still a bit sparse. Do not hesitate to reach out when you're hitting road blocks.

If you need inspiration regarding a more stand-alone solution that can easily be ported to plaso, have a look at https://github.com/libyal/winreg-kb
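The parsing step described in the comments above (extract the FILETIME from the first 8 bytes of a TrustRecords REG_BINARY value and turn it into a timestamp), as an added example that is not part of the original issue, plaso, or winreg-kb. The value data is constructed inline. Only the leading 64-bit FILETIME is taken from the discussion; the 24-byte layout and the trailing 0x7FFFFFFF "macros enabled" marker are assumptions drawn from the linked blog post, not something this issue confirms, and the function names are hypothetical.

```python
import datetime
import struct

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)

# Assumption (from the linked blog post, not from this issue): when the last
# DWORD of the value data is 0x7FFFFFFF the user clicked "Enable Content".
MACROS_ENABLED_MARKER = 0x7FFFFFFF


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME integer to a timezone-aware UTC datetime."""
    if filetime < 0 or filetime > 0xFFFFFFFFFFFFFFFF:
        raise ValueError('FILETIME out of range: {0:d}'.format(filetime))
    # Integer division keeps the arithmetic exact; we drop sub-microsecond
    # precision because datetime cannot represent it.
    return FILETIME_EPOCH + datetime.timedelta(microseconds=filetime // 10)


def datetime_to_filetime(date_time):
    """Inverse of filetime_to_datetime, used here to build test data."""
    delta = date_time - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10000000 + delta.microseconds * 10


def parse_trust_record(data):
    """Parse one TrustRecords value (REG_BINARY) into a dict.

    Returns the creation time read from the first 8 bytes, the raw size of
    the data, and, when the data is at least 24 bytes long, whether the
    trailing DWORD carries the assumed "macros enabled" marker.
    """
    if len(data) < 8:
        raise ValueError('value data too short for a FILETIME: {0:d} bytes'.format(len(data)))

    # Little-endian unsigned 64-bit integer at offset 0.
    filetime = struct.unpack_from('<Q', data, 0)[0]
    result = {
        'creation_time': filetime_to_datetime(filetime),
        'filetime': filetime,
        'data_size': len(data),
    }

    if len(data) >= 24:
        flags = struct.unpack_from('<I', data, len(data) - 4)[0]
        result['flags'] = flags
        result['macros_enabled'] = flags == MACROS_ENABLED_MARKER

    return result


# Constructed sample: a 24-byte value for a document first trusted on
# 2016-02-10 12:34:56 UTC, with the trailing "macros enabled" marker set.
SAMPLE_TIME = datetime.datetime(2016, 2, 10, 12, 34, 56, tzinfo=datetime.timezone.utc)
SAMPLE_VALUE_DATA = (
    struct.pack('<Q', datetime_to_filetime(SAMPLE_TIME))
    + b'\x00' * 12
    + struct.pack('<I', MACROS_ENABLED_MARKER))

# A second constructed sample that only carries the FILETIME, to show that the
# parser still yields a timestamp when the rest of the layout is absent.
SAMPLE_SHORT_DATA = struct.pack('<Q', datetime_to_filetime(SAMPLE_TIME))


if __name__ == '__main__':
    for label, blob in (('full', SAMPLE_VALUE_DATA), ('short', SAMPLE_SHORT_DATA)):
        record = parse_trust_record(blob)
        print(label, record['creation_time'].isoformat(), record)
```

In a plaso plugin the same unpacking would be expressed as a dtFabric data type definition rather than a bare `struct` call, and the resulting datetime would be emitted as an event rather than printed; the byte-level interpretation is the same either way.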

@joachimmetz (Member)

What will help us implement support for this is test data you can share.

If you cannot share full files, dfWinReg can provide a virtual Windows Registry for testing (see https://github.com/log2timeline/plaso/blob/master/tests/parsers/winreg_plugins/appcompatcache.py#L266 for an example) so a representative example of different versions of the key, its subkeys and values and data would suffice.

@joachimmetz (Member)

No update from reporter, closing issue.
