13 Nov 2012

Regkeval published.

Finally I have published Regkeval. The tool is intended to ease the initial examination of a computer by retrieving selected values from the Windows registry and classifying them.

The aim is to help forensic analysts in the initial phase of a Windows registry review by inspecting keys of interest, e.g. the registry keys and values involved in malware persistence, before digging deeper with RegRipper or any other tool of your choice.

The values to retrieve are read from a list that can be customized using wildcards. Once all the values have been read, they are classified using two more lists. The first one contains the values that the investigator considers normal or belonging to the system. The second one contains values that are considered malware and values that are considered of special relevance.

The tool is written in Perl and works on offline registry hives. The description included in the file says:

# Two arguments are required: the full path to the System and Software hives and the full path to all users' hives.
# e.g.: perl regkeval.pl d:\cases\C1\hives d:\cases\C1\hives\users
# perl regkeval.pl d:\cases\C2\allhives d:\cases\C2\allhives
#
# The file names of the System, Software and NTUSER hives must contain those words.
# The CurrentControlSet is selected by reading the registry.
# In order to assist the analyst when reviewing the output, the tool automatically retrieves the
# following information for any CLSID contained in the data of a value:
# the default values of InprocHandler32, InprocServer32, LocalServer32 and ProgID.
#
# The output consists of three files:
# Raw output: all registry values retrieved.
# Revised output: like the raw output plus the classification of the data based on the information
# contained in "regkeval_val_malw_espec.tsv" and "regkeval_val_justif.tsv".
# HTML output: for easy inspection of the results.
#
# The output is classified as:
# Cero - Known values.
# Uno - Unknown values.
# Dos - Malware values.
# Cuatro - Special values of interest.
#
# The classification is based on the values provided in the files "regkeval_val_justif.tsv" and
# "regkeval_val_malw_espec.tsv".
# All values in "regkeval_val_justif.tsv" are class Cero, and the match must be exact for a value to be discarded.
# All values in "regkeval_val_malw_espec.tsv" carry their own classification, and the match is based
# only on the value in the "Indicator" column.
#
# List of possible filters for retrieving data from values in subkeys of the hive:
# :::vk::: - Retrieves all values and keys
# :::v::: - Retrieves all values
# :::*::: - Any key
# :::*any_word*::: - Filter keys containing "any_word"
# value1&&value2&&value3... - Filter values
# The filters must end with the value/s to retrieve.
#
#
# Files needed:
#
# regkeval_html.dat - Main part of the html output.
# regkeval_val_malw_espec.tsv - List of known malware values of interest.
# You must maintain the format when modifying the content.
# regkeval_val_justif.tsv - List of known good values that can be discarded at this moment.
# You must maintain the format when modifying the content.
# regkeval_HKLM.csv - List of HKLM values of interest. You must maintain the format when modifying the content.
# regkeval_HKU.csv - List of HKU values of interest. You must maintain the format when modifying the content.
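To make the filter grammar and the class scheme above concrete, here is an added Python illustration of both; it is not Regkeval's own Perl code and does not read real hives. It assumes a constructed in-memory hive (a real hive would be parsed with a library such as python-registry), filter specs written as backslash-joined key segments ending in a value filter, case-insensitive key and value names as in the registry, that `:::vk:::` descends into subkeys while `:::v:::` does not, invented column names (`Indicator`, `Class`, `Justification`) for the two TSV lists, and that a malware/special Indicator matches when it appears as a case-insensitive substring of the data.

```python
"""Illustration of Regkeval's filter grammar and output classes (added example,
not the tool's code). The hive, the TSV contents and the column names are
constructed assumptions for the demonstration."""
import csv
import fnmatch
import io

VALUES = "__values__"  # reserved entry holding a key's values (name -> data)

# Constructed mock of a SOFTWARE hive; none of this is real evidence.
HIVE = {
    "Microsoft": {"Windows": {"CurrentVersion": {
        "Run": {VALUES: {
            "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
            "updater": r"C:\Users\Public\svch0st.exe",
        }},
        "RunOnce": {VALUES: {"cleanup": "rundll32.exe shell32.dll,Control_RunDLL"}},
        "Explorer": {"Shell Folders": {VALUES: {
            "Startup": r"C:\Users\x\Start Menu\Programs\Startup"}}},
    }}},
    "Classes": {"CLSID": {"{00000000-0000-0000-0000-000000000001}": {
        "InprocServer32": {VALUES: {"(Default)": r"C:\ProgramData\hook.dll"}}}}},
}

# Constructed stand-ins for regkeval_val_justif.tsv and regkeval_val_malw_espec.tsv
# (assumed tab-separated with a header row; column names are invented here).
JUSTIF_TSV = ("Indicator\tJustification\n"
              "C:\\Windows\\system32\\SecurityHealthSystray.exe\tDefender tray icon\n")
MALW_ESPEC_TSV = ("Indicator\tClass\tDescription\n"
                  "svch0st.exe\tDos\tsvchost look-alike name\n"
                  "rundll32.exe\tCuatro\tLOLBin, review the DLL it loads\n")


def _subkeys(node):
    return {k: v for k, v in node.items() if k != VALUES}


def _join(path, name):
    return f"{path}\\{name}" if path else name


def _values(path, node, recurse):
    """All values of a key; with recurse=True (':::vk:::') also of every subkey."""
    out = [(path, name, data) for name, data in node.get(VALUES, {}).items()]
    if recurse:
        for name, child in _subkeys(node).items():
            out.extend(_values(_join(path, name), child, True))
    return out


def retrieve(hive, spec):
    """Expand one filter spec into (key_path, value_name, data) tuples."""
    parts = spec.split("\\")
    results = []

    def walk(node, path, i):
        part, last = parts[i], i == len(parts) - 1
        if part in (":::v:::", ":::vk:::"):            # all values (+ subkeys for vk)
            if not last:
                raise ValueError("':::v:::' / ':::vk:::' must be the final segment")
            results.extend(_values(path, node, recurse=(part == ":::vk:::")))
        elif part.startswith(":::*") and part.endswith(":::"):   # :::*::: or :::*word*:::
            if last:
                raise ValueError("the filter must end with the value(s) to retrieve")
            pattern = part[3:-3].lower()
            for name, child in _subkeys(node).items():
                if fnmatch.fnmatchcase(name.lower(), pattern):
                    walk(child, _join(path, name), i + 1)
        elif last:                                     # value1&&value2&&value3
            wanted = {w.lower() for w in part.split("&&")}
            for name, data in node.get(VALUES, {}).items():
                if name.lower() in wanted:
                    results.append((path, name, data))
        else:                                          # literal key segment
            for name, child in _subkeys(node).items():
                if name.lower() == part.lower():
                    walk(child, _join(path, name), i + 1)

    walk(hive, "", 0)
    return results


def load_tsv(text):
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def classify(data, justif, malw_espec):
    """Cero = exact known-good match, else the Indicator's own class, else Uno."""
    if any(row["Indicator"] == data for row in justif):
        return "Cero"
    for row in malw_espec:                  # only the Indicator column is compared
        if row["Indicator"].lower() in data.lower():
            return row["Class"]
    return "Uno"


def review(hive, specs, justif_tsv=JUSTIF_TSV, malw_tsv=MALW_ESPEC_TSV):
    """Retrieve every spec, then classify each value: (class, key, name, data)."""
    justif, malw = load_tsv(justif_tsv), load_tsv(malw_tsv)
    return [(classify(data, justif, malw), key, name, data)
            for spec in specs for key, name, data in retrieve(hive, spec)]


if __name__ == "__main__":
    specs = [r"Microsoft\Windows\CurrentVersion\:::*Run*:::\:::v:::",
             r"Microsoft\Windows\CurrentVersion\Explorer\:::vk:::",
             r"Classes\CLSID\:::*:::\InprocServer32\(Default)"]
    for row in review(HIVE, specs):
        print("\t".join(row))
```

Running it prints one tab-separated line per retrieved value with its class first, in the spirit of the revised output. Note the asymmetry this reproduces: the known-good list only hides a value on an exact match, so a benign binary referenced with different casing or quoting stays class Uno and is still shown, which is the safer failure mode for a triage tool.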

 http://code.google.com/p/regkeval/
