
Automating Registry Analysis with RECmd

In the world of digital forensics, registry analysis is a crucial task. Today, we’ll dive into RECmd, a powerful command-line tool created by Eric Zimmerman, designed to automate the process of registry analysis. If you’re familiar with Registry Explorer, you’ll find RECmd to be its command-line counterpart, making your work easier and more efficient.


What is RECmd?

RECmd is essentially the command-line version of Registry Explorer. It allows you to automate the extraction of registry data, which can be incredibly useful during forensic investigations. This tool simplifies the process by using batch files to parse multiple registry keys and output the results in a CSV format.


Getting Started with RECmd

To begin, you’ll need to locate the BatchExamples folder within the RECmd directory. Inside, you’ll find files with the .reb extension. These batch files contain multiple registry key locations that RECmd will parse and output in a CSV file.

Inside the .reb file (screenshot in the original post, not reproduced here):


Running RECmd

There are several ways to run RECmd, depending on your needs:


1. Running on a Specific Hive

If you want to run RECmd on a specific registry hive, use the following command:

RECmd.exe --bn BatchExamples\Kroll_Batch.reb -f C:\Users\User\NTUSER.DAT --csv C:\Users\akash\Desktop --csvf recmd.csv

  • --bn specifies the batch file to run.

  • -f indicates the specific hive file.

  • --csv specifies the folder where the output will be stored.

  • --csvf names the output file.

You can also add the --vss option to parse the hive as found in Volume Shadow Copies.



2. Running on All Hives

To run RECmd on all hives in a directory, use this command:

RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d C:\ --csv C:\Users\akash\Desktop --csvf recmd.csv

  • -d specifies the directory to search for hives.


3. Running on Collected Hives

You can collect all hives (e.g., NTUSER.DAT, USERASSIST, SYSTEM and more) into one folder and run RECmd on them:

RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d C:\Path\To\Hives --csv C:\Users\akash\Desktop --csvf recmd.csv

4. Running on a Mounted Drive

Another method is to acquire a disk image, or use KAPE to create a drive image, then mount it and run RECmd against the mounted drive:

RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d X:\MountedDrive --csv C:\Users\akash\Desktop --csvf recmd.csv

Viewing the Output

Once RECmd has finished running, you can use Timeline Explorer to view the artifacts. This tool provides a user-friendly interface to analyze the CSV output generated by RECmd.
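To tie the batch-file structure and the run-and-review steps above together, here is an added PowerShell example; it is not part of the original post and not RECmd's own code. It writes a small .reb batch file in the published RECmd batch layout, runs RECmd over a folder of collected hives with the same flags used above, and summarises the CSV output before you open it in Timeline Explorer. The paths, the batch contents, the placeholder GUID and the Category column name are assumptions; adjust them to your case.

```powershell
# Added example (not from the original post): build a minimal RECmd batch file,
# run RECmd against a folder of collected hives, and summarise the CSV output.
# Assumptions: RECmd.exe lives in $RecmdDir; hives were copied to $HiveDir;
# the batch entries follow the published RECmd .reb (YAML) layout.

$RecmdDir  = 'C:\Tools\RECmd'            # assumed install path
$HiveDir   = 'C:\Cases\Case001\Hives'    # assumed folder of collected hives
$OutDir    = 'C:\Cases\Case001\Out'      # assumed output folder
$CsvName   = 'recmd.csv'
$BatchFile = Join-Path $RecmdDir 'BatchExamples\Minimal_Batch.reb'

# A deliberately small batch file. Each entry under Keys names a hive type,
# a key path and whether RECmd should recurse into subkeys. The Id is a
# placeholder GUID; generate your own with New-Guid for a real batch.
$Batch = @'
Description: Minimal persistence and execution batch (added example)
Author: Example
Version: 1
Id: 00000000-0000-0000-0000-000000000000
Keys:
    -
        Description: Per-user Run key
        HiveType: NTUSER
        Category: Persistence
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Run
        Recursive: false
        Comment: Programs launched when this user logs on
    -
        Description: Machine-wide Run key
        HiveType: SOFTWARE
        Category: Persistence
        KeyPath: Microsoft\Windows\CurrentVersion\Run
        Recursive: false
        Comment: Programs launched at every logon
    -
        Description: UserAssist
        HiveType: NTUSER
        Category: Program Execution
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
        Recursive: true
        Comment: GUI program execution counters
'@

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Set-Content -Path $BatchFile -Value $Batch -Encoding UTF8

# Run RECmd over every hive found under $HiveDir (same flags as the post).
$Recmd = Join-Path $RecmdDir 'RECmd.exe'
& $Recmd --bn $BatchFile -d $HiveDir --csv $OutDir --csvf $CsvName
if ($LASTEXITCODE -ne 0) { throw "RECmd exited with code $LASTEXITCODE" }

# Sanity-check the output before handing it to Timeline Explorer.
$CsvPath = Join-Path $OutDir $CsvName
if (-not (Test-Path $CsvPath)) { throw "RECmd produced no CSV at $CsvPath" }

$Rows = @(Import-Csv -Path $CsvPath)
"{0} rows parsed from {1}" -f $Rows.Count, $CsvPath

# Hit count per Category (the column name is assumed to match the batch entries).
$Rows | Group-Object -Property Category | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

The --vss option is left out here on purpose: it only makes sense when RECmd is pointed at a live volume or a mounted image that still carries Volume Shadow Copies, not at a folder of copied hive files.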

Output folder and Timeline Explorer view (screenshots in the original post, not reproduced here).

Conclusion

RECmd is a versatile and powerful tool for automating registry analysis. By using batch files and command-line options, you can streamline your forensic investigations and quickly extract valuable data from registry hives. Whether you’re working on a single hive or an entire drive, RECmd makes the process efficient and straightforward.


Akash Patel
