In the world of digital forensics, registry analysis is a crucial task. Today, we’ll dive into RECmd, a powerful command-line tool created by Eric Zimmerman, designed to automate the process of registry analysis. If you’re familiar with Registry Explorer, you’ll find RECmd to be its command-line counterpart, making your work easier and more efficient.
What is RECmd?
RECmd is essentially the command-line version of Registry Explorer. It lets you automate the extraction of registry data, which is invaluable during forensic investigations: instead of clicking through keys by hand, you point it at a batch file (.reb) that lists the keys and values of interest, and it parses them out of one or more hives and writes the results to CSV.
Getting Started with RECmd
To begin, locate the BatchExamples folder inside the RECmd directory. It contains files with the .reb extension. Each batch file is a YAML document listing registry key locations (along with the hive type each key lives in) that RECmd will parse and write to a CSV file. Kroll_Batch.reb is the most comprehensive of the shipped examples and is the one used in the commands below.
(Screenshot: inside a .reb file.)
Running RECmd
There are several ways to run RECmd, depending on your needs:
1. Running on a Specific Hive
To run RECmd against a single registry hive, use the following command:
RECmd.exe --bn BatchExamples\Kroll_Batch.reb -f C:\Users\User\NTUSER.DAT --csv C:\Users\akash\Desktop --csvf recmd.csv
--bn specifies the batch file to run.
-f indicates the specific hive file.
--csv specifies the folder where the output will be stored.
--csvf names the output file.
You can also add --vss to process the hives in any Volume Shadow Copies of the volume you are targeting; this needs an elevated prompt, since shadow copies are only readable as administrator. Note that the NTUSER.DAT of a logged-on user is locked by the OS, so on a live system you would normally collect it with KAPE or read it from a shadow copy rather than from the live profile path.
2. Running on All Hives
To run RECmd on every hive it can find under a directory, use this command:
RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d C:\ --csv C:\Users\akash\Desktop --csvf recmd.csv
-d specifies the directory to search (recursively) for hives. Pointing it at the root of a live system drive works, but it walks the whole volume, so expect it to take a while; a narrower folder is faster.
3. Running on Collected Hives
You can collect the hives you need (e.g., NTUSER.DAT and UsrClass.dat for each user, plus SYSTEM, SOFTWARE, SAM, SECURITY and Amcache.hve) into one folder and run RECmd on them. Copy the matching .LOG1 and .LOG2 transaction logs alongside each hive: RECmd uses them to replay changes that had not yet been flushed to the hive file when it was collected ("dirty" hives), and without them recent activity can be missing from the output.
RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d C:\Path\To\Hives --csv C:\Users\akash\Desktop --csvf recmd.csv
4. Running on a Mounted Drive
Another method is to acquire a disk image (or use KAPE to collect the relevant files and images) and mount it read-only. Then point RECmd at the mounted drive letter:
RECmd.exe --bn BatchExamples\Kroll_Batch.reb -d X:\MountedDrive --csv C:\Users\akash\Desktop --csvf recmd.csv
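To tie the pieces above together (the .reb layout from "Getting Started" and the "collected hives" and "mounted drive" runs), here is an added PowerShell example. It is not code from the original post or from Eric Zimmerman's project. It writes a minimal three-key batch file in the same YAML layout the BatchExamples files use, stages the hives and their transaction logs out of a mounted image into a case folder, runs RECmd over that folder with the same flags shown above, and does a quick triage of the CSV. The RECmd location (C:\Tools\RECmd), the mount letter (X:\), the case folder (C:\Cases\case01) and the batch Id GUID are assumptions; change them to match your setup.

```powershell
# Added example, not from the original post. Assumptions: RECmd.exe is in
# C:\Tools\RECmd, the evidence image is mounted read-only as X:\, and output
# goes under C:\Cases\case01. Run from an elevated PowerShell prompt.
param(
    [string]$RecmdDir  = 'C:\Tools\RECmd',
    [string]$ImageRoot = 'X:\',
    [string]$CaseDir   = 'C:\Cases\case01'
)

$Hives = Join-Path $CaseDir 'hives'
$Out   = Join-Path $CaseDir 'recmd'
New-Item -ItemType Directory -Force -Path $Hives, $Out | Out-Null

# 1. A minimal .reb batch file in the same layout as BatchExamples\*.reb:
#    header fields, then a Keys list. KeyPath is relative to the hive root,
#    HiveType tells RECmd which hives the entry applies to. The Id below is a
#    placeholder GUID; make your own with [guid]::NewGuid().
$Reb = @"
Description: Minimal autostart batch (added example)
Author: analyst
Version: 1
Id: 00000000-0000-0000-0000-000000000001
Keys:
    -
        Description: Per-user Run key
        HiveType: NTUSER
        Category: Autostart
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Run
        Recursive: false
        Comment: Programs launched at logon for this user
    -
        Description: Machine-wide Run key
        HiveType: SOFTWARE
        Category: Autostart
        KeyPath: Microsoft\Windows\CurrentVersion\Run
        Recursive: false
        Comment: Programs launched at logon for all users
    -
        Description: Current control set number
        HiveType: SYSTEM
        Category: System Info
        KeyPath: Select
        ValueName: Current
        Recursive: false
        Comment: Which ControlSet00N was active at last boot
"@
$RebPath = Join-Path $CaseDir 'minimal.reb'
Set-Content -LiteralPath $RebPath -Value $Reb -Encoding UTF8

# 2. Stage hives out of the mounted image, keeping their relative paths so
#    per-user NTUSER.DAT files do not collide. Copy .LOG1/.LOG2 next to each
#    hive so RECmd can replay unflushed transactions for dirty hives.
$Candidates = @(
    'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM' |
        ForEach-Object { Join-Path $ImageRoot "Windows\System32\config\$_" }
    Join-Path $ImageRoot 'Windows\AppCompat\Programs\Amcache.hve'
    Get-ChildItem -LiteralPath (Join-Path $ImageRoot 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            Join-Path $_.FullName 'NTUSER.DAT'
            Join-Path $_.FullName 'AppData\Local\Microsoft\Windows\UsrClass.dat'
        }
)
$prefixLen = $ImageRoot.TrimEnd('\').Length + 1
foreach ($hive in $Candidates) {
    if (-not (Test-Path -LiteralPath $hive)) { continue }
    $dest = Join-Path $Hives $hive.Substring($prefixLen)
    New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
    foreach ($src in @($hive, "$hive.LOG1", "$hive.LOG2")) {
        if (Test-Path -LiteralPath $src) {
            Copy-Item -LiteralPath $src -Destination (Split-Path $dest) -Force
        }
    }
}

# 3. Run RECmd over the staged folder: same flags as the post's commands.
& (Join-Path $RecmdDir 'RECmd.exe') --bn $RebPath -d $Hives --csv $Out --csvf 'autostart.csv'

# 4. Quick triage before opening the CSV in Timeline Explorer. Column names
#    are those of RECmd's batch-mode CSV; check the header if yours differ.
$Csv = Join-Path $Out 'autostart.csv'
if (-not (Test-Path -LiteralPath $Csv)) { throw "RECmd produced no output at $Csv" }
Import-Csv -LiteralPath $Csv |
    Where-Object { $_.Category -eq 'Autostart' } |
    Select-Object HivePath, KeyPath, ValueName, ValueData, LastWriteTimestamp |
    Sort-Object LastWriteTimestamp -Descending |
    Format-Table -AutoSize
```

The staged folder under C:\Cases\case01\hives is what you would hand to the "Running on Collected Hives" command, and the same script works against a live drive letter if you run it elevated and the hives are not locked. Keep the batch file small while you are learning what a key yields; once the entries are right, fold them into a copy of Kroll_Batch.reb rather than editing the shipped file.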
Viewing the Output
Once RECmd has finished, open the CSV in Timeline Explorer, another of Eric Zimmerman's tools. It gives you a sortable, filterable grid over the rows RECmd produced (hive, key path, value name, value data and last-write timestamp), which is far easier to work with than a spreadsheet for a large batch run.
(Screenshot: the output folder.)
(Screenshot: Timeline Explorer showing the RECmd output.)
Conclusion
RECmd is a versatile tool for automating registry analysis. By combining a batch file with a handful of command-line options you can run the same set of registry checks against a single hive, a folder of collected hives or a whole mounted image, and review the results consistently in Timeline Explorer.
Akash Patel