Kathryn Hedley

Automated USB artefact parsing from the Registry

Let me start by saying that, yes: many tools already exist to parse information out of the Windows Registry. However, while I was conducting my own tool validation processes (see https://github.com/khyrenz/tool_validation), I realised that very few tools parse this information out and automatically populate the kind of table that I would be adding into my forensic report.


So... I did a bit of R&D, and I present to you a Python script that does just that; creatively named parseusbs!


You can download the parseusbs script from here: https://github.com/khyrenz/parseusbs

The script uses the regipy offline Registry hive parser library from Martin G. Korman: https://github.com/mkorman90/regipy/tree/master/regipy. This means that you need to have this dependency installed for the script to run. You can install it using:

pip3 install regipy

What does the script do, I hear you ask! Well... it parses out either individual Registry hive files, or runs through a mounted volume to find and parse the Registry hives. If parsing individual hives, you need to provide the path to the SYSTEM hive. The SOFTWARE and any NTUSER.dat (of which you can provide multiple) hives are optional parameters.


Note: If parsing a mounted volume, depending on how you mounted the volume, you may need to first open the following folders in Explorer, and when presented with the "You don't currently have permission to access this folder" message, click on "Continue":

  • C:/Users/<user>

  • C:/Windows/System32/config

If you see that permission error when running the script, that's what the problem is; follow the steps above (you may need to reboot Windows first if it's being stubborn) and run the script again.


For reference, the script extracts from the following keys/values:

  • SYSTEM\Select\Current -> to get CurrentControlSet

  • SYSTEM\CurrentControlSet\Enum\USB

  • SYSTEM\CurrentControlSet\Enum\USBSTOR

  • SYSTEM\CurrentControlSet\Enum\SCSI

  • SYSTEM\MountedDevices

  • SOFTWARE\Microsoft\Windows Portable Devices\Devices

  • SOFTWARE\Microsoft\Windows Search\VolumeInfoCache

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2


You can output the results in key-value pairs or in CSV format (if you want to copy & paste straight into a table in a report for example).
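As an added example (not the parseusbs script itself), this is how the USBSTOR part of that extraction can be done with regipy: read SYSTEM\Select\Current to pick the control set, walk Enum\USBSTOR, split each key name into the report columns, and emit CSV. The regipy calls (RegistryHive, get_key, get_value, iter_subkeys, header.last_modified, convert_wintime) are used as I understand its API, and the device and instance names in the comments and tests are constructed, not taken from a real hive.

```python
import csv
import io
import re

# Constructed pattern for USBSTOR device-class key names, e.g.
#   Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00
DEVICE_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")

def parse_usbstor_device(key_name):
    """Split a USBSTOR device-class key name into report columns."""
    m = DEVICE_RE.match(key_name)
    if not m:
        raise ValueError(f"unexpected USBSTOR key name: {key_name}")
    d = m.groupdict()
    d["vendor"], d["product"] = d["vendor"].replace("_", " "), d["product"].replace("_", " ")
    return d

def parse_instance_id(instance):
    """Return (serial, is_unique). The instance key name is the device serial plus a
    '&<n>' suffix; if the second character is '&', Windows generated the id because
    the device reported no serial, so it cannot identify one physical stick."""
    serial = instance.rsplit("&", 1)[0]
    return serial, instance[1:2] != "&"

def usbstor_rows(system_hive_path):
    """Walk Enum\\USBSTOR in a SYSTEM hive with regipy (imported lazily so the pure
    helpers above work without it) and return one row per device instance."""
    from regipy.registry import RegistryHive  # pip3 install regipy
    from regipy.utils import convert_wintime
    hive = RegistryHive(system_hive_path)
    current = hive.get_key(r"\Select").get_value("Current")  # -> CurrentControlSet number
    rows = []
    for dev in hive.get_key(rf"\ControlSet{current:03d}\Enum\USBSTOR").iter_subkeys():
        info = parse_usbstor_device(dev.name)
        for inst in dev.iter_subkeys():
            serial, unique = parse_instance_id(inst.name)
            rows.append({**info, "serial": serial, "unique_serial": unique,
                         "friendly_name": inst.get_value("FriendlyName"),
                         "key_last_write": convert_wintime(inst.header.last_modified, as_json=True)})
    return rows

def rows_to_csv(rows):
    """Render rows as CSV text, ready to paste into a report table."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    import sys
    print(rows_to_csv(usbstor_rows(sys.argv[1])))  # e.g. E:/Windows/System32/config/SYSTEM
```

The key's last-write time is only the time the subkey was last modified, so treat it as a "last seen around" indicator and corroborate it with setupapi.dev.log or the other keys listed above before putting a first/last-connected time in a report.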


How to run it...

Get help

python3 parseUSBs.py -h

Parse individual Registry hive files

(In WSL:) python3 parseUSBs.py -s SYSTEM -w SOFTWARE -u NTUSER1.DAT -u NTUSER2.DAT

(In Windows CMD:) python parseUSBs.py -s E:/Windows/System32/config/SYSTEM -w E:/Windows/System32/config/SOFTWARE -o csv

Parse mounted volume

(In Windows CMD:) python parseUSBs.py -v E:

(In WSL:) python3 parseUSBs.py -v /mnt/e


