Blog
Practitioner notes on Windows registry forensics, hive parsing, and DFIR.
- Recovering deleted registry keys and surviving log replay
  Unallocated cell recovery, transaction log replay, VSS diffs, and the workflow that catches the registry-edit-and-revert pattern attackers use to clean up.
- The regf hive file format, in practice
  What a regf hive actually looks like on disk, why parsing it correctly is harder than people assume, and the tools that get the edges right.
- The Windows registry keys that pay back the time in DFIR
  A short list of registry locations that earn their keep in incident response: what they actually tell you, where the misreads happen, and which hive to grab first.
- Persistence via Run keys and the IFEO debugger trick
  Every Run/RunOnce variant worth knowing, the IFEO debugger trick, service hijacks, and a detection workflow that catches the boring patterns first.
- ShellBags forensics: the messy artifact that closes cases
  What ShellBags actually record, the lazy-write problem that traps analysts, and which tools parse the structure versus which ones drop records.
- UserAssist and the ROT13 program-launch history
  What UserAssist records, the GUIDs that matter, the ROT13 encoding, and the edge cases that catch analysts who treat it as a complete execution log.
- NTUSER.DAT vs SOFTWARE vs SYSTEM: which hive answers which question
  A working map of which Windows registry hive holds which artifact, when each one matters, and the confusions that cost investigators time on the call.
- How this Registry Parser actually parses your hives (and why nothing gets uploaded)
  The technical approach behind a client-side Windows registry hive parser: hivex compiled to WebAssembly, a pure-JS fallback, and what "never uploaded" really means for chain of custody.
- RegRipper parity: which 91 plugins are in, what's still missing
  A practitioner's look at the RegRipper plugins this parser implements (~91 across NTUSER, SOFTWARE, SYSTEM, SAM, SECURITY, USRCLASS, Amcache) and the long tail still planned.