Forensic artifact decoders for Windows Registry.
Modules

- amcache - Amcache registry artifact extractor.
- catalog_scan - Catalog-driven registry artifact scanner.
- com_hijacking - COM object hijacking detection from offline registry hives.
- lsadump - LSA dump artifact decoder (lsadump).
- lxss - WSL distro registration parser — HKCU\Software\Microsoft\Windows\CurrentVersion\Lxss
- path_expansion - Unified registry path-expansion engine.
- registry_keys - Generic registry key/value walker — foundation module for forensic artifact extraction.
- run_keys - Windows autostart (Run/RunOnce) registry key artifact extractor.
- sam - Windows SAM hive artifact extractor.
- shellbags - ShellBags registry artifact extractor.
- shimcache - ShimCache (AppCompatCache) registry artifact extractor.
- svc_diff - Windows service anomaly detector (svc_diff).
- typed_urls - Internet Explorer / Edge TypedURLs registry artifact extractor.
- userassist - UserAssist registry artifact extractor.