dfWinReg
dfWinReg is a Python 3 library that provides read-only access to Windows Registry objects. It offers a generic interface mimicking the Registry key hierarchy as seen on a live Windows system.
Description
dfWinReg, or Digital Forensics Windows Registry, is designed for digital forensics investigations involving Windows systems. It enables analysts to parse and examine Windows Registry files extracted from disk images or acquired memory dumps without needing a live Windows environment.
Use cases include timeline analysis, artifact recovery, and configuration reconstruction from registry hives like SYSTEM, SOFTWARE, SECURITY, SAM, and NTUSER.DAT. The library supports common registry formats and integrates with other forensic Python tools for automated processing.
As a read-only library, it ensures data integrity during analysis, making it suitable for court-admissible evidence handling.
How It Works
dfWinReg parses Windows Registry hive files using libregf for low-level registry structure access. It constructs a hierarchical object model replicating live system registry paths, enabling Python scripts to traverse keys, enumerate values, and extract data types like strings, integers, and binaries. Dependencies like python3-dfdatetime handle timestamps, while python3-dtfabric provides data format abstractions.
Installation
sudo apt install python3-dfwinregExamples
import dfwinregregistry = dfwinreg.registry.Registry()registry.Open('SYSTEM')for key in registry.GetKeys(): print(key.name)value = key.GetValueByName('RegisteredOwner')print(value.data)print(value.GetDataAsString())