Registry Analysis using Registry Explorer, ShellBags Explorer, and RegRipper

🎯 General Introduction

When dealing with a suspect device in a digital forensic context, we often extract registry hive files to analyze user and system behavior. Since we don’t work directly on the live system, we cannot use Regedit.

⚠️ Why can't we use Regedit?

Regedit only reads from the current system.
It cannot be pointed to read standalone .dat or .hiv files.
Therefore, we must use tools that support analyzing Offline Registry Files.

🧰 Required Tools

To address this, we use specialized tools to analyze registry files extracted from the target system. The main tools include:

🛠️ Tool	📌 Function	🧾 Supported Files	💡 Notable Features
Registry Explorer	Manual Analysis	All Hive Files	Supports deleted keys, transaction logs, read-only
ShellBags Explorer	User activity analysis	`NTUSER.DAT`, `USRCLASS.DAT`	Extracts folder and device history
RegRipper	Automated analysis reports	All files	Works via CLI/GUI, uses built-in plugins

📂 First: Registry Explorer

✅ Introduction

Developed by Eric Zimmerman, a SANS instructor with significant contributions to forensic tools.
Offers an interface similar to Regedit but supports independent registry files.

🔍 Additional Features:

Displays deleted keys and values
Advanced search support
Displays timestamp (Last Written Time) for each key
Read-only support (ideal for forensics)

📥 Download Tool

Can be downloaded from the SANS site or Eric Zimmerman’s Tool List

💻 Use Cases:

When you need to browse registry keys manually.
Extracting data such as:
Network information
Installed software
Startup settings
Last Write Time

🛠️ Usage Steps:

Download the tool—it comes as a ZIP file.
After extraction, ensure you have .NET Framework 4.0 installed.
The interface resembles Regedit, but you can manually select an offline registry hive file.

🧪 Registry File Analysis Steps

Dirty Hive Issue:

When opening files like NTUSER.DAT or SOFTWARE, a message may appear:

"The hive appears to be dirty… transaction logs missing."

Solution via FTK Imager:

Open FTK Imager
Navigate to NTUSER.DAT

Extract the hive along with .LOG1, .LOG2, and .BLF files

Export them into a working directory:

✅ Result:

Dirty Hive issue resolved.
Tool accurately displays all keys and values.
You can search the registry for any key.

📌 Benefit:

Once loaded successfully, you can view all keys and values as if inside Regedit and easily search.
Go back to Registry Explorer and reload the hive with logs.

- **Associated deleted records**  
  Deleted records still linked to a known key — here, total is **0**.

- **Unassociated deleted records**  
  Deleted records not linked to any active key — total is also **0**.

- **Unassociated deleted values**  
  Deleted values not associated with any key.

Manual searching can be tedious, so we move on to complementary tools.

🧳 Second: ShellBags Explorer

✅ What are ShellBags?

ShellBags are keys inside NTUSER.DAT and USRCLASS.DAT used to track:

Folders browsed by the user
View mode (Details/List/Icons)
Last viewed timestamps
Connected device names
MRU (Most Recently Used) entries

🛠️ Usage Steps:

Download ShellBags Explorer from Eric Zimmerman’s site.
Requires .NET Framework.
When launched, you can:
Analyze live registry (your current system)
Or select an offline hive such as NTUSER.DAT or USRCLASS.DAT

⚠️ Note:

If you open files like SAM or SYSTEM, you will see an error such as:

"No MRU Bags found" or "Not a valid ShellBag Hive"

Reason: ShellBags Explorer is specifically designed to analyze ShellBag-related registry keys, which exist only in NTUSER.DAT, USRCLASS.DAT.
Files like: SAM, SYSTEM, SECURITY contain completely different info such as user data, encrypted passwords, system settings, etc. They don’t include Shell\BagMRU or Shell\Bags keys.
Opening an unsupported file like SAM or SYSTEM leads the tool to not find expected keys, hence the error message.

📁 Notes:

Only works with: NTUSER.DAT, USRCLASS.DAT
Opening SAM or SYSTEM shows no ShellBags data.

💡 Example:

Opened NTUSER.DAT of user “Ahmed”.
Dirty files were detected and handled using log files.
Data shown includes:
Connected devices like IronMan, BumbleBee
Folders browsed such as SANS, iLearn Security, Work
Search keywords like forensics, Digital Forensics for Linux, etc.

Image taken from course lab project because nothing useful appeared when I tested this part on my own system.

🔍 Third: RegRipper

✅ Introduction

RegRipper is a powerful tool that performs automated analysis of registry hives using pre-built plugins.\ It works on both Windows and Linux and comes in two versions:

Command Line => rip.exe
GUI (Graphical Interface) => rr.exe

📥 Download Tool

Available on GitHub
Download as ZIP and extract.

🛠️ Usage Steps:

GUI Version:

Launch the tool and select the hive to analyze (e.g. SYSTEM, NTUSER.DAT)
Choose the report output location (e.g. Reports folder)
Click "Rip it" to begin analysis

CLI Version:

Run rip.exe
Specify the desired plugin and hive file:

rip.exe -r C:\Hive\NTUSER.DAT -f userassist > report.txt

🧾 Example Output:

System info:
Boot settings
Backup/Restore info
List of programs launched
System usage timeline

🧾 Output Format:

.txt reports with detailed analysis based on plugins
Easy to read via Notepad++ or grep (Linux)

📸 Example report format:

💡 Example Plugins:

userassist → Opened programs
services → Active system services
networklist → Connected networks
appcompatcache → Recently executed applications

🧠 Important Tips During Analysis

Tip	Explanation
🔁 Extract hives with all associated files	Especially `.LOG1`, `.LOG2`, `.BLF` to avoid Dirty Hive issues
🧪 Never work on original files	Always work on a copy of the files
🧰 Use tools together	Use Registry Explorer for manual search, ShellBags for user history, RegRipper for quick reports
🕵️ Search in multiple places	Sometimes data is in `USRCLASS.DAT` not just `NTUSER.DAT`
📄 Document everything	Include notes, timestamps, and findings in separate logs for review

✅ Summary

Tool	Main Function	File Types	Primary Uses
Registry Explorer	Manual browsing and full analysis	All hives	Key/value analysis, deleted data recovery
ShellBags Explorer	User activity tracking	NTUSER & USRCLASS	Device, folder, and timestamp tracing
RegRipper	Automated detailed reports	All hives	Comprehensive analysis via multiple plugins