Lost a Registry key! YARU is here!


Deleted member 178

Thread author
'yaru' is a minimal version of a registry viewer compared to the many others that are freely available on the Internet. 'yaru' was designed to try to parse (on a best effort basis) the Windows registry hives and display the results in a tree view GUI. Inspired by the desire to look into the Windows registry metadata so as to better forensically analyze the registry hives, yaru was designed with a portable and extensible architecture in mind so that it could be compiled to run on various operating systems.

The registry parsing engine is written in standard C/C++ and has no dependencies on the Windows registry API functions. This means the parsing engine may have trouble on certain untested boundary conditions. The GUI portion of 'yaru' leverages off the FOX (Free Objects for X) library, which was designed to be cross platform. Currently there are compiled versions of 'yaru' that will run on Windows, Linux and Mac OS X.

A feature incorporated with the Windows version of yaru is the ability to take a snapshot of the currently running hive(s) and examine them. Since the Windows OS locks down the active hives from other processes reading them, 'yaru' can resort to raw NTFS disk reads to read any of the desired hives. Consequently, this requires the user to run this tool with administrative privileges. While this approach adds complexity to yaru, it ensures that there is no corruption or changes to the active hive during analysis.

Recently there was some discussion and postings online about recovering deleted registry keys. A number of sources talked about specific registry artifacts that were available after a key was deleted. Taking from this empirical research, I was able to not only find deleted registry keys, but in certain cases, able to reconstruct additional context information, such as where they were deleted from.

Other rudimentary functionality includes:

- Show allocated (but unused) key value data space [referred to here as cell slack space].
- Show unallocated hive space [referred to here as hive slack space].
- Able to traverse the hive slack space and enumerate deleted keys [experimental].
- Report generation capability. For common registry forensics artifacts, a number of options are available to generate reports from live hives, copies of hives or hives from unmounted partitions.
- Optional logging capability that records the user selections along with data values to a separate XML file for later review.
- Ability to export any key in the hive under evaluation to a registration (.reg) file to be used for analysis. The format tries to mimic the version 5.00 of the Windows registry editor, with some additional metadata in commented form.
- Ability to process any hive using user defined templates. These templates allow one to customize what data is to be extracted. While these templates have a very primitive set of commands, they can be useful for repetitive tasks.
- Simple search capability: key names, value names, date ranges, or byte patterns.
- Capability to view registry hives from a VMware monolithic disk (VMDK) file.

Link: http://tzworks.net/prototype_page.php?proto_id=3

Review: http://betanews.com/2011/08/19/lost-a-windows-registry-key-yaru-can-recover-it/
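The post lists three hive-level artifacts that yaru exposes: cell slack (bytes an allocated cell holds beyond its payload), hive slack (unallocated cells) and deleted keys whose cell was freed but not overwritten, with the parent offset still pointing at where the key lived. The example below is added here and is not yaru's code or TZWorks' code. It builds a single hive bin (hbin) from constructed bytes, following the public regf cell layout (an int32 cell size that is negative when allocated, an `nk` key node with its parent offset at 0x10 and name length at 0x48), then walks the bin and reports those three artifacts. It assumes one hbin at hive offset 0, so hbin-relative and hive-relative offsets coincide, and fills only the nk fields it reads.

```python
"""Walk a constructed registry hive bin and classify its cells.

Added example, not yaru's code. Cell/nk layouts follow the public regf
format; the hive bytes are constructed inline so the script runs offline.
"""
import struct
from datetime import datetime, timedelta, timezone

HBIN_HDR = 0x20    # hbin header is 32 bytes; cells start right after it
HBIN_SIZE = 0x1000 # one 4 KiB bin (assumption: a single bin at hive offset 0)


def filetime(dt):
    """Convert an aware datetime to a Windows FILETIME (100 ns ticks since 1601)."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return ((dt - epoch) // timedelta(microseconds=1)) * 10


def nk_body(name, parent_off, when):
    """Payload of a key node (nk) cell, without the leading size field.
    Only the fields this example reads are populated; the rest stay zero."""
    body = bytearray(0x4C)
    body[0:2] = b"nk"
    struct.pack_into("<H", body, 0x02, 0x20)            # flags: KEY_COMP_NAME (ASCII name)
    struct.pack_into("<Q", body, 0x04, filetime(when))  # last write time
    struct.pack_into("<I", body, 0x10, parent_off)      # parent key cell offset
    struct.pack_into("<H", body, 0x48, len(name))       # key name length
    return bytes(body) + name.encode("ascii")


def cell(payload, allocated, padto=None):
    """Wrap a payload in a cell: int32 size (negative = allocated), 8-byte aligned.
    padto larger than the payload leaves cell slack behind the payload."""
    size = max(padto or 0, 4 + len(payload))
    size = (size + 7) & ~7
    raw = struct.pack("<i", -size if allocated else size) + payload
    return raw + b"\0" * (size - len(raw))


def build_hive():
    """Constructed sample: two live keys, one deleted key, trailing free space."""
    t = datetime(2011, 8, 19, tzinfo=timezone.utc)
    cells, offs, pos = [], {}, HBIN_HDR

    def add(tag, data):
        nonlocal pos
        offs[tag] = pos
        cells.append(data)
        pos += len(data)

    add("root", cell(nk_body("ROOT", 0xFFFFFFFF, t), allocated=True))
    # oversized allocation: the unused tail is cell slack
    add("software", cell(nk_body("Software", offs["root"], t), allocated=True, padto=0x100))
    # freed cell whose nk body was never overwritten: a recoverable deleted key
    add("deleted", cell(nk_body("OldTool", offs["software"], t), allocated=False))
    filler = HBIN_SIZE - pos                      # remainder of the bin is one free cell
    cells.append(struct.pack("<i", filler) + b"\0" * (filler - 4))
    hdr = (b"hbin" + struct.pack("<II", 0, HBIN_SIZE) + b"\0" * 8
           + struct.pack("<Q", filetime(t)) + b"\0" * 4)
    return hdr + b"".join(cells)


def walk_cells(hive):
    """Yield (offset, size, allocated, payload) for each cell in the bin."""
    if hive[:4] != b"hbin":
        raise ValueError("not an hbin")
    bin_size = struct.unpack_from("<I", hive, 8)[0]
    pos = HBIN_HDR
    while pos < bin_size:
        raw = struct.unpack_from("<i", hive, pos)[0]
        size = abs(raw)
        if size < 8 or pos + size > bin_size:
            break  # corrupt size field: stop instead of running off the bin
        yield pos, size, raw < 0, hive[pos + 4:pos + size]
        pos += size


def parse_nk(payload):
    """Return name, parent offset, timestamp and bytes actually used, or None."""
    if payload[:2] != b"nk":
        return None
    name_len = struct.unpack_from("<H", payload, 0x48)[0]
    if 0x4C + name_len > len(payload):
        return None
    return {"name": payload[0x4C:0x4C + name_len].decode("ascii", "replace"),
            "parent": struct.unpack_from("<I", payload, 0x10)[0],
            "filetime": struct.unpack_from("<Q", payload, 0x04)[0],
            "used": 4 + 0x4C + name_len}


def analyze(hive):
    """Collect live keys, deleted keys (with the parent they hung off), and slack totals."""
    report = {"keys": [], "deleted_keys": [], "cell_slack": 0, "hive_slack": 0}
    names = {}  # cell offset -> key name, used to resolve a deleted key's parent
    for off, size, alloc, payload in walk_cells(hive):
        nk = parse_nk(payload)
        if alloc:
            if nk:
                names[off] = nk["name"]
                report["keys"].append(nk["name"])
                report["cell_slack"] += size - nk["used"]
        else:
            report["hive_slack"] += size
            if nk:  # nk signature surviving in a free cell
                report["deleted_keys"].append((nk["name"], names.get(nk["parent"], "?")))
    return report


if __name__ == "__main__":
    print(analyze(build_hive()))
```

Because the parent offset is resolved against keys seen earlier in the same walk, a deleted key whose parent cell has itself been reused shows up with parent `?`; that is the "certain cases" caveat in the post, and a real tool would fall back to scanning other bins or the transaction logs.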