
Difference between pages "Windows NT Registry File (REGF)" and "Libregf"

From ForensicsWiki

Left: Windows NT Registry File (REGF)

[[Microsoft]] [[Windows]] NT 4 (and later) uses the '''Windows NT Registry File (REGF)''' to store system and application related data, e.g. configurations and most recently used (MRU) files.

== MIME types ==

== File signature ==

REGF has the following file signature:

hexadecimal: 72 65 67 66

ASCII: regf

== File types ==

There are multiple types of REGF files:

* normal (data) file
* transaction log file

== Transactional Registry (TxR) ==

In Vista the Transactional Registry (TxR) was introduced. TxR creates transaction log files with names similar to:

* %FILE%{%GUID%}.TM.blf
* %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
* %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms

Here %FILE% is the name of the REGF normal (data) file, e.g. NTUSER.DAT, and %GUID% is a string representation of a GUID/UUID.

TxR is similar to [[NTFS | Transactional NTFS (TxF)]] and uses the [[Common Log File System (CLFS)]].

== Contents ==

A REGF file basically consists of a set of hive bins. These hive bins contain cells that make up a hierarchy of keys and values.

== Also See ==

* [[Windows Registry]]

== External Links ==

* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]]
* [https://googledrive.com/host/0B3fBvzttpiiSSC1yUDZpb3l0UHM/Windows%20NT%20Registry%20File%20(REGF)%20format.pdf Windows NT Registry File (REGF) format], by the [[libregf|libregf project]]

[[Category:File Formats]]

Right: Libregf

{{Infobox_Software |
  name = libregf |
  maintainer = [[Joachim Metz]] |
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{LGPL}} |
  website = [http://libregf.sourceforge.net libregf.sourceforge.net] |
}}

The '''libregf''' package contains a library and applications to read the [[Windows_NT_Registry_File_(REGF) | Windows NT Registry File (REGF)]] format.

== Tools ==

The '''libregf''' package contains the following tools:

* '''regfinfo''', which shows information about REGF files.
* '''regfmount''', which mounts the keys and values in a REGF file as directories and files.

== History ==

Libregf was created by [[Joachim Metz]] in 2009, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].

== Also See ==

* [[Windows NT Registry File (REGF)]]
* [[Windows Registry]]

== External Links ==

* [http://code.google.com/p/libregf/ Project site]

[[Category:File Formats]]

Revision as of 14:41, 12 July 2013

libregf
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Analysis
License: LGPL
Website: libregf.sourceforge.net

The libregf package contains a library and applications to read the Windows NT Registry File (REGF) format.

Tools

The libregf package contains the following tools:

  • regfinfo, which shows information about REGF files.
  • regfmount, which mounts the keys and values in a REGF file as directories and files.

History

Libregf was created by Joachim Metz in 2009, while working for Hoffmann Investigations.

Also See

External Links