This crate aims to be a replacement for https://github.com/ColinFinck/nt-hive, with the following differences:
regdump
```
nt_hive2 2.0.0
forensic parser library for Windows registry hive files

USAGE:
    regdump [OPTIONS]

ARGS:

OPTIONS:
    -h, --help                 Print help information
    -I, --ignore-base-block    ignore the base block (e.g. if it was encrypted by some ransomware)
    -q, --quiet                Less output per occurrence
    -v, --verbose              More output per occurrence
    -V, --version              Print version information
```
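The `-I` option exists because the base block of a hive can be damaged while the rest of the file is still parseable. The following is an added example, not code from nt_hive2: a std-only check of the `regf` signature, the XOR checksum at offset 0x1FC and the two sequence numbers, which tells you whether a hive needs `--ignore-base-block`. All function and type names are hypothetical, and the sample block is constructed.

```rust
// Added example, not nt_hive2 code: sanity-check a regf base block (std only).
const BASE_BLOCK_LEN: usize = 4096;

#[derive(Debug, PartialEq)]
enum BaseBlock {
    Intact { dirty: bool },
    BadSignature,
    BadChecksum { stored: u32, computed: u32 },
    TooShort,
}

fn le32(buf: &[u8], off: usize) -> u32 {
    u32::from_le_bytes([buf[off], buf[off + 1], buf[off + 2], buf[off + 3]])
}

/// XOR of the first 127 little-endian dwords (bytes 0..508). The format
/// stores a result of 0xFFFFFFFF as 0xFFFFFFFE and a result of 0 as 1.
fn regf_checksum(block: &[u8]) -> u32 {
    let x = (0..508).step_by(4).fold(0u32, |acc, off| acc ^ le32(block, off));
    match x { 0xFFFF_FFFF => 0xFFFF_FFFE, 0 => 1, v => v }
}

fn check_base_block(buf: &[u8]) -> BaseBlock {
    if buf.len() < BASE_BLOCK_LEN { return BaseBlock::TooShort; }
    if &buf[0..4] != b"regf" { return BaseBlock::BadSignature; }
    let (stored, computed) = (le32(buf, 0x1FC), regf_checksum(buf));
    if stored != computed { return BaseBlock::BadChecksum { stored, computed }; }
    // Differing sequence numbers (offsets 4 and 8) mean an unfinished write.
    BaseBlock::Intact { dirty: le32(buf, 4) != le32(buf, 8) }
}

/// Constructed sample: a minimal valid base block, not taken from a real hive.
fn sample_block() -> Vec<u8> {
    let mut b = vec![0u8; BASE_BLOCK_LEN];
    b[0..4].copy_from_slice(b"regf");
    for off in [4, 8] { b[off..off + 4].copy_from_slice(&7u32.to_le_bytes()); }
    let sum = regf_checksum(&b);
    b[0x1FC..0x200].copy_from_slice(&sum.to_le_bytes());
    b
}

fn main() {
    let mut block = sample_block();
    println!("clean header:       {:?}", check_base_block(&block));
    block[..16].iter_mut().for_each(|x| *x ^= 0xA5); // constructed corruption
    println!("overwritten header: {:?}", check_base_block(&block));
}
```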
```rust
use std::fs::File;
use nt_hive2::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Open the hive file and locate the root key
    let hive_file = File::open("tests/data/testhive")?;
    let mut hive = Hive::new(hive_file)?;
    let root_key = hive.root_key_node()?;

    // Print each subkey of the root key, its last-written timestamp and its values
    for sk in root_key.subkeys(&mut hive)?.iter() {
        println!("\n[{}]; last written: {}", sk.borrow().name(), sk.borrow().timestamp());
        for value in sk.borrow().values() {
            println!("\"{}\" = {}", value.name(), value.value());
        }
    }
    Ok(())
}
```
License: GPL-3.0