# nt_hive2

This crate aims to be a replacement for https://github.com/ColinFinck/nt-hive, with the following differences:

## regdump

```
forensic parser library for Windows registry hive files

Usage: regdump [OPTIONS]

Arguments:
  name of the file to dump

Options:
  -L, --log                transaction LOG file(s). This argument can be specified one or two times
  -b, --bodyfile           print as bodyfile format
  -I, --ignore-base-block  ignore the base block (e.g. if it was encrypted by some ransomware)
  -v, --verbose...         More output per occurrence
  -q, --quiet...           Less output per occurrence
  -h, --help               Print help information
  -V, --version            Print version information
```

## hivescan

```
scans a registry hive file for deleted entries

Usage: hivescan [OPTIONS]

Arguments:
  name of the file to scan

Options:
  -L, --log        transaction LOG file(s). This argument can be specified one or two times
  -v, --verbose... More output per occurrence
  -q, --quiet...   Less output per occurrence
  -b               output as bodyfile format
  -h, --help       Print help information
  -V, --version    Print version information
```
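Both `regdump -b` and `hivescan -b` emit bodyfile records, which are normally post-processed rather than read by hand. The following is an added example, not code from nt_hive2: a small stand-alone Rust program that filters such output down to the keys last written inside a time window. It assumes the TSK bodyfile layout `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime` with Unix-second timestamps and the key's last-written time carried in the `mtime` column; the sample lines are constructed, not real tool output.

```rust
// Added example (not part of nt_hive2): filter bodyfile output by last-written time.
use std::ops::RangeInclusive;

/// One parsed bodyfile record. Assumed layout:
/// MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (Unix seconds).
#[derive(Debug, Clone, PartialEq)]
pub struct BodyfileEntry {
    pub name: String,
    pub mtime: i64,
}

/// Parse one bodyfile line. Malformed lines yield None so that a single bad
/// record does not abort a timeline run.
pub fn parse_line(line: &str) -> Option<BodyfileEntry> {
    let fields: Vec<&str> = line.split('|').collect();
    if fields.len() != 11 {
        return None;
    }
    let mtime = fields[8].trim().parse::<i64>().ok()?;
    Some(BodyfileEntry { name: fields[1].to_string(), mtime })
}

/// Names of all keys whose last-written time (assumed to be the mtime column)
/// lies inside `window`, in input order.
pub fn keys_written_in(bodyfile: &str, window: RangeInclusive<i64>) -> Vec<String> {
    bodyfile
        .lines()
        .filter_map(parse_line)
        .filter(|e| window.contains(&e.mtime))
        .map(|e| e.name)
        .collect()
}

/// Constructed sample records in bodyfile layout (hypothetical key names,
/// not real regdump output). The third line is deliberately malformed.
pub const SAMPLE: &str = "\
0|\\ROOT\\Software|0|0|0|0|0|0|1609459200|0|0
0|\\ROOT\\Software\\Vendor|0|0|0|0|0|0|1612137600|0|0
garbage line without fields
0|\\ROOT\\Software\\Vendor\\App|0|0|0|0|0|0|1614556800|0|0";

fn main() {
    // Keys last written between 2021-01-30 and 2021-03-01 (Unix seconds).
    for key in keys_written_in(SAMPLE, 1612000000..=1614600000) {
        println!("{}", key);
    }
}
```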

## cleanhive

```
merges logfiles into a hive file

Usage: cleanhive [OPTIONS] --output

Arguments:
  name of the file to dump

Options:
  -L, --log        transaction LOG file(s). This argument can be specified one or two times
  -v, --verbose... More output per occurrence
  -q, --quiet...   Less output per occurrence
  -O, --output     name of the file to which the cleaned hive will be written
  -h, --help       Print help information
  -V, --version    Print version information
```

## Usage example for developers

```rust
use std::fs::File;
use nt_hive2::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // open the hive file and parse it
    let hivefile = File::open("tests/data/testhive")?;
    let mut hive = Hive::new(hivefile)?;
    let root_key = hive.rootkey_node()?;

    // walk the direct subkeys of the root key and print each key's values
    for sk in root_key.subkeys(&mut hive)?.iter() {
        println!("\n[{}]; last written: {}", sk.borrow().name(), sk.borrow().timestamp());
        for value in sk.borrow().values() {
            println!("\"{}\" = {}", value.name(), value.value());
        }
    }
    Ok(())
}
```

License: GPL-3.0