xenial (1) reglookup-timeline.1.gz

Provided by: reglookup_0.12.0-3_amd64

NAME

       reglookup-timeline - Windows NT+ registry MTIME timeline generator

SYNOPSIS

       reglookup-timeline [-H] registry-file [registry-file ...]

DESCRIPTION

       This  script  is  a  wrapper  for reglookup(1), and reads one or more registry files to produce an MTIME-
       sorted output. This is helpful when building timelines for forensic investigations.

PARAMETERS

       reglookup-timeline accepts one or more registry file names. All of the provided registries will be parsed
       using reglookup(1). The -H option may be used to omit the header line.

OUTPUT

       reglookup-timeline generates a comma-separated values (CSV) compatible format to stdout. While the output
       of reglookup-timeline and reglookup(1) differ in the columns returned, the base format is the same.

       Currently, reglookup-timeline returns three columns:  MTIME,  FILE,  and  PATH.  Only  rows  representing
       registry  keys  are  returned,  since  MTIMEs  are not stored for values. The FILE column indicates which
       registry file (provided as an argument) the key came from. Finally, the  PATH  field  contains  the  full
       registry path to the key. Records are returned sorted in ascending order based on the MTIME column.
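       The wrapper logic this section describes (keep only key records, tag each with the hive it came from, sort ascending by MTIME, optionally drop the header as with -H), as an added Python example that is not the reglookup project's own script. It assumes that reglookup(1) emits the columns PATH,TYPE,VALUE,MTIME with TYPE "KEY" for key rows; the two hive outputs below are constructed, not captured from real registries.

```python
import csv
import io

# Constructed stand-ins for reglookup(1) output from two hive files.
# Column layout PATH,TYPE,VALUE,MTIME and the "KEY" type are assumptions.
SAMPLE_REGLOOKUP = {
    "SYSTEM": (
        "PATH,TYPE,VALUE,MTIME\n"
        "/ControlSet001,KEY,,2016-03-01 10:15:02\n"
        "/ControlSet001/Services,KEY,,2016-03-04 08:00:00\n"
        "/ControlSet001/Services/Foo,KEY,,2016-02-28 23:59:59\n"
        "/ControlSet001/Services/Foo/ImagePath,SZ,C:\\foo.exe,\n"
    ),
    "SOFTWARE": (
        "PATH,TYPE,VALUE,MTIME\n"
        "/Microsoft,KEY,,2016-03-02 12:00:00\n"
        "\"/Microsoft/Windows, Inc\",KEY,,2016-03-03 01:02:03\n"
    ),
}


def timeline(hives, omit_header=False):
    """Return (MTIME, FILE, PATH) tuples for key records, ascending by MTIME.

    hives maps a registry file name to the reglookup CSV text for that file.
    """
    rows = []
    for hive_name, text in hives.items():
        for rec in csv.DictReader(io.StringIO(text)):
            if rec["TYPE"] != "KEY":
                continue  # values carry no MTIME, so only keys are listed
            rows.append((rec["MTIME"], hive_name, rec["PATH"]))
    # Zero-padded "YYYY-MM-DD HH:MM:SS" stamps sort correctly as strings.
    rows.sort(key=lambda r: r[0])
    if not omit_header:
        rows.insert(0, ("MTIME", "FILE", "PATH"))
    return rows


def render(rows):
    """Serialise rows as CSV; paths containing commas are quoted."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(render(timeline(SAMPLE_REGLOOKUP)), end="")
```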

BUGS

       This script is new, and as such its interface may change significantly over the next few revisions. In
       particular, additional command line options will likely be added, and the output of the script may be
       altered in minor ways.

       It is very difficult to find documentation on what precise operations cause the MTIMEs to be updated.
       Basic experimentation indicates that a key's stamp is updated any time an immediate sub-value or sub-key
       is created, renamed, or deleted, or its value is modified. If this MTIME data is critical to an
       investigation, any conclusions should be validated through experimentation in a controlled lab
       environment.

       This software should be considered unstable at this time.

CREDITS

       This script was written by Timothy D. Morgan based on suggestions from Uwe Danz.

       Please see source code for a full list of copyrights.

LICENSE

       Please see the file "LICENSE" included with this software distribution.

       This  program  is  distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
       the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU  General  Public
       License version 3 for more details.

SEE ALSO

       reglookup(1) reglookup-recover(1)