GitHub - msuhanov/yarp: Yet another registry parser

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 91 Commits
cython		cython
hives_for_manual_tests		hives_for_manual_tests
hives_for_tests		hives_for_tests
records_for_tests		records_for_tests
yarp		yarp
ChangeLog		ChangeLog
Example		Example
Example.Advanced		Example.Advanced
License		License
License.Python-LLFUSE		License.Python-LLFUSE
ReadMe		ReadMe
setup.py		setup.py
test_cases.py		test_cases.py
yarp-carver		yarp-carver
yarp-memcarver		yarp-memcarver
yarp-mount		yarp-mount
yarp-print		yarp-print
yarp-timeline		yarp-timeline

Repository files navigation

yarp: yet another registry parser

1. Project goals: the library and tools

- Parse Windows registry files in a proper way (with forensics in mind).
- Expose values of all fields of underlying registry structures.
- Support for truncated registry files and registry fragments.
- Support for recovering deleted keys and values.
- Support for carving of registry hives.
- Support for transaction log files.

2. Hive version numbers supported

- Full support: 1.1-1.6.
- No support: 1.0.

In general, full support is available for hive files from installations of
Windows NT 3.1 and later versions of Windows NT (including Windows 10);
hive files from installations of pre-release versions of Windows NT 3.1 are
not supported.

3. Documentation

See the docstrings in the module.
For usage examples, see the 'Example' and 'Example.Advanced' files.

4. License

This project is made available under the terms of the GNU GPL, version 3.
See the 'License' file.

5. Installation

# pip3 install https://github.com/msuhanov/yarp/archive/1.0.33.tar.gz

6. Known issues

- Issue: the UnicodeEncodeError exception is raised when redirecting the
output of a tool (Windows only).
- Solution: execute the "set PYTHONIOENCODING=utf-8" command before running
a tool (in the same CMD session).

---
(c) Maxim Suhanov