NAME
reglookup-timeline - Windows NT+ registry MTIME timeline generator


SYNOPSIS
reglookup-timeline [-H] registry-file [registry-file ...]


DESCRIPTION
This script is a wrapper for reglookup(1). It reads one or more registry files and produces output sorted by MTIME, which is helpful when building timelines for forensic investigations.


ARGUMENTS
reglookup-timeline accepts one or more registry file names. All of the provided registries will be parsed using reglookup(1). The -H option may be used to omit the header line.


OUTPUT
reglookup-timeline generates a comma-separated values (CSV) compatible format to stdout. While the output of reglookup-timeline and reglookup(1) differ in the columns returned, the base format is the same.

Currently, reglookup-timeline returns three columns: MTIME, FILE, and PATH. Only rows representing registry keys are returned, since MTIMEs are not stored for values. The FILE column indicates which registry file (provided as an argument) the key came from. Finally, the PATH column contains the full registry path to the key. Records are returned sorted in ascending order by the MTIME column.
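The following is an added example, not the reglookup project's own script, showing how the timeline described above can be assembled from reglookup(1) output. It assumes reglookup's default columns are PATH,TYPE,VALUE,MTIME with keys marked as TYPE "KEY" and MTIMEs formatted as "YYYY-MM-DD HH:MM:SS"; the two hive outputs embedded below are constructed for the example rather than captured from real systems. It goes one step beyond the page by adding a time-window query of the kind an investigator would run over the finished timeline.

```python
import csv
import io
import subprocess
from datetime import datetime

# Constructed sample of reglookup(1)-style output for two hives, keyed by the
# file name that would have been passed on the command line. The column
# layout (PATH,TYPE,VALUE,MTIME) is assumed; paths and timestamps are made up.
SAMPLE_OUTPUT = {
    "SYSTEM": (
        "PATH,TYPE,VALUE,MTIME\n"
        "/,KEY,,2008-03-14 09:12:01\n"
        "/ControlSet001,KEY,,2008-03-15 22:41:10\n"
        "/ControlSet001/Services,KEY,,2008-03-15 22:41:12\n"
        "/ControlSet001/Services/Tcpip/Start,DWORD,0x00000001,\n"
    ),
    "SOFTWARE": (
        "PATH,TYPE,VALUE,MTIME\n"
        "/,KEY,,2008-03-14 09:12:03\n"
        "/Microsoft/Windows/CurrentVersion/Run,KEY,,2008-03-15 22:40:58\n"
        "/Microsoft/Windows/CurrentVersion/Run/tray,SZ,"
        "C:\\Program Files\\Example\\tray.exe,\n"
    ),
}

MTIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def run_reglookup(registry_file):
    """Invoke reglookup(1) on one hive and return its CSV text.

    This is how the real wrapper obtains its input; the example below feeds
    pre-captured text to the same parser so it runs without the binary.
    """
    proc = subprocess.run(["reglookup", registry_file],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_reglookup_csv(text):
    """Parse reglookup-style CSV into dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def build_timeline(outputs):
    """Merge per-file reglookup output into (MTIME, FILE, PATH) tuples.

    Value rows are dropped because the registry stores no MTIME for them;
    the result is sorted ascending by MTIME, then by file and path so that
    identical timestamps come out in a stable order.
    """
    rows = []
    for fname, text in outputs.items():
        for rec in parse_reglookup_csv(text):
            if rec["TYPE"] != "KEY":
                continue
            mtime = datetime.strptime(rec["MTIME"], MTIME_FORMAT)
            rows.append((mtime, fname, rec["PATH"]))
    rows.sort()
    return rows


def render_timeline(rows, omit_header=False):
    """Emit the MTIME,FILE,PATH CSV; omit_header mirrors the -H option."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if not omit_header:
        writer.writerow(["MTIME", "FILE", "PATH"])
    for mtime, fname, path in rows:
        writer.writerow([mtime.strftime(MTIME_FORMAT), fname, path])
    return buf.getvalue()


def keys_modified_between(rows, start, end):
    """Return timeline rows whose MTIME falls in [start, end] (inclusive)."""
    return [r for r in rows if start <= r[0] <= end]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_OUTPUT)
    print(render_timeline(timeline), end="")
    window = keys_modified_between(
        timeline,
        datetime(2008, 3, 15, 22, 40, 0),
        datetime(2008, 3, 15, 22, 42, 0),
    )
    print(render_timeline(window, omit_header=True), end="")
```

Sorting on a parsed datetime rather than the raw string keeps the ordering correct even if a future reglookup release changes the timestamp format, and the window query is where the timeline earns its keep: a burst of key modifications in the same few seconds across hives is usually the first thing worth explaining.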


BUGS
This script is new, and as such its interface may change significantly over the next few revisions. In particular, additional command line options will likely be added, and the output of the script may be altered in minor ways.

It is very difficult to find documentation on what precise operations cause the MTIMEs to be updated. Basic experimentation indicates that a key's stamp is updated any time an immediate sub-value or sub-key is created, renamed, or deleted, or when an immediate sub-value's data is modified. If this MTIME data is critical to an investigation, any conclusions should be validated through experimentation in a controlled lab environment.

This software should be considered unstable at this time.
