This repository aims to simplify the process of inspecting the Registry for forensically relevant details.

This project is inspired by the RECmd Batch files project (https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples)

This project maintains a set of Rules which are YAML files following a simple format. This project implements a compiler which compiles these rules into a VQL artifact that may be consumed by Velociraptor.

The Rule file starts with the attibute Rules and contains a list of rules:

Rules:
- Author: Andrew Rathbun
  Description: Prefetch Status
  Category: System Info
  Comment: 0 = Disabled, 1 = Application Prefetching Enabled, 2 = Boot Prefetching
    Enabled, 3 = Application and Boot Prefetching Enabled
  Glob: ControlSet00*\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
  Root: HKEY_LOCAL_MACHINE\System

• Author: This is the name of the author or the rule (optional)
• Description: The description will be shown in the generated artifact output
• Category: The category will be shown in the generated artifact output
• Comment: The comment will be shown in the generated artifact output
• Glob: The glob represents a search expression (See https://docs.velociraptor.app/vql_reference/plugin/glob/ ) the will search the registry under the Root key.
• Root: The is a root registry path. This can only be one of the following values as described below