Skip to content

arnab-glitch/Portable-Registry-Acquisition-Tool

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation


🔍 RegEx Acquisition Engine (v1.0)

PowerShell-Based Windows Forensic Artifact Collector

Developed by Arnab Das
Master’s Student, Cyber Forensics
National Forensic Sciences University


📌 Overview

RegEx Acquisition Engine is a forensic-grade PowerShell collection tool designed for extracting critical Windows artifacts safely and systematically.
It is engineered for:

  • 🔒 Live-system forensics
  • 🛠 WinPE / bootable forensic media
  • 🚫 Restricted Windows versions (VSS blocked)
  • 🔍 Evidence preservation with SHA256 hashing

The tool creates a fully structured, integrity-verified evidence package ready for analysis using RegEx-Analysis.


Key Features

🧩 1. Forensic Artifact Extraction

  • SYSTEM / SAM / SECURITY / SOFTWARE / DEFAULT hives
  • User NTUSER.DAT + UsrClass.dat (best-effort live copy)
  • Event logs: System, Application, Security
  • USBSTOR + USB Enum metadata
  • Prefetch execution traces
  • Amcache program execution history

🔐 2. Integrity & Chain-of-Custody

  • SHA256 hashing for every artifact
  • Full manifest.json with metadata
  • regex_log.txt containing event logs
  • operation_summary.txt for documentation

⚙️ 3. Engine Behavior

  • Auto-detection of VSS capability
  • Fallback mode using reg save, wevtutil, file copy
  • Zero writes to system drive
  • Clean artifact staging on external media

🚀 How to Use

1️⃣ Open PowerShell as Administrator

Required for registry + log extraction.

2️⃣ Run the script

PowerShell -NoProfile -ExecutionPolicy Bypass -File .\RegEx_Acquire.ps1

3️⃣ Documentation

See the /docs folder:

  • features.md — All features in detail
  • artifacts_collected.md — Artifact meaning & forensic value
  • usage_examples.md — Terminal usage screenshots
  • limitations.md — Known limitations of live acquisition

4️⃣ Screenshot

A sample of the generated evidence structure produced by RegEx Acquisition Engine:


🔗 Related Project

Looking for the report generator and analysis engine?

Related Tool

The analysis engine converts the collected evidence into a full neon-themed interactive HTML forensic report.

About

RegEx is a portable Windows Registry Acquisition tool designed for forensic investigators. It runs directly from a USB device, requires no installation, and extracts targeted registry hives using predefined acquisition profiles. Built for speed, reliability, and zero-footprint operation.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors