Master’s Student, Cyber Forensics
National Forensic Sciences University
RegEx Acquisition Engine is a forensic-grade PowerShell collection tool designed for extracting critical Windows artifacts safely and systematically.
It is engineered for:
- 🔒 Live-system forensics
- 🛠 WinPE / bootable forensic media
- 🚫 Restricted Windows versions (VSS blocked)
- 🔍 Evidence preservation with SHA256 hashing
The tool creates a fully structured, integrity-verified evidence package ready for analysis using RegEx-Analysis.
- SYSTEM / SAM / SECURITY / SOFTWARE / DEFAULT hives
- User NTUSER.DAT + UsrClass.dat (best-effort live copy)
- Event logs: System, Application, Security
- USBSTOR + USB Enum metadata
- Prefetch execution traces
- Amcache program execution history
- SHA256 hashing for every artifact
- Full `manifest.json` with metadata
- `regex_log.txt` containing event logs
- `operation_summary.txt` for documentation
- Auto-detection of VSS capability
- Fallback mode using `reg save`, `wevtutil`, file copy
- Zero writes to system drive
- Clean artifact staging on external media
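The following is an added example, not the project's own `RegEx_Acquire.ps1`, showing how the fallback path described in the feature list fits together: a VSS capability probe, `reg save` for the locked hives, `wevtutil epl` for the live event logs, plain file copy for Prefetch and Amcache, SHA256 per artifact, a `manifest.json`, and a re-verification routine. The script name, the `-Destination` parameter, the `vssadmin` exit-code probe, the directory layout and the manifest field names are all assumptions for illustration; it must be run from an elevated PowerShell session because `reg save` on SAM/SECURITY and export of the Security log require administrator rights.

```powershell
# Added example (not the project's code): minimal fallback-mode acquisition.
# Assumptions: run elevated; -Destination points at external media.
param(
    [Parameter(Mandatory)] [string]$Destination
)
$ErrorActionPreference = 'Stop'
$manifest = @()

# Guard the "zero writes to system drive" property before touching anything.
if ((Split-Path -Qualifier $Destination) -eq $env:SystemDrive) {
    throw "Destination must not be on the system drive ($env:SystemDrive)"
}

function Add-Artifact {
    param([string]$Path, [string]$Category, [string]$Method)
    # Hash immediately after the write so the manifest records the artifact
    # exactly as it landed on evidence media.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $script:manifest += [pscustomobject]@{
        category  = $Category
        file      = $Path
        method    = $Method
        sha256    = $hash
        size      = (Get-Item $Path).Length
        collected = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# 1. VSS capability probe (assumption: a non-zero exit code from vssadmin means
#    shadow copies are blocked or the service is disabled). Only the fallback
#    path is implemented here; a VSS path would copy the hives from a shadow.
& vssadmin.exe list shadows *> $null
$method = if ($LASTEXITCODE -eq 0) { 'vss-available' } else { 'fallback' }

foreach ($d in 'Registry', 'EventLogs', 'Prefetch', 'Amcache') {
    New-Item -ItemType Directory -Path (Join-Path $Destination $d) -Force | Out-Null
}

# 2. Registry hives: reg save writes a consistent copy of a loaded hive.
foreach ($hive in 'SYSTEM', 'SAM', 'SECURITY', 'SOFTWARE', 'DEFAULT') {
    $out = Join-Path $Destination "Registry\$hive.hiv"
    & reg.exe save "HKLM\$hive" $out /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg save failed for $hive" }
    Add-Artifact -Path $out -Category 'registry' -Method 'reg save'
}

# 3. Event logs: wevtutil epl exports the live .evtx without stopping the service.
foreach ($log in 'System', 'Application', 'Security') {
    $out = Join-Path $Destination "EventLogs\$log.evtx"
    & wevtutil.exe epl $log $out
    if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed for $log" }
    Add-Artifact -Path $out -Category 'eventlog' -Method 'wevtutil epl'
}

# 4. Prefetch and Amcache: plain file copy. Amcache.hve may be locked on a
#    live system, so it is best-effort rather than fatal.
Get-ChildItem "$env:SystemRoot\Prefetch\*.pf" -ErrorAction SilentlyContinue | ForEach-Object {
    $out = Join-Path $Destination "Prefetch\$($_.Name)"
    Copy-Item -Path $_.FullName -Destination $out
    Add-Artifact -Path $out -Category 'prefetch' -Method 'file copy'
}
try {
    $out = Join-Path $Destination 'Amcache\Amcache.hve'
    Copy-Item -Path "$env:SystemRoot\appcompat\Programs\Amcache.hve" -Destination $out
    Add-Artifact -Path $out -Category 'amcache' -Method 'file copy'
} catch {
    Write-Warning "Amcache copy failed (file locked?): $_"
}

# 5. Manifest with host metadata and every artifact's hash.
$manifestPath = Join-Path $Destination 'manifest.json'
[pscustomobject]@{
    host      = $env:COMPUTERNAME
    method    = $method
    created   = (Get-Date).ToUniversalTime().ToString('o')
    artifacts = $manifest
} | ConvertTo-Json -Depth 4 | Set-Content -Path $manifestPath -Encoding UTF8

# Re-verification: recompute every SHA256 and compare with the manifest.
# Returns $true only when no artifact has changed since acquisition.
function Test-Manifest {
    param([string]$Path)
    $m = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $bad = @($m.artifacts | Where-Object {
        (Get-FileHash -Path $_.file -Algorithm SHA256).Hash -ne $_.sha256
    })
    return ($bad.Count -eq 0)
}
Test-Manifest -Path $manifestPath
```

Run it as `.\Acquire-Fallback.ps1 -Destination E:\Evidence` (hypothetical script name) from an elevated prompt. The design point worth copying is that hashing happens inside `Add-Artifact`, immediately after each write, so the manifest captures the artifact as it was acquired rather than as it looks after later handling; `Test-Manifest` is the check an examiner re-runs before analysis to confirm nothing on the evidence media has changed.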
Administrator privileges are required for registry + log extraction. Run the script from an elevated PowerShell prompt:

```powershell
PowerShell -NoProfile -ExecutionPolicy Bypass -File .\RegEx_Acquire.ps1
```
See the /docs folder:
- features.md — All features in detail
- artifacts_collected.md — Artifact meaning & forensic value
- usage_examples.md — Terminal usage screenshots
- limitations.md — Known limitations of live acquisition
A sample of the generated evidence structure produced by RegEx Acquisition Engine:
Looking for the report generator and analysis engine?
The analysis engine converts the collected evidence into a full neon-themed interactive HTML forensic report.
