PARSNIP: Parsing Registry Hives from Snip-Snapped Shadow Copies with Timelining and Timsort

Journal: International Journal of Computer Science and Mobile Computing - IJCSMC (Vol.13, No. 8)

Page : 76-85

Keywords : Cybersecurity; Digital Forensics; Parsing; Registry Forensics; Timeline; Timsort; Windows Registry;

Abstract

Processing a Windows system's Registry data into a readable format, known as parsing, is an essential step in a forensic investigation. It allows an analyst to examine a system's information and configuration at a point in time, as captured in a snapshot called a shadow copy. After parsing, an analyst may attempt to detect Indicators of Compromise (IOC) or malware through altered, inserted, or deleted entries holding this information, called values, which are stored within their respective containers, called keys. Keys in turn are stored in groups, called hives, which together compose the Registry. This paper discusses the Registry and its evidentiary value, and evaluates a Python-based hive parsing tool called PARSNIP, which builds a timeline of the hives across successive parses and can sort the parsed data using Timsort. Notably, it also timelines hive changes for any inserted or deleted values. The evaluation focuses on the tool's features and its capacity to enhance the investigation process towards a timely and detailed analysis. A recommended usage is then derived from this evaluation and the related literature.
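As an added illustration (not the paper's or PARSNIP's own code), the kind of snapshot-to-snapshot value timeline the abstract describes: successive hive contents from shadow copies are diffed for inserted, deleted and altered values, and the events are ordered with Python's built-in sort, which is Timsort. The hive contents, key paths and timestamps below are constructed for the example.

```python
# Added example (not PARSNIP's code): diff registry-hive snapshots taken from
# successive shadow copies and build a sorted change timeline.
# Hive contents, key paths and timestamps are constructed for illustration.
from datetime import datetime

# Constructed snapshots: (time of shadow copy, {key path: {value name: data}})
SNAPSHOTS = [
    (datetime(2024, 8, 1, 9, 0), {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"OneDrive": "onedrive.exe"},
        r"HKLM\SYSTEM\CurrentControlSet\Services\Example": {"Start": 2},
    }),
    (datetime(2024, 8, 2, 9, 0), {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"OneDrive": "onedrive.exe",
                                                                "updater": r"C:\Users\Public\u.exe"},
        r"HKLM\SYSTEM\CurrentControlSet\Services\Example": {"Start": 4},
    }),
    (datetime(2024, 8, 3, 9, 0), {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"OneDrive": "onedrive.exe"},
        r"HKLM\SYSTEM\CurrentControlSet\Services\Example": {"Start": 4},
    }),
]

def diff_hives(prev, curr, seen_at):
    """Return (time, change, key, value name, data) events for every value
    inserted, deleted or altered between two parsed hive snapshots."""
    events = []
    for key in set(prev) | set(curr):
        before, after = prev.get(key, {}), curr.get(key, {})
        for name in set(before) | set(after):
            if name not in before:
                events.append((seen_at, "inserted", key, name, after[name]))
            elif name not in after:
                events.append((seen_at, "deleted", key, name, before[name]))
            elif before[name] != after[name]:
                events.append((seen_at, "altered", key, name, after[name]))
    return events

def build_timeline(snapshots):
    """Diff consecutive snapshots and order all events by time, key, value name.
    sorted() is CPython's Timsort; it is stable, so ties keep diff order."""
    events = []
    for (_, h_prev), (t_curr, h_curr) in zip(snapshots, snapshots[1:]):
        events.extend(diff_hives(h_prev, h_curr, t_curr))
    return sorted(events, key=lambda e: (e[0], e[2], e[3]))

if __name__ == "__main__":
    for when, change, key, name, data in build_timeline(SNAPSHOTS):
        print(f"{when:%Y-%m-%d %H:%M} {change:<8} {key}\\{name} = {data!r}")
```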

Last modified: 2024-08-23 03:42:37