pjrinaldi / wombatregistry
Stand Alone Version of the Registry Viewer found in Wombat Forensics
License: GNU General Public License v2.0
Still a few issues where the 0x8000 and 0x2000 show up more than once, so the wrong info gets read, but closer for v0.6, and I'll continue to research and see if there is a way to parse the artifact properly. I think it has something to do with an MS shellitem.
The current static linking install command doesn't wrap libregf.a into the executable; I need to modify it according to the wombathasher code to actually get it built in.
Need to remove the html prior to recreating the html files.
Need to set the column justification to left aligned for most table columns.
Tags with similar names have the report count off. If tags "USB Device" and "USB Device 1" exist, and you search for contains("USB Device"), then the count will include both tags.
Need to look at other examples and see if there is a common thread to pull the file name out.
Need to parse wordwheelquery, same as the other, which breaks at 00 00.
The end line is too long: it isn't the width of the 1st row of text, it's the length of all the text across all the rows, and it is too long.
Need to fix this so the length is the correct length after the hex display, which should be a standard size based on the hex display.
Add parsing for registries from Win3.1, 95, and any other registry format not covered by libregf
Add hourglass when opening hives.
Need to implement html viewer code so I can view the preview report.
Need to update the status message when a non-compatible file is opened; also need to add the proper GUI features to the buttons as well as the tip text to get it working.
Need to add a toolbar; I'm not big on menu bars. This will provide the reporting/tagging buttons that I need.
Need to have arrow up/down in the table list select an item and throw the load content function.
Implement the pieces which were in wombatforensics and decouple the other parts so the code will work independently. I'm still leaving the registry viewer in wombatforensics, but this will enable me to use a registry viewer on linux.
Need to fix the remove tags code which needs to loop backwards so that entries aren't missed. Might not be an issue since the tag remover would remove a specific tag and not necessarily all tags. I'll have to check and see. If it needs to be fixed, I'll need to fix this in other code such as mailviewer and the sqlite tool, etc.
The wombatregistry release will crash when the debug version doesn't. Not sure why, and it's kind of annoying to have to double debug 2 versions of a program, so I'm playing around with the FOX toolkit and seeing how that will work rather than Qt5.
Loading a registry file from the command line doesn't seem to fully launch everything correctly; need to look at the code and ensure nothing is missing from the open button vs. the command line.
The tagged items don't stay when I switch between keys, so I need to fix this...
Need to convert the key to human readable date/time
Similar to wordwheelquery for parsing.
Should implement the openhive to open in the directory it was in previously.
if(prevopendir.isEmpty())
    prevopendir = QDir::homePath();
once hivefilepath is set, also set prevopendir
Look at selecting the 1st value by default in the table and displaying its results.
Need to implement right click menu for tagging...
For parsed value content, I should add a column to the value table and pre-populate it with the parsed content; this way you don't have to click on the value to see its content.
Need to add the "NTUSER", "SYSTEM", "SOFTWARE", "SAM", bit from the file tree root item to the start of the status bar text line.
Missing some binary content, i.e. the second row for a 2-row value.
Need to implement report export functionality and the html code to generate the report.
I also need to provide more parsed text for more key/values...
Will use the real world work of what I've been tagging lately for user data and system info, software info, and usb device info as a guide of how I would like the information parsed and displayed.
The values are ROT13-encrypted, so I need to decrypt them before I display them.
0003 - similar to wordwheelquery
000a - similar to wordwheelquery
0064 - First Install
0066 - Last Connected
0067 - Last Removal
Times are 64-bit Windows FILETIME.
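The three parsing chores raised in the items above (ROT13 value names, the wordwheelquery-style UTF-16LE strings that break at 00 00, and the 64-bit FILETIME fields on the USB device values, which is the same job as the earlier "convert the key to human readable date/time" item) in working code. This is an added example written for this page in Python; it is not code from wombatregistry, which is C++/Qt. The sample value name, strings and timestamps are constructed, and the 0064/0066/0067 labels are taken from the issue text above rather than from any Microsoft reference.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian Windows FILETIME into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    # Integer division keeps microsecond precision; the sub-microsecond tick is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def rot13_value_name(name: str) -> str:
    """Decode a ROT13-obfuscated value name (UserAssist style). Digits, braces and
    punctuation are not rotated, so GUIDs and path separators survive intact."""
    return codecs.decode(name, "rot_13")


def utf16le_strings(blob: bytes) -> list:
    """Split a REG_BINARY blob of UTF-16LE strings at the 00 00 terminator.
    Scanning on 2-byte boundaries is what makes this safe: the single 0x00 byte
    that is the high half of every ASCII character (e.g. 'A' = 41 00) must not
    be mistaken for the end of a string."""
    strings = []
    start = 0
    end = len(blob) - (len(blob) % 2)  # ignore a dangling odd byte
    for i in range(0, end, 2):
        if blob[i] == 0 and blob[i + 1] == 0:
            if i > start:
                strings.append(blob[start:i].decode("utf-16-le"))
            start = i + 2
    if start < end:  # trailing string with no terminator
        strings.append(blob[start:end].decode("utf-16-le"))
    return strings


# Labels for the USB device property values named in the issue above.
# The mapping comes from the issue text, not from Microsoft documentation.
USB_TIME_LABELS = {
    "0064": "First Install",
    "0066": "Last Connected",
    "0067": "Last Removal",
}


def usb_device_times(values: dict) -> dict:
    """Render the FILETIME-valued USB device property values as ISO 8601 UTC strings.
    `values` maps value name -> raw REG_BINARY data; names without a label are skipped."""
    result = {}
    for name, raw in values.items():
        label = USB_TIME_LABELS.get(name.lower())
        if label is None:
            continue
        result[label] = filetime_to_datetime(raw).isoformat()
    return result


if __name__ == "__main__":
    # Constructed sample data, not taken from a real hive.
    print(rot13_value_name("HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr"))
    # -> UEME_RUNPATH:C:\Windows\notepad.exe
    print(utf16le_strings("resume".encode("utf-16-le") + b"\x00\x00"
                          + "Admin".encode("utf-16-le") + b"\x00\x00"))
    # -> ['resume', 'Admin']
    print(usb_device_times({"0064": b"\x00\x80\x3e\xd5\xde\xb1\x9d\x01"}))
    # -> {'First Install': '1970-01-01T00:00:00+00:00'}
```

The FILETIME conversion is deliberately kept in UTC; applying a display timezone (the toolbar/report setting mentioned further down) is a presentation step layered on top, so the stored timestamp is never mutated.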
I either need an empty value when none exists, or I need a way to tag the folders, but I think the entry method is the better way to go.
The value UTF-8 content is different between the actual displayed code and the code as it is in the html report...
Have to figure out why??
I'm not exactly happy with the reporting generation output.
I think there has to be a better way to generate the layout of the report. When I gen a report and try to add it into an overall analysis results html report, it doesn't blend in well.
I may need the standalone report as one method and then an add-in report which arranges the key/values tagged differently for another report method.
When switching registry hives of the same name, it isn't loading the new file but staying with the old one.
I'd prefer it if the tag and value columns autoresize, so I need to implement that.
Need a way to close a selected registry file so I don't have to exit the program if I don't want to edit multiple registries at the same time.
Need to add timezone button/settings to the toolbar or maybe when you publish report...
Not properly displaying values for timezoneinformation and select keys from the \SOFTWARE\ControlSet001\Control\TimeZoneInformation and \SOFTWARE\Select
Link tags work until I click to open a tagged item; then the links open the last page...
Need to figure this out..
When I tag one value in the ntuser/console, and then switch keys and go back to that key, all values below it get tagged...
I need to look at the restore tag code and fix whatever issue exists; it could be a found issue or contains, etc...
Will have to debug.
If you tag items, then rename the tag, it doesn't update the tag name for the already tagged items.
Currently, the code allows 2 registry files to be added at once, but eventually the display of values gets all screwed up between them. I either need to implement 1 at a time, or figure out what is going wrong with multiple files and fix accordingly. If I had to guess, the issue would be that the filename of the last loaded wipes out the file name of the original, so the keys/values can't be dynamically loaded anymore.
A quick idea to resolve this is to store the filepaths in an array and then use that to get the right filename to load the correct key/value pairs.
Have to ensure the treewidget matches the filepath array.
Need to move report generation from the viewer to the main code, otherwise you have to preview the report before you can publish the report, which is silly. I fixed this in the mailviewer, so i can look there if i forget how to fix it.