Wednesday, May 19, 2010

EnScript to find and parse "nk" registry keys

There have been a lot of postings lately in the forensic community about the value of, and the information that can be gleaned from, an orphaned 'nk' registry record that may exist in unallocated space. The 'nk' record holds the name of a registry key, i.e. the name of the folder when viewed in regedit or other registry viewing tools. It does not contain the data values themselves.

Here is an example:

The "MountedDevices" item on the left side is the key (aka 'nk' record). The data values inside that key (folder) are 'vk' records (blue highlighted items on the right) and are not parsed by this EnScript. 

This EnScript can be used to search any selected (blue checked) file in EnCase. Commonly that would be unallocated clusters, the pagefile and the active registry hives, in order to find deleted keys. When you run the EnScript, you will be presented with date range fields. The 'nk' records (keys) are what carry the last modified timestamp, so if you are looking for activity during a specific date range you can narrow or broaden the hits that are found by entering whatever dates/times you want in these fields.

Once you enter dates & times, press "OK" and all the selected files will be searched for 'nk' records. Once one is found, the EnScript will try to validate it as a valid key, then bookmark it. It will also indicate if it is a deleted key as opposed to a valid "in use" key. It is common to find "in use" keys in unallocated and the pagefile as they are moved around and swapped out of memory, but that does not mean they are still "in use".

The EnScript will create a bookmark folder with the timestamp of the current time that you ran the EnScript, along with the range you chose:

The comment field will have the date in a numerical UNIX format so you can accurately sort this column by date. After the date will be the name of the key found, and then whether it is deleted.

The EnScript will also print some basic info to the console tab:

Case 1\C\Unallocated Clusters
07/14/09 09:12:04AM    win32
07/14/09 09:12:04AM    FLAGS
07/14/09 09:12:04AM    HELPDIR
07/14/09 09:11:24AM    notepad.exe
07/14/09 09:11:24AM    command
09/12/09 06:24:08PM    OpenWithList
07/14/09 09:11:24AM    notepad.exe
Timestamp out of range, skipping....
07/14/09 09:11:24AM    .log
07/14/09 09:11:24AM    .scp
07/14/09 09:11:24AM    ShellNew
07/14/09 09:11:24AM    inifile
07/14/09 09:11:24AM    DefaultIcon
07/14/09 09:11:24AM    shell
07/14/09 09:11:24AM    open

Hits that are outside the range you specified will not be bookmarked and you will see "Timestamp out of range, skipping...." in the console when a record is skipped.
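As an added illustration (Python, not the EnScript itself), here are the carving and validation steps described above: scan for the "nk" signature, read the signed cell-size header that sits in front of it (negative = allocated, positive = free, which is how this example tells deleted keys apart), pull the last-written FILETIME and key name, and keep only hits inside the requested date range. The sanity bounds are heuristics chosen for the demo, and the sample cells and junk bytes are constructed, not real hive content.

```python
import re, struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_nk(buf, off):
    """Validate the 'nk' signature at buf[off]; return {name, timestamp, deleted} or None."""
    if off < 4 or off + 76 > len(buf):
        return None
    # The 4 bytes before "nk" hold the signed cell size: negative = allocated (in use), positive = free (deleted)
    cell_size = struct.unpack_from("<i", buf, off - 4)[0]
    flags, ft = struct.unpack_from("<HQ", buf, off + 2)   # key flags, last-written FILETIME
    name_len = struct.unpack_from("<H", buf, off + 72)[0]
    # Heuristic sanity bounds: the cell must cover header + name and stay reasonably small.
    if name_len == 0 or not 76 + name_len <= abs(cell_size) <= 0x10000 or off + 76 + name_len > len(buf):
        return None
    raw = buf[off + 76:off + 76 + name_len]
    # KEY_COMP_NAME (0x20): name stored as 8-bit characters, otherwise UTF-16LE
    name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le", "replace")
    if not name.isprintable():
        return None
    try:
        ts = EPOCH_1601 + timedelta(microseconds=ft // 10)  # 100-ns ticks -> datetime
    except OverflowError:      # garbage FILETIME far outside the datetime range
        return None
    return {"name": name, "timestamp": ts, "deleted": cell_size > 0}

def find_nk_records(buf, start, end):
    """Carve plausible nk records from buf, keeping those last written within [start, end]."""
    hits = []
    for m in re.finditer(b"nk", buf):
        rec = parse_nk(buf, m.start())
        if rec and start <= rec["timestamp"] <= end:  # else: "Timestamp out of range, skipping"
            hits.append(rec)
    return hits

def make_nk_cell(name, when, allocated):
    """Constructed demo data: a minimal nk cell (size header + 76-byte record + ASCII name), 8-byte aligned."""
    ft = ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10
    rec = b"nk" + struct.pack("<HQ", 0x20, ft) + bytes(60) + struct.pack("<HH", len(name), 0) + name.encode()
    size = (4 + len(rec) + 7) & ~7
    return struct.pack("<i", -size if allocated else size) + rec + bytes(size - 4 - len(rec))

UTC = timezone.utc
SAMPLE = (b"some junk bytes"   # constructed: contains "nk" but is not a record
          + make_nk_cell("MountedDevices", datetime(2009, 7, 14, 9, 12, 4, tzinfo=UTC), True)
          + make_nk_cell("OpenWithList", datetime(2009, 9, 12, 18, 24, 8, tzinfo=UTC), False)
          + make_nk_cell("notepad.exe", datetime(2004, 1, 1, tzinfo=UTC), False) + bytes(16))  # 2004: out of range

def demo():
    return find_nk_records(SAMPLE, datetime(2009, 7, 1, tzinfo=UTC), datetime(2009, 12, 31, tzinfo=UTC))
```

Running demo() returns the allocated MountedDevices key and the freed (deleted) OpenWithList key; the 2004 notepad.exe record and the "nk" inside the junk prefix are skipped.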
