Yet Another Registry Utility (yaru)
yaru started as a simple version of a registry viewer and has grown in capability as it matured. yaru is designed to be a portable Windows registry hive parser and viewer. Currently there are compiled versions of yaru that will run on Windows, Linux and OS-X.
A feature incorporated with the Windows version of yaru, is the ability to take a snapshot of the currently running hives and examine them. Since the Windows operating system locks down the active hives from other processes reading them, yaru can resort to raw NTFS disk reads to read any of the desired hives.
Useful features of yaru include: (a) Show allocated, but unused, key/value data space [referred to here as cell slack space], (b) Show unallocated hive space [referred to here as hive slack space], (c) Traverse the hive slack space and enumerate deleted keys, (d) Report generation capability. For common registry forensics artifacts, a number of options are available to generate reports from live hives, copies of hives or hives from unmounted partitions, (e) Logging capability that records the user selections along with data values to a separate XML file for later review, (f) Ability to export any key in the hive under evaluation to a registration (.reg) file to be used for analysis, (g) Ability to process any hive using user defined templates, (h) Simple search capability: key names, value names, date ranges, or byte patterns and (i) Capability to view registry hives from a VMWare monolithic disk (VMDK) file.
|32-bit Version||64-bit Version|
|Mac OS X:||Not Available||yaru.v.1.35.osx.tar.gz||md5/sha1|
|*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.|