Shellbag analysis
Posted: Thu Jan 10, 2013 8:18 am
Is anyone including shellbag artifacts in their analysis of Windows systems?
If so, what tool(s) are you using?
How are you analyzing/including/interpreting the DOSDate time stamps?
Thanks.
-

keydet89 - Senior Member
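The DOSDate time stamps the original poster asks about are the 32-bit FAT-style date/time fields stored inside shell items. As an added example (not code from anyone in this thread or from any of the tools named), this Python decoder shows the field layout and the two limitations an examiner has to account for: 2-second resolution and no time-zone information (the values are written in the machine's local time). The date-word-then-time-word byte order and the sample bytes are constructed here.

```python
"""Decode the 32-bit DOS (FAT) date/time stored in Windows shellbag items."""
from __future__ import annotations
import struct
from datetime import datetime


def decode_dos_datetime(raw: bytes) -> datetime | None:
    """Decode a 4-byte DOS date/time: date word first, then time word,
    both little-endian (the layout assumed for Windows shell items).

    Returns None for the all-zero value, which shell items use when no
    timestamp was recorded. The result is naive: DOS timestamps carry no
    time-zone information and are written in the machine's local time.
    """
    if len(raw) != 4:
        raise ValueError("DOS date/time is exactly 4 bytes")
    date_word, time_word = struct.unpack("<HH", raw)
    if date_word == 0 and time_word == 0:
        return None
    day = date_word & 0x1F
    month = (date_word >> 5) & 0x0F
    year = 1980 + (date_word >> 9)
    second = (time_word & 0x1F) * 2      # stored in 2-second units
    minute = (time_word >> 5) & 0x3F
    hour = time_word >> 11
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:
        return None  # month 0, day 0, hour > 23: corrupt or not a timestamp


def encode_dos_datetime(dt: datetime) -> bytes:
    """Inverse of decode_dos_datetime; odd seconds are truncated to even."""
    if not 1980 <= dt.year <= 2107:
        raise ValueError("DOS dates cover 1980..2107")
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date_word, time_word)


# Constructed sample: 2013-01-10 08:18:00 -> date 0x422A, time 0x4240.
SAMPLE = b"\x2a\x42\x40\x42"
# Constructed sample with the seconds field set to 15, i.e. 30 seconds.
SAMPLE_SECONDS = b"\x2a\x42\x4f\x42"

if __name__ == "__main__":
    print(decode_dos_datetime(SAMPLE))
    # 08:18:31 cannot be represented; it round-trips as 08:18:30.
    print(decode_dos_datetime(encode_dos_datetime(datetime(2013, 1, 10, 8, 18, 31))))
```

When cross-verifying against a tool's output, compare to the nearest even second and apply the examined machine's local time zone yourself; a tool that prints these values as UTC without saying so is a validation finding in itself.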
Re: Shellbag analysis
Posted: Thu Jan 10, 2013 10:31 am
Yes.
Regripper and TZWorks sbag.
Using the steps under Timestamp Verification on TZWorks site.
-

BitHead - Senior Member
Re: Shellbag analysis
Posted: Thu Jan 10, 2013 11:10 am
- BitHead
Regripper and TZWorks sbag.
Over the lists/sites that I've posted this question to, you're the first one to mention RegRipper.
Have you had any issues with regards to validation of either tool, or between the two?
- BitHead
Using the steps under Timestamp Verification on TZWorks site.
That's great for verification. How are you incorporating those values into your analysis?
Thanks.
-

keydet89 - Senior Member
Re: Shellbag analysis
Posted: Mon Jan 14, 2013 4:10 am
I'm using the following tools:
- TZWorks sbag
- RegRipper
- MiTeC Windows Registry Analyzer v1.5.2 (ShellBags + StreamMRUs)
- Nir Sofer's ShellBagsView
and the excellent EnPack, 42 LLC Bag Parser, by Yogesh Khatri (ShellBags + StreamMRUs)
My tools of choice are TZWorks sbag + 42LLC Bag Parser. I do like 42LLC Bag Parser for its ability to parse all relevant registry hive files in a single pass (located in all users' profiles, System Restore and so on), its very detailed report and its nice, Explorer-like form of presenting results (you can also export the results into an Excel file for further processing, e.g. to compare and cross-verify with sbag results or to follow manual verification according to TZWorks).
Greg
-

gmkk - Member
Re: Shellbag analysis
Posted: Mon Jan 14, 2013 7:01 am
Greg,
Thanks.
How are you analyzing/including/interpreting the DOSDate time stamps?
Also, do you have any thoughts on the output of TZWorks sbag.exe vs. the RegRipper plugin?
Thanks.
-

keydet89 - Senior Member
Re: Shellbag analysis
Posted: Tue Jan 15, 2013 6:38 am
I'm using Mitec, TZWorks but not RR so much. TZ is my tool of the moment. I've been a shellbag addict since 2005 - never really understood why everyone doesn't do it on every job.
I like the CSV output from TZWorks.
I hadn't heard of the EnPack that Greg mentions but I'll be hunting it down.
-

BenUK - Member
Re: Shellbag analysis
Posted: Tue Jan 15, 2013 7:02 am
Ben,
Thanks.
How are you analyzing/including/interpreting the DOSDate time stamps?
Also, what have you done to validate the TZWorks tool?
Thanks.
-

keydet89 - Senior Member