Windows 8 registry Tool


Posted: Mon Dec 03, 2012 7:28 pm

Hello everyone,

I am looking for a free tool that is able to view all of the registry files in Windows 8 (including any new ones that aren't in Windows 7). It is for a class project that I have to do for a forensics class. I have used RegRipper for looking at Windows 7 registry files but it doesn't seem to work for Windows 8. (I tried to update plugins) Unfortunately, I haven't done any forensics with Windows 8 so I am lost.

Thank you in advance for your help!  

Daniel09
Newbie
 
 
  

Re: Windows 8 registry Tool

Posted: Mon Dec 03, 2012 9:51 pm

Hi,

Who's the teacher?

> Daniel09:
> Hello everyone,
>
> I am looking for a free tool that is able to view all of the registry files in Windows 8 (including any new ones that aren't in Windows 7). It is for a class project that I have to do for a forensics class. I have used RegRipper for looking at Windows 7 registry files but it doesn't seem to work for Windows 8. (I tried to update plugins) Unfortunately, I haven't done any forensics with Windows 8 so I am lost.
>
> Thank you in advance for your help!

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 

armresl
Senior Member
 
 
  

Re: Windows 8 registry Tool

Posted: Tue Dec 04, 2012 6:21 am

> I have used RegRipper for looking at Windows 7 registry files but it doesn't seem to work for Windows 8.

Hey, thanks for making a public statement like that, particularly when you HAVE NO IDEA HOW THE TOOL WORKS!

The fact is that RegRipper works great with Windows 8...but RegRipper is NOT a Registry viewer. If there's something specific that you're looking for with respect to a plugin, and you don't find it, all you have to do is ask.  

keydet89
Senior Member
 
 
  

Re: Windows 8 registry Tool

Posted: Tue Dec 04, 2012 10:29 am

> Daniel09:
> Hello everyone,
>
> I am looking for a free tool that is able to view all of the registry files in Windows 8 (including any new ones that aren't in Windows 7). It is for a class project that I have to do for a forensics class. I have used RegRipper for looking at Windows 7 registry files but it doesn't seem to work for Windows 8. (I tried to update plugins) Unfortunately, I haven't done any forensics with Windows 8 so I am lost.
>
> Thank you in advance for your help!


RegRipper, as I understand it, basically goes down the registry path of interest, and pulls out the data found there.

If it isn't working, it may be because that path is no longer valid in Windows 8.

Have you opened it up in other registry tools to see if what you are looking for is there?

The other problem might be the simple stuff like pointing to the wrong file, not having proper permissions, etc.

What does the log file say?

As a side note:
If you want someone to help, list your problem and give specific information.

Saying "it doesn't seem to work" says very little about the problem, nor how to solve it.

You wouldn't go to the doctor and say "I'm sick" and leave it at that, would you?

Asking a general question results in one of two things. Either the answers will be general, and probably unhelpful. Or people replying then have to take the time out of their day and list every possible cause of "it doesn't seem to work".  

twjolson
Senior Member
 
 
  

Re: Windows 8 registry Tool

Posted: Tue Dec 04, 2012 11:26 am

RegRipper was released as open source in 2008, with the hope that analysts would see the power of the tool, see that the value rested in the plugins, and either write their own plugins, or provide enough information/data so that someone could write one for them.

What's ended up happening is that the vast majority of those who use the tool do so blindly...they download the tool, expecting the tool to natively have everything that they want (without being able to define what that is...), and I think that this post clearly demonstrates that mindset.

RegRipper does, in fact, work on Windows 8 Registry hives. The binary structure of the Registry has not changed since it was first released. What's happened is that the paths to various keys and values of interest have changed or been removed, new paths added, and in some cases the paths have remained the same while the data itself has changed. There are plugins that not only work on Windows 8, but there are a couple of plugins for artifacts (typedurltimes and filehistory, specifically) that only exist on Windows 8.

To properly use RegRipper, you have to have some understanding of the Registry, and of the various versions of Windows. For example, XP maintains a record of user searches via the desktop in subkeys beneath the ACMru key. With Vista, desktop searches were maintained in an XML file, rather than the Registry. As of Windows 7, the desktop searches were moved to a key called "WordWheelQuery", and there are plugins for XP (acmru.pl) and Win7 (wordwheelquery.pl).

So...if you run wordwheelquery.pl against an XP system, it is easy to say...and incorrect to say...that when you see the response "key not found" that RegRipper did not work. The same would be true when acmru.pl is run against Vista or above systems.

RegRipper is not a viewer. RegRipper is a tool that allows you to perform surgical, tactical, automated extraction and translation (and to some degree, correlation) of Registry data. Like any other tool, RegRipper is only as good as the person who uses it.  

keydet89
Senior Member
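
An added illustration, not part of the thread and not RegRipper code: a Python sketch of why "key not found" means the artifact's path is absent on that Windows version rather than that extraction failed. The full key paths, the nested-dict hive stand-in, and all sample data are assumptions constructed for the example; the thread names only the ACMru and WordWheelQuery keys.

```python
import struct

# Commonly documented NTUSER.DAT key paths (assumed; the thread names only the keys).
ACMRU = r"Software\Microsoft\Search Assistant\ACMru"
WWQ = r"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"

def make_hive(path, values):
    """Build a nested-dict stand-in for a hive holding one key with `values`."""
    node = {"values": values, "subkeys": {}}
    for part in reversed(path.split("\\")):
        node = {"values": {}, "subkeys": {part: node}}
    return node

def find_key(hive, path):
    """Walk the path from the root; return None if any component is absent."""
    node = hive
    for part in path.split("\\"):
        # Registry key names compare case-insensitively.
        match = next((k for k in node["subkeys"] if k.lower() == part.lower()), None)
        if match is None:
            return None
        node = node["subkeys"][match]
    return node

def parse_mrulistex(data):
    """MRUListEx: little-endian DWORD value names, newest first, ended by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def wordwheelquery(hive):
    """Return search terms in MRU order, or report that the key is absent."""
    key = find_key(hive, WWQ)
    if key is None:
        return {"status": "key not found", "terms": []}
    vals = key["values"]
    terms = []
    for idx in parse_mrulistex(vals.get("MRUListEx", b"")):
        raw = vals.get(str(idx))
        if raw is not None:  # skip indexes whose value is missing
            terms.append(raw.decode("utf-16-le", errors="replace").split("\x00")[0])
    return {"status": "ok", "terms": terms}

def u16(s):
    """Encode a string the way the numbered values store it: UTF-16LE, NUL-terminated."""
    return s.encode("utf-16-le") + b"\x00\x00"

# Constructed sample hives, not taken from a real system.
WIN7_HIVE = make_hive(WWQ, {"MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
                            "0": u16("invoice"), "1": u16("budget.xls")})
XP_HIVE = make_hive(ACMRU, {})
```

Running `wordwheelquery` against `XP_HIVE` reports "key not found" even though the hive parses correctly and `find_key(XP_HIVE, ACMRU)` succeeds, which is the distinction the post draws.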
 
 
  

Re: Windows 8 registry Tool

Posted: Tue Dec 04, 2012 11:29 am

Just a thought, and getting back on topic...but can you provide some information regarding what you're looking for? What are the goals of your analysis? Most Registry viewers will work on Windows 8 systems, and like any other tools, all have their strengths and weaknesses, pros and cons. If you could provide some indication of what it is you're looking for, it would be easier to make recommendations.

Thanks.  

keydet89
Senior Member
 
 