Ares search term decoder for FTK registry report  

EricZimmerman
(@ericzimmerman)
Active Member

If anyone ever needs such a beast, I just whipped up a converter for it.

It will take the registry report in HTML format, decode the search terms from hex to ASCII, and add the decoded term next to the original.

Some examples:

7A6F6F ==> zoo

70746863 ==> pthc

And so on.

If you have a case where you have a ton of search terms to decode, this can save you a ton of time.

Hit me up via email or PM if anyone is interested in it.

Posted : 13/02/2013 2:35 am
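As an added example of the kind of converter described in the post above (this is not Eric's tool, which was never posted in the thread, and not FTK's or RegRipper's code): a small Python script that walks an HTML registry report, finds table cells whose entire content is a hex string, decodes them, and writes the ASCII term next to the original, exactly as in the 7A6F6F ==> zoo example. The report layout (one registry value name per `<td>`) and the sample report itself are constructed assumptions, since FTK's exact HTML is not shown on the page; the HKCU\Software\Ares\Search.History key path is the one Ares uses for its search history. Two practitioner details the post does not spell out: a cell is only decoded if it is even-length, valid hex, and decodes entirely to printable ASCII, which keeps year and zero-padding cells such as "2013" or "0000" from being "decoded" into garbage, and the decoded term is HTML-escaped before it is written back so a search term that happens to contain markup cannot inject into the report an examiner opens in a browser.

```python
import re
import sys
from html import escape

# Constructed sample, not a real FTK report: a table of values under the Ares
# search-history key. The exact FTK HTML layout (value name alone in a <td>)
# is an assumption; the key path is the one Ares uses for its search history.
SAMPLE_REPORT = """<html><body>
<h2>HKEY_CURRENT_USER\\Software\\Ares\\Search.History\\gen</h2>
<table>
<tr><th>Name</th><th>Type</th><th>Data</th></tr>
<tr><td>7A6F6F</td><td>REG_SZ</td><td>2013</td></tr>
<tr><td>6C696E7578</td><td>REG_SZ</td><td>0000</td></tr>
<tr><td>notahexstring</td><td>REG_BINARY</td><td>DEADBEEF</td></tr>
</table>
</body></html>
"""

# A <td> whose entire content is a run of at least four hex digits.
HEX_CELL = re.compile(r"(<td[^>]*>)\s*([0-9A-Fa-f]{4,})\s*(</td>)")


def decode_hex_term(token: str):
    """Decode a hex-encoded Ares search term to text.

    Returns None when the token cannot be a search term: odd length, too
    short, not valid hex, or decoding to bytes outside printable ASCII
    (which is what filters out cells such as "2013" or "0000").
    """
    if len(token) < 4 or len(token) % 2:
        return None
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def annotate_report(report: str) -> str:
    """Return the report with each decodable hex cell rewritten as
    'HEX (decoded)'. The decoded text is HTML-escaped before it is put
    back into the page, so a crafted search term such as "<script>"
    cannot inject markup into the report an examiner opens in a browser."""
    def repl(match):
        open_tag, token, close_tag = match.groups()
        decoded = decode_hex_term(token)
        if decoded is None:
            return match.group(0)
        return f"{open_tag}{token} ({escape(decoded)}){close_tag}"
    return HEX_CELL.sub(repl, report)


def extract_terms(report: str):
    """List (hex, decoded) pairs for every decodable hex cell, in order."""
    pairs = []
    for match in HEX_CELL.finditer(report):
        decoded = decode_hex_term(match.group(2))
        if decoded is not None:
            pairs.append((match.group(2), decoded))
    return pairs


if __name__ == "__main__":
    # Usage: python ares_decode.py report.html > report_decoded.html
    # With no argument the constructed sample above is processed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_REPORT
    sys.stdout.write(annotate_report(source))
    for hex_name, term in extract_terms(source):
        sys.stderr.write(f"{hex_name} ==> {term}\n")
```

The printable-ASCII check is deliberately strict: a term with non-ASCII characters would be skipped rather than mangled, which is the safer failure for an artifact that may end up in an exhibit. If a case turns up such terms, the filter is the one place to loosen.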
twjolson
(@twjolson)
Active Member

Not to take away from what you said.

I use Ares Decryptor from Frank Kolenbrander ([email protected]). Good guy, good program, so I try to get it out there as much as possible. It will decode the share*.dat files to show current and historically shared files. It decodes the registry as well.

Worth 60 bucks if you do Ares periodically.

Posted : 13/02/2013 6:17 pm
Cults14
(@cults14)
Active Member

I may be displaying ignorance here - but what the heck is Ares?

Cheers

Posted : 13/02/2013 6:44 pm
ntexaminer
(@ntexaminer)
Junior Member

I may be displaying ignorance here - but what the heck is Ares?

Cheers

It's a P2P app - http://aresgalaxy.sourceforge.net/.

Posted : 13/02/2013 6:55 pm
Cults14
(@cults14)
Active Member

Thanks ntexaminer, I have never come across it in my limited corporate internal work.

Posted : 13/02/2013 6:57 pm
keydet89
(@keydet89)
Community Legend

If anyone ever needs such a beast, I just whipped up a converter for it.

Great work, Eric.

There's an "ares.pl" plugin for RegRipper, which does just that. The plugin was originally written in May 2011, and was updated shortly thereafter to add collecting additional info.

Thanks for your work.

Posted : 13/02/2013 7:51 pm
EricZimmerman
(@ericzimmerman)
Active Member

This was more of a post-FTK-report tool thingy vs. decoding artifacts like Frank's tool (which is sweet!).

An ICE agent contacted me about it as he was doing it by hand. Nerds don't like that, so I automated it =)

I figured RegRipper had a module. I had someone asking me the other day about processing hives for Ares stuff. There's the answer =) I will point him to RegRipper.

Posted : 13/02/2013 8:56 pm
keydet89
(@keydet89)
Community Legend

I figured RegRipper had a module. I had someone asking me the other day about processing hives for Ares stuff. There's the answer =) I will point him to RegRipper.

One of the big misconceptions about RegRipper is that it has everything "out of the box". It was originally intended to be a community-based and -driven tool... if there's not something that you're seeing in the output, ask.

Posted : 13/02/2013 9:02 pm