Windows Secret Explorer

(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

Using dual-tool verification we've experienced some issues using Windows Secret Explorer while examining the contents of the Windows protected storage area of the registry. The issue being that it was not finding items that EnCase was able to extract. Trouble is I happen to like WSE and the reports it produced - great to copy and paste into a report.

Does anyone have any recommendations for a WSE replacement?

 
Posted : 13/03/2007 2:48 pm
(@ash368)
Posts: 17
Active Member
 

Jonathan,

You could try PIEPR from Passcape. I was in correspondence with the author late last year requesting some improvements, but as yet have not seen any modifications.

http://www.passcape.com/html/piepr.html

Allan S Hay

 
Posted : 13/03/2007 3:30 pm
(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

Thanks for that Allan - I'll have a look

> I was in correspondence with the author late last year requesting some improvements, but as yet have not seen any modifications.

Strange you should say that - we had the same problem with WSE; wrote some emails to the author pointing out errors, spelling mistakes, etc and no reply or acknowledgement. Didn't inspire us with confidence!

 
Posted : 13/03/2007 8:48 pm
_nik_
(@_nik_)
Posts: 93
Trusted Member
 

What particular items did EnCase find that WSE did not?
Did FTK find them?

 
Posted : 13/03/2007 9:07 pm
(@armresl)
Posts: 1011
Noble Member
 

That is really not odd where WSE or any other program for that matter misses particular items.

This is where people cross validating results is a must.

I have found that most people don't even attempt to run data recovery applications on an image to see what could be found. Program A might only be set up to look for 100 file signatures, while Program B might look for 20 but those 20 were not part of Program A's 100, etc.

Examiners should look for files which help exonerate as well as to prove guilt.

 
Posted : 13/03/2007 11:30 pm
(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

> What particular items did EnCase find that WSE did not?
> Did FTK find them?

> That is really not odd where WSE or any other program for that matter misses particular items.

WSE wasn't just missing particular items, it was failing to find anything at all in some cases whereas EnCase with EDS found a number of keys. It is the inconsistency which is worrying.

 
Posted : 14/03/2007 1:45 pm
(@armresl)
Posts: 1011
Noble Member
 

I would say that missing items < not finding anything but still in the same boat.

 
Posted : 14/03/2007 6:41 pm
_nik_
(@_nik_)
Posts: 93
Trusted Member
 

>EnCase with EDS found a number of keys

Keys? as in master/private keys?

WSE does not look for those, as far as I know.
Those keys are used for SSL, code signing and most importantly EFS.

 
Posted : 14/03/2007 8:46 pm
(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

> >EnCase with EDS found a number of keys
>
> Keys? as in master/private keys?
>
> WSE does not look for those, as far as I know.
> Those keys are used for SSL, code signing and most importantly EFS.

No, as in registry key such as HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

 
Posted : 14/03/2007 10:31 pm
_nik_
(@_nik_)
Posts: 93
Trusted Member
 

> No, as in registry key such as HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider

Hmm.. WSE *should* find those - the "encryption" is crappy due to the crappy key used.

 
Posted : 15/03/2007 9:18 pm