Hi all,
I am putting together a knowledge base for registry keys: what evidence we can find and where. There are a number of books and postings that can be found, but in general I have not found a centralized location to reference keys that people use to discover information.
As such, if you would be so willing, please send me the keys that you routinely check, including the path and a brief description of what the key holds. PLEASE, if your description is a direct quote from another author, either put it in your own words or give credit where credit is due. I hope within a month's time I will be able to contribute a comprehensive directory for analyzing the registry.
Please feel free to email me privately as well.
Sounds very interesting.
I'm sorry, I don't have anything to contribute (other than what can be found in books, many of whose authors are members here so can respond on their own).
But please, include me as an interested party, I would love to see the results.
Thanks!
I just don't get it…RegRipper *is* a repository, *and* it takes the idea a step further by actually pulling data from the hive files…
And if I recall correctly the author has offered on numerous occasions to add additional hives. wink
Hives, plugins…all of it.
I'm sold!
Hi anti-curse,
Harlan's tool is very good, but it seems to me that you are attempting to create something that is a platform-independent tool for reference - correct me if I am wrong - and thus you are going to have to parse out the relevant information from the RegRipper plugins - these are nice and clear Perl, and as Harlan says in the RR docs:
Simply open any of the available plugins files in the editor of your choice to view the contents…the structure of the file is extremely simple and straightforward.
Because of their structure, you should be able to manufacture a Perl script to extract data to your Knowledge Base without too much effort.
Note well, that as the work is released under a GPL license, whilst you can use it and derivatives in any way you see fit, you _must_ acknowledge the source.
If, on the other hand, I am completely mistaken, and you are attempting to write a Windows tool, don't bother - get RR.
Thanks, guys!
The reason I wrote RegRipper was simply because having a repository of Registry keys and values simply does me no good…there has to be that transition to doing something with it, and to be honest, Registry viewers simply don't cut it.
I've been asked to give a presentation at the SANS Forensic Summit in Oct, and I'll be presenting on Registry Analysis…and demo'ing RegRipper.
I just don't get it…RegRipper *is* a repository, *and* it takes the idea a step further by actually pulling data from the hive files…
Perhaps I should have stated my purpose a bit more clearly; I am not looking for a tool to parse information out from the reg…this is a knowledge base, a tool to learn more about specific keys in the hives. It is great that we can use this to gather our information, however it does not help with people's understanding of where to manually gather information, nor help people get a feel for the Reg in such a way that they become confident enough to provide sound testimony. It does not fly, while giving testimony, to say I used "X" product and this is what it came up with. Nay, a true Forensic professional should be able to clearly articulate not only how the script works, but what evidence it has gathered, where it was found and how it is pertinent to the case. This is truly a knowledge base, something to learn from.
I also think it is a bit presumptuous to assume that all forensics folks are aware of your script; sharp responses such as the one you posted can easily be construed as... well, irritating. I might suggest a more tactful approach to recommending your script, something like "Have you tried RegRipper?" wink
anti-curse,
Have you consulted any of the registry books?
Mastering Windows 2000 Registry ISBN 0782126154
Microsoft Windows Registry Guide, 2nd Edition ISBN 0735622183
Mastering Windows XP Registry ISBN 0782129870
Windows NT Registry ISBN 1562059416
Regards,
farmerdude