Harlan's RegRipper is an outstanding tool that I wonder why no one created before Harlan did. Examiners that do not use it simply have not heard about it, which I think won't last long.
There are several resources to learn about the registry, such as the books pointed out by farmerdude as well as other documents (Accessdata's Registry Quick Find Chart, and another xls from…Harlan). There are other write-ups on registry forensics online. I think that what has been written already pretty much details the low-hanging fruit in the registry and the more detailed areas from which to recover good evidence.
I'm giving a registry forensics presentation this year in Aug and will almost exclusively be using RegRipper. I'm certain that any examiner in the room that has not heard about RegRipper, will be going home to download it immediately after the class…
I just got word today that I'm approved for the SANS Forensic Summit in Las Vegas, in Oct. I'm going to be presenting on Registry Analysis, and demo'ing RegRipper.
I hope to have some new goodies added to it by then.
My whole point is that while I agree that RegRipper isn't technically a repository, per se, it is a good resource. The whole thing about Registry analysis is that it isn't _just_ about a key or value…the examiner has to be aware of what conditions or actions create or modify an entry so that the data can be interpreted correctly. Also, one may need to correlate multiple keys and values to get a true picture of what's going on.
As a resource, I would suggest ch 4 of "Windows Forensic Analysis".
Greetings,
I, for one, am pleased to see someone developing an alternative resource for information about the Registry that doesn't require buying a book and keeping it with you. Perhaps this knowledge base will combine information from a variety of sources in one spot? Perhaps it will be updated regularly, making it more current than a hard copy resource? Perhaps it will not require downloading and reading code. Perhaps ….
Hey, he's offering to develop a resource that may be quite helpful - let's encourage and assist him, hmm?
-David
I think a very good source for registry keys is Access Data's "Registry Quick Find Chart", to be found at
http//
After reading this forum for a year I must relate, anti-curse, Harlan (who I have not met) can seem to be a bit on the acerbic side. I attribute this to his just speaking here as in the pub with a mess of mates. Everyone here knows what a massive amount of time his polished pearls have saved us. (Clink of glasses sound) Have a pint. Chill.
Anti-curse,
I'll contribute…
I wrote a paper not too long ago that included some registry keys of interest. It's not by any means comprehensive, but it may aid in the development of your database.
Let me know if I can be of any assistance.
Thanks,
Derrick