I am working on an EnScript to evaluate the registry TypedURLsTime values of a particular Windows 8 user. I am creating a RegistryClass object with an entry (as opposed to a connection). The RegistryClass help states: "When created with an entry, the RegistryClass will parse the Registry files. Any entry that is part of a volume can be given." Will all of the NTUSER.DAT registry files be parsed? I'm interested only in the registry values of a particular user (Suspect A). Is there an extra EnScript step I need to take to get the values just for Suspect A? Either only mount their NTUSER.DAT file, or a more user-specific path in my registry command, as follows?
// 'entry' is the EntryClass for the NTUSER.DAT hive to parse
RegistryClass reg(entry);
RegCommandClass cmds();
// READVALUE reads the single value "Url1" under the TypedURLsTime key
new RegCommandClass(cmds, "TypedUrltime1", RegCommandClass::READVALUE,
                    RegCommandClass::HKEY_USERS, "Software\\Microsoft\\Internet Explorer\\TypedURLsTime",
                    "Url1", 0, 1);
RegValueClass values();
if (reg.Run(cmds, values)) {
  RegValueClass v = values.Find("TypedUrltime1");
}
Any suggestions or example links would be greatly appreciated. I'm new to EnScript and have gotten myself quite confused! Thanks in advance for your time and attention...
Todd
Todd Julius
Leahy Center for Digital Investigations
Champlain College
As you say, when creating the RegistryClass you can provide an entry instead of a connection. Therefore all you need to do is filter out the entries before processing them. Also, you can use HKEY_ENTRY_HIVE as your root key for ntuser.dats; it means you can run it over any hive you find (including backups!).
Here's some code to do what you asked, to process only selected files for TypedURLsTime entries:
forall (EntryClass e in c.EntryRoot())
{
  // Only parse hives the examiner has selected (e.g. Suspect A's NTUSER.DAT)
  if (e.IsSelected())
  {
    RegistryClass reg(e);
    RegValueClass regValues();
    RegCommandClass cmds();
    // HKEY_ENTRY_HIVE treats the selected entry itself as the root hive
    RegCommandClass command2(cmds,
                             "TypedUrltime1",
                             RegCommandClass::READVALUE,
                             RegCommandClass::HKEY_ENTRY_HIVE,
                             "Software\\Microsoft\\Internet Explorer\\TypedURLsTime",
                             "Url1",
                             0,
                             0xffffffff);
    if (reg.Run(cmds, regValues))
    {
      RegValueClass v = regValues.Find("TypedUrltime1");
      // ... now do your processing
    }
  }
}
Note that I haven't actually tested the above to see if it works; I have no Windows 8 machine to do it on! But you get the idea. I don't think I can attach files, otherwise I would attach one I created which parses ntuser.dats for Gigatribe usernames and passwords and decodes them. Should be a good starting point. If you want to have a look, send me a PM with your email address and I'll email it to you. )
Thanks so much Chris! Using IsSelected is perfect, simple, and should have been obvious to me. It should get me going in the right direction. Thank you for your offer of letting me view your script which parses ntuser.dats for Gigatribe usernames...
I'll PM my email right away. I'm anxious to develop my proficiency in EnScript. I look forward to learning from and applying your ideas.
Thanks again!
Todd
Todd Julius
Leahy Center for Digital Investigation
Champlain College
Just out of curiosity, why did you opt for an EnScript over a RegRipper plugin?
Also, I thought this blog post might be of interest to you, based on what you're working on:
http//
I code in EnScript and Python as we use EnCase and XRY. Although I have coded in Perl in the distant past (back when Perl-CGI was fashionable), I think it would be too personally confusing to throw in a third language.
Chris,
From the very beginning, if anyone has wanted/needed a plugin, all I've asked for is a concise description of what you're looking for, and a sample hive. In cases where these have been provided, turnaround has often been within the hour, and always with complete discretion.
Harlan,
Thanks for the offer, but it's always worthwhile having in-house expertise. Also, some people prefer GUIs! )
Chris
Chris,
Harlan,
Thanks for the offer, but it's always worthwhile having in-house expertise. Also, some people prefer GUIs! )
I don't follow the context of what you're saying here, but okay.
It seems I have been labouring under the misapprehension that RegRipper was a command-line tool.
Well, you learn something new every day. And now I know what I'm going to be doing this afternoon. )
Chris,
RegRipper is a set of tools that consists of a GUI, as well as a CLI component.
The use of RegRipper is outlined in the book, "Windows Registry Forensics", as well as on my blog.
Thanks.