I bought a book and have the CD "forensic analysis of windows systems" with it. The CD has useful Perl scripts that I would like to use, but I'm not sure how to use them properly. For example there is "pnu.exe" and "pnu.pl"; I don't know which to use, and when I click "pnu.exe" a DOS-like screen flashes up for a second, goes, and nothing happens.
What program do I need to run these scripts? Where can I get it? How do I run them with the program once I have it?
Any help here appreciated. Thanks.
strobak,
In Windows, go to the Start menu and find the Run dialog.
Enter "cmd" into it, without the quotes.
(This opens the "dos box" up and keeps it there.)
Navigate to where the file.exe is located, and run it by typing its name.
Maybe copy the files over to a simple directory first, though, for ease of finding.
C:\myprogs\ or whatever
kern
Thanks kern. I thought there was some Perl program I would have to install.
When I enter C:\pnu.exe into the command prompt (which is where I've moved the file and DLL to) I get the message "you must enter a filename". I take it that this means the file I want pnu.exe to interrogate, and as it extracts information from UserAssist keys I take it I need to type something in there to do with a target NTUSER.DAT file.
I'm sure I've extracted an NTUSER.DAT file from a case with FTK Imager before, but when I try it now by clicking "obtain protected files" then checking "password recovery and all registry files", Imager only obtains the "sam", "security", "software", "system", "default" and "userdiff" files.
Any idea why this is?
Thank you
Strobak,
Just a thought…but it might be a good idea to (a) get the title of the book correct, and (b) contact the author. I hear that he's pretty helpful sometimes…just a thought.
H
Greetings,
Also, the book does a pretty good job of telling you
- general information on the scripts, Perl, how to compile them, cross platform issues, libraries required
- how and when to use each script to accomplish a particular task
Any chance that you only have the scripts and not the book that they came with?
'tis a good book ….
-David
I'm sure I've extracted an NTUSER.DAT file from a case with FTK Imager before, but when I try it now by clicking "obtain protected files" then checking "password recovery and all registry files", Imager only obtains the "sam", "security", "software", "system", "default" and "userdiff" files.
Any idea why this is?
How can I extract the NTUSER.DAT?
Also, keydet89, when I said "forensic analysis of windows systems" I was referring to the name of the DVD that comes with your book, not the title of the book itself. Apologies.
Thank you
Strobak,
I've never had any trouble extracting NTUSER.DAT, using either FTK Imager Lite, or acquiring the image, opening the image in FTK, EnCase, or even ProDiscover, and using the tool's functionality to copy the file out of the image into another directory.
Just an FYI…I've been updating the pnu.pl script based on some thoughts and input received from Didier Stevens, who's done a considerable amount of work with and research into these keys….
H
Strobak,
Just an FYI…I've been updating the pnu.pl script based on some thoughts and input received from Didier Stevens, who's done a considerable amount of work with and research into these keys….
H
That's good news. I was really impressed when I heard what the script did from your book anyway, and very pleased when I learnt that the information it extracts actually existed on a system.
As for my ignorance in the area of running Perl scripts (by the way I don't have your book with me for reference atm), I've downloaded "ActivePerl" and can run very simple scripts, but when I attempt to run pnu.pl I get this message:
Can't locate Parse/Win32Registry.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at C:\Perl\pnu.pl line 11.
BEGIN failed--compilation aborted at C:\Perl\pnu.pl line 11.
Is this because I need to get the correct modules?
Please could you tell me exactly which modules I require, where I can get them, and which directory to put them in once I have them?
Thanks very much
That's good news. I was really impressed when I heard what the script did from your book anyway, and very pleased when I learnt that the information it extracts actually existed on a system.
Pretty cool, isn't it? There's a lot of information available in the Registry, and it's just that most folks don't know it's there. This is largely due to the fact that some of the intro to forensics courses and the courses that teach the basics still rely on DOS-era instruction. There's so much available on a system, particularly when you consider alternative methods of analysis.
As for my ignorance in the area of running Perl scripts (by the way I don't have your book with me for reference atm), I've downloaded "ActivePerl" and can run very simple scripts, but when I attempt to run pnu.pl I get this message:
Can't locate Parse/Win32Registry.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at C:\Perl\pnu.pl line 11.
BEGIN failed--compilation aborted at C:\Perl\pnu.pl line 11.
Is this because I need to get the correct modules?
Please could you tell me exactly which modules I require, where I can get them, and which directory to put them in once I have them?
This is actually kind of funny…I put something in a book, and then like you, many tell me via forums like this that they have my book, but they just don't have it with them at the moment, and need me to completely rewrite it for them so that they have access to the information.
Here's what you do…go here to get the module archive
http//
Then, follow what I say in this blog post (almost a year old now) on how to install the modules
http//
I hope this helps,
H
That's great Harlan, got it working, thanks for the help, sorry I was a pain :)
And yeah, I know, your book is making me realise how much more in-depth and Registry-focused my university course should be…
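As an added illustration of what a UserAssist parser like the pnu.pl discussed in this thread does once Parse::Win32Registry is installed (this is example code written for this thread, not Harlan's script, and it assumes the XP-era 16-byte UserAssist value layout):

```perl
#!/usr/bin/perl
# Added example, not the book's pnu.pl: list UserAssist entries from an
# NTUSER.DAT hive using the CPAN module Parse::Win32Registry.
# Assumption: XP-era value layout of session (4), run count (4), FILETIME (8).
use strict;
use warnings;
use POSIX qw(strftime);
use Parse::Win32Registry;

my $hive = shift or die "Usage: $0 NTUSER.DAT\n";

my $reg  = Parse::Win32Registry->new($hive)
    or die "Could not open '$hive' as a registry hive\n";
my $root = $reg->get_root_key
    or die "Could not read the root key of '$hive'\n";

# UserAssist data sits under GUID-named subkeys; enumerate rather than hard-code.
my $ua = $root->get_subkey(
    'Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist')
    or die "No UserAssist key in this hive\n";

for my $guid ($ua->get_list_of_subkeys) {
    my $count = $guid->get_subkey('Count') or next;
    printf "%s\n", $guid->get_name;
    for my $val ($count->get_list_of_values) {
        # Value names are ROT13-obfuscated; tr/// reverses it.
        (my $name = $val->get_name) =~ tr/A-Za-z/N-ZA-Mn-za-m/;
        my $data = $val->get_data;
        if (defined $data && length($data) == 16) {
            my ($session, $runs, $lo, $hi) = unpack 'V V V V', $data;
            # On XP the run counter is stored with an offset of 5.
            $runs -= 5 if $runs >= 5;
            # FILETIME is 100ns ticks since 1601-01-01; convert to Unix epoch.
            my $epoch = int(($hi * 4294967296 + $lo) / 10_000_000) - 11644473600;
            my $when  = $epoch > 0
                ? strftime('%Y-%m-%d %H:%M:%S UTC', gmtime($epoch))
                : 'never';
            printf "  %-23s runs=%-4d %s\n", $when, $runs, $name;
        } else {
            # Other hive versions use a different layout; report size only.
            printf "  %-23s %s (%d bytes, not the XP layout)\n", '', $name,
                defined $data ? length($data) : 0;
        }
    }
}
```

Run it as `perl userassist.pl NTUSER.DAT` against a copy of the hive exported from the image, never the live file on the examination machine.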