New user - Windows registry analysis
psycko
(@psycko)
New Member

Hi!
I'm a new user here interested in computer forensics.
I have visited this great forum several times and I have a question:
I wondered if there is a free tool with a GUI that can
sort the dates and times in the Windows registry for analysis.

To be more precise about my idea: when you export the Windows registry in txt mode,
a date and time is associated with each key, so is there a tool that can
sort the keys by date and time of use to make a timeline of the registry?
I'm afraid I'm not being clear!

Thanks

R1

Posted : 03/01/2006 4:38 am
keydet89
(@keydet89)
Community Legend

I wrote a Registry file parser (Perl script) this past summer, that would parse through a flat Registry file (in raw, binary mode…doesn't use the MS API) and print out the information, including the LastWrite time.

Modifying the output slightly, you could dump the output in comma- or semi-colon-delimited format, and open the resulting file in Excel. From there, you could easily sort on the date/time.

However, the tool is a Perl script, and doesn't have a GUI.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 03/01/2006 5:18 pm
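The approach Harlan describes, parsing the hive file in raw binary mode rather than through the Windows API, printing each key's LastWrite time, and dumping delimited output that a spreadsheet can sort, is shown below as an added Python example. It is not Harlan's Perl script and not from this thread. It walks the regf header, hbin cells, nk key cells and lf/lh/li/ri subkey lists, converts each FILETIME to UTC, sorts the keys by LastWrite and emits CSV. Because a real hive cannot be embedded here, it includes a small builder that constructs a structurally valid four-key hive in memory; the key names and timestamps in that sample are made up. The header checksum verification is my own addition, useful for rejecting a truncated or carved copy before the tree is walked.

```python
import csv
import datetime as dt
import io
import struct

HBIN_BASE = 0x1000      # cell offsets in a hive are relative to the first hbin
KEY_COMP_NAME = 0x20    # nk flag: key name stored as 8-bit text, not UTF-16LE
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)  # FILETIME counts 100 ns ticks from here

def header_checksum(buf):
    """XOR of the first 127 dwords of the regf header; the file stores it at 0x1FC."""
    csum = 0
    for (word,) in struct.iter_unpack("<I", buf[:0x1FC]):
        csum ^= word
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)

def cell(buf, off):
    """Payload of the cell at hive-relative `off`; a negative size means allocated."""
    pos = HBIN_BASE + off
    (size,) = struct.unpack_from("<i", buf, pos)
    if size >= 0:
        raise ValueError("cell at 0x%x is free, not allocated" % off)
    return buf[pos + 4:pos - size]

def subkey_offsets(buf, off):
    """Yield nk offsets from an lf/lh/li list; an ri list indexes further lists."""
    data = cell(buf, off)
    sig, (count,) = data[:2], struct.unpack_from("<H", data, 2)
    stride = {b"lf": 8, b"lh": 8, b"li": 4, b"ri": 4}[sig]  # lf/lh add a 4-byte hash
    for i in range(count):
        (child,) = struct.unpack_from("<I", data, 4 + i * stride)
        yield from subkey_offsets(buf, child) if sig == b"ri" else (child,)

def walk_keys(buf, off, parent_path=""):
    """Yield (path, LastWrite) for the nk cell at `off` and every subkey below it."""
    data = cell(buf, off)
    if data[:2] != b"nk":
        raise ValueError("expected nk cell at 0x%x" % off)
    flags, last_write, _access, _parent, nsub, _volatile, sub_off = struct.unpack_from("<HQIIIII", data, 2)
    raw = data[0x4C:0x4C + struct.unpack_from("<H", data, 0x48)[0]]   # name length at 0x48
    # Compressed names use the hive's ANSI code page; latin-1 keeps every byte.
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    path = parent_path + "\\" + name if parent_path else name
    yield path, FILETIME_EPOCH + dt.timedelta(microseconds=last_write // 10)
    if nsub:                                    # sub_off is 0xFFFFFFFF when nsub == 0
        for child in subkey_offsets(buf, sub_off):
            yield from walk_keys(buf, child, path)

def registry_timeline(buf):
    """Every key in the hive as (path, LastWrite), oldest first."""
    if buf[:4] != b"regf" or struct.unpack_from("<I", buf, 0x1FC)[0] != header_checksum(buf):
        raise ValueError("not a regf hive, or header checksum mismatch (truncated/carved?)")
    (root_off,) = struct.unpack_from("<I", buf, 0x24)
    return sorted(walk_keys(buf, root_off), key=lambda kv: kv[1])

def timeline_csv(buf):
    """Comma-delimited timeline (names quoted where needed) for a spreadsheet."""
    out = io.StringIO()
    rows = [(when.strftime("%Y-%m-%d %H:%M:%S"), path) for path, when in registry_timeline(buf)]
    csv.writer(out).writerows([("LastWrite (UTC)", "Key")] + rows)
    return out.getvalue()

class _HiveBuilder:
    """Builds a tiny but structurally valid hive so the parser can run offline."""
    def __init__(self):
        self.cells = bytearray()
    def add(self, payload):                     # returns the hive-relative cell offset
        size = (4 + len(payload) + 7) & ~7      # cells are 8-byte aligned
        off = 0x20 + len(self.cells)            # 0x20 = hbin header size
        self.cells += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return off
    def add_key(self, name, when, children=()):
        list_off = 0xFFFFFFFF
        if children:                            # lf list: nk offset + 4-byte name hash
            entries = b"".join(struct.pack("<I4s", c, b"\0\0\0\0") for c in children)
            list_off = self.add(b"lf" + struct.pack("<H", len(children)) + entries)
        ft = (when - FILETIME_EPOCH) // dt.timedelta(microseconds=1) * 10
        # nk: sig, flags, LastWrite, 15 dwords (parent offset left 0; unused here), name lengths
        nk = struct.pack("<2sHQ15IHH", b"nk", KEY_COMP_NAME, ft, 0, 0, len(children), 0,
                         list_off, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
                         0, 0, 0, 0, 0, len(name), 0)
        return self.add(nk + name.encode("ascii"))
    def build(self, root_off):
        hbin_size = (0x20 + len(self.cells) + 0xFFF) & ~0xFFF   # hbins are 4 KiB multiples
        hbin = struct.pack("<4sII", b"hbin", 0, hbin_size) + bytes(20) + self.cells
        hdr = bytearray(0x1000)   # regf: seq numbers, timestamp, version 1.5, type, format,
        struct.pack_into("<4sIIQIIIIII", hdr, 0, b"regf", 1, 1, 0, 1, 5, 0, 1,
                         root_off, hbin_size)   # root cell offset, size of hbin data
        struct.pack_into("<I", hdr, 0x1FC, header_checksum(hdr))
        return bytes(hdr) + hbin.ljust(hbin_size, b"\0")

def build_sample_hive():
    """Constructed sample (not a real hive): four keys with distinct LastWrite times."""
    utc = lambda s: dt.datetime.fromisoformat(s).replace(tzinfo=dt.timezone.utc)
    b = _HiveBuilder()
    acme = b.add_key("Acme", utc("2006-01-04 09:15:00"))
    software = b.add_key("Software", utc("2005-12-30 08:00:00"), [acme])
    system = b.add_key("System", utc("2005-12-31 23:59:59"))
    return b.build(b.add_key("ROOT", utc("2006-01-03 04:38:00"), [software, system]))
```

On a real hive, replace `build_sample_hive()` with the bytes of a copied SYSTEM, SOFTWARE or NTUSER.DAT file (`open(path, "rb").read()`) and write `timeline_csv(...)` to a file for Excel. Only keys carry a LastWrite time; values do not, so a value change shows up only as a change on its parent key. Times are stored in UTC, so convert to local time in the spreadsheet if the case needs it rather than in the parser.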
psycko
(@psycko)
New Member

Hi,
Thanks for your reply.
That's a good idea you had to create this script.
Is it possible to get a copy of it?
I saw it while reading the previous posts about the registry,
but the link seems to be broken.

Thanks again
R1

Posted : 03/01/2006 6:21 pm
keydet89
(@keydet89)
Community Legend

R1,

Remember, I said that the script isn't a GUI… you'd specified that you wanted a GUI.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 04/01/2006 6:33 am
psycko
(@psycko)
New Member

OK keydet89,
Understood, no GUI in your tool,
but it might be transformed into Excel format to sort the date and time.

R1

psyckoo [at] hotmail . com

Posted : 04/01/2006 2:48 pm
keydet89
(@keydet89)
Community Legend

R1,

What's your email address?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 04/01/2006 4:42 pm
djvnet
(@djvnet)
New Member

Harlan, I'd like to check out your script, too. Would you email a copy?

See you next Thursday at 12:30. I'll be there…

[email protected]

Thanks,
Dan

Posted : 04/01/2006 7:54 pm