New user - Windows registry analysis

(@psycko)
Posts: 16
Active Member
Topic starter
 

Hi!
I'm a new user here interested in computer forensics.
I have visited this great forum several times and I have a question:
I wondered if there is a free tool with a GUI that can
sort the date and time in the Windows registry for analysis.

To be more precise: when you export the Windows registry in txt mode,
date and time are associated with the keys, so is there a tool that can
sort the keys by date and time of use to make a timeline of the registry?
I'm afraid I'm not being clear!

Thx

R1

 
Posted : 03/01/2006 4:38 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I wrote a Registry file parser (Perl script) this past summer, that would parse through a flat Registry file (in raw, binary mode…doesn't use the MS API) and print out the information, including the LastWrite time.

Modifying the output slightly, you could dump the output in comma- or semi-colon-delimited format, and open the resulting file in Excel. From there, you could easily sort on the date/time.

However, the tool is a Perl script, and doesn't have a GUI.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 03/01/2006 5:18 pm
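As an added illustration of the approach Harlan describes (raw binary parsing of a hive, no Windows API, LastWrite per key, delimited output you can sort in a spreadsheet), here is a small Python parser. It is not Harlan's Perl script and not code from this forum. It reads the regf header and hbin/cell layout straight from the bytes, carves every allocated "nk" key record (field offsets follow the documented on-disk hive format: flags at 0x02, LastWrite FILETIME at 0x04, parent cell offset at 0x10, name length at 0x48, name at 0x4C), rebuilds full key paths by following parent offsets, and emits CSV sorted by LastWrite. Because it scans cells instead of walking subkey lists from the root, it also lists keys whose list entries are gone. The hive it runs on is constructed in memory by `build_sample_hive()` so the example works offline; swap in `open("NTUSER.DAT", "rb").read()` for a real file.

```python
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000       # first hbin follows the 4 KiB regf header; cell offsets are relative to it
KEY_HIVE_ENTRY = 0x0004  # nk flag: hive root key
KEY_COMP_NAME = 0x0020   # nk flag: name stored as 8-bit chars instead of UTF-16LE
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    d = dt - _EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def carve_nk_records(hive: bytes) -> dict:
    """Walk every hbin and every allocated cell; return {hive-relative offset: nk fields}."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    keys, pos = {}, HBIN_BASE
    while pos + 0x20 <= len(hive) and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell, end = pos + 0x20, pos + hbin_size
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]  # negative size = allocated cell
            if size == 0:
                break
            data = hive[cell + 4:cell + abs(size)]
            if size < 0 and data[:2] == b"nk" and len(data) >= 0x4C:
                flags, lastwrite = struct.unpack_from("<HQ", data, 0x02)  # LastWrite FILETIME sits at 0x04
                parent = struct.unpack_from("<I", data, 0x10)[0]
                name_len = struct.unpack_from("<H", data, 0x48)[0]
                raw = data[0x4C:0x4C + name_len]
                name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
                keys[cell - HBIN_BASE] = {"name": name, "parent": parent, "flags": flags, "lastwrite": lastwrite}
            cell += abs(size)
        pos += hbin_size
    return keys

def key_path(keys: dict, off: int) -> str:
    """Rebuild ROOT\\...\\Key by following parent offsets up to the hive-entry key."""
    parts, seen = [], set()
    while off in keys and off not in seen:   # 'seen' guards against a corrupt parent loop
        seen.add(off)
        parts.append(keys[off]["name"])
        if keys[off]["flags"] & KEY_HIVE_ENTRY:
            break
        off = keys[off]["parent"]
    return "\\".join(reversed(parts))

def registry_timeline(hive: bytes) -> list:
    """[(LastWrite datetime, key path)] sorted oldest to newest."""
    keys = carve_nk_records(hive)
    return sorted((filetime_to_datetime(r["lastwrite"]), key_path(keys, off)) for off, r in keys.items())

def timeline_csv(hive: bytes) -> str:
    """Comma-delimited text, ready to open in a spreadsheet and sort."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["lastwrite_utc", "key"])
    for ts, path in registry_timeline(hive):
        w.writerow([ts.isoformat(), path])
    return buf.getvalue()

# --- constructed sample hive (not a real system file): regf header + one hbin with four nk cells ---
def _nk_cell(name: str, lastwrite: datetime, parent: int, flags: int = KEY_COMP_NAME) -> bytes:
    body = bytearray(0x4C)
    body[0:2] = b"nk"
    struct.pack_into("<HQ", body, 0x02, flags, datetime_to_filetime(lastwrite))
    struct.pack_into("<I", body, 0x10, parent)
    struct.pack_into("<H", body, 0x48, len(name))
    payload = bytes(body) + name.encode("latin-1")
    size = (len(payload) + 4 + 7) & ~7                   # cells are 8-byte aligned
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def build_sample_hive() -> bytes:
    utc = timezone.utc
    cells, off = [], 0x20                                 # first cell follows the 32-byte hbin header
    def add(name, when, parent, flags=KEY_COMP_NAME):
        nonlocal off
        c = _nk_cell(name, when, parent, flags)
        cells.append(c)
        off += len(c)
        return off - len(c)                               # hive-relative offset of this cell
    root = add("ROOT", datetime(2005, 12, 1, 10, 0, tzinfo=utc), 0xFFFFFFFF, KEY_COMP_NAME | KEY_HIVE_ENTRY)
    sw = add("Software", datetime(2005, 12, 15, 8, 30, tzinfo=utc), root)
    add("Run", datetime(2006, 1, 3, 4, 38, tzinfo=utc), sw)
    add("Uninstall", datetime(2005, 12, 20, 12, 0, tzinfo=utc), sw)
    used = 0x20 + sum(len(c) for c in cells)
    hbin_size = -(-(used + 8) // 0x1000) * 0x1000
    free = struct.pack("<i", hbin_size - used) + b"\0" * (hbin_size - used - 4)  # trailing free cell
    hbin = struct.pack("<4sIIQQI", b"hbin", 0, hbin_size, 0, 0, 0) + b"".join(cells) + free
    header = bytearray(0x1000)
    header[0:4] = b"regf"
    struct.pack_into("<II", header, 0x24, root, hbin_size)  # root cell offset, hive data size
    return bytes(header) + hbin

if __name__ == "__main__":
    print(timeline_csv(build_sample_hive()))
```

Only the LastWrite time of each key is recorded in a hive; there is no per-value timestamp, which is why the timeline is built at key granularity. Keys carved from free cells (deleted keys) are deliberately skipped here by the `size < 0` test; dropping that test is the usual way to include them.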
(@psycko)
Posts: 16
Active Member
Topic starter
 

Hi,
Thanks for your reply.
That's a good idea you had to create this script.
Is it possible to use a copy of it?
I saw it while I was reading the previous posts about the registry,
but the link seems to be broken.

Thanks again
R1

 
Posted : 03/01/2006 6:21 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

R1,

Remember, I said that the script isn't a GUI…you'd specified that you wanted a GUI.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 04/01/2006 6:33 am
(@psycko)
Posts: 16
Active Member
Topic starter
 

OK keydet89,
Understood, no GUI in your tool,
but it might be transformed into Excel format to sort the date and time.

R1

psyckoo [at] hotmail . com

 
Posted : 04/01/2006 2:48 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

R1,

What's your email address?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 04/01/2006 4:42 pm
djvnet
(@djvnet)
Posts: 4
New Member
 

Harlan, I'd like to check out your script, too. Would you email a copy?

See you next Thursday at 12:30. I'll be there…

djvnet@yahoo.com

Thanks,
Dan

 
Posted : 04/01/2006 7:54 pm