Offline Registry Parser
keydet89 (@keydet89), topic starter

All,

I've posted my offline Registry parser. See my blog entry

http://windowsir.blogspot.com/2005/08/offline-regisry-parser.html

If you do download and try this script, I'd appreciate comment/feedback.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


   
andy1500mac (@andy1500mac)

Hi Harlan,

Tried it on a couple of *.bak files (system, software) and it worked fine. As you said, it's best if you know beforehand what you are looking for and then search/grep the file.

It's a little easier on the eyes opening in a spreadsheet, although a few of the entries are slightly out of whack. I am not much of a programmer, limited to batches and simple scripts, so forgive my ignorance when I say that I received a

"wide character in print at c:\perl\reg.pl line 133" as standard output while running the parser and don't know if it has any bearing on the outcome…

Andrew-


   
keydet89 (@keydet89), topic starter

Andy,

Thanks for your comments.

It’s a little easier on the eyes opening in a spreadsheet…

Well, it is Perl and open-source, so that such things can be easily modified.

…although a few of the entries are slightly out of whack.

I'm not sure what that means. Are they incorrect, do they "look funny", or what?

"wide character in print at c:\perl\reg.pl line 133"

Interesting. What kind of system were these files from? NT, 2K, XP, or 2K3?

Again, thanks for your comments.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


   
andy1500mac (@andy1500mac)

Harlan,

The file was taken from an XP pro machine (system.bak).

Sorry about the "out of whack"… I think the ones that didn't look "right" as I scrolled quickly through the file were just ASCII from some of the REG_BINARY entries, and therefore normal output..?

Andrew-


   
keydet89 (@keydet89), topic starter

As far as "wide character", I'll have to take a look…maybe run the program against some system.bak files I may have available.

Yes, those "whacked out" values are the REG_BINARY data types, uninterpreted. I've rewritten the code for that script, to make it cleaner and easier to manage/debug, and included a translation routine for binary data types.

The next step is to use the newer code as a basis for a script that searches for specific values. For example, the user can input "HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile", and the script will (a) determine which offline ControlSet to query, (b) locate the value, and (c) return the data.

Thanks for your input.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
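A worked illustration of the lookup Harlan describes in the post above, added here as an example and not code from his parser or blog: it resolves CurrentControlSet through the SYSTEM hive's Select\Current value (an offline hive has no live CurrentControlSet link, so the parser has to pick ControlSet00N itself), locates the named value, and renders the data by type, showing REG_BINARY as a hex dump instead of raw bytes, which is the "out of whack" output Andy saw. The hive contents are a constructed in-memory stand-in that a real parser would fill from the hive's key and value cells; the raw value encodings (NUL-terminated UTF-16LE strings, little-endian REG_DWORD) are the ones actually stored on disk. The function names and sample paths are this example's own.

```python
import struct
from typing import Dict, Optional, Tuple

# Registry value type codes as stored in a hive's value cells (same numbering as winnt.h).
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4
REG_MULTI_SZ = 7

Hive = Dict[str, Dict[str, Tuple[int, bytes]]]   # key path -> {value name: (type, raw data)}


def utf16z(s: str) -> bytes:
    """Encode a string the way REG_SZ/REG_EXPAND_SZ data is stored: UTF-16LE plus a NUL terminator."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a parsed offline SYSTEM hive (sample data, not from a real machine).
SAMPLE_SYSTEM_HIVE: Hive = {
    "Select": {
        "Current": (REG_DWORD, struct.pack("<I", 2)),
        "Default": (REG_DWORD, struct.pack("<I", 2)),
        "LastKnownGood": (REG_DWORD, struct.pack("<I", 1)),
    },
    r"ControlSet001\Control\CrashControl": {
        "DumpFile": (REG_EXPAND_SZ, utf16z(r"%SystemRoot%\OLD.DMP")),
    },
    r"ControlSet002\Control\CrashControl": {
        "DumpFile": (REG_EXPAND_SZ, utf16z(r"%SystemRoot%\MEMORY.DMP")),
        "CrashDumpEnabled": (REG_DWORD, struct.pack("<I", 3)),
        "LogEvent": (REG_BINARY, bytes(range(20))),
    },
}


def current_control_set(hive: Hive) -> str:
    """Step (a): read Select\\Current and turn it into the concrete ControlSet00N key name."""
    vtype, raw = hive["Select"]["Current"]
    if vtype != REG_DWORD or len(raw) != 4:
        raise ValueError("Select\\Current is not a REG_DWORD")
    return "ControlSet%03d" % struct.unpack("<I", raw)[0]


def resolve_path(hive: Hive, path: str) -> Tuple[str, str]:
    """Split 'HKLM\\System\\CurrentControlSet\\...\\Value' into (key path inside the hive, value name),
    substituting the real ControlSet for the CurrentControlSet alias."""
    parts = path.split("\\")
    # HKLM\System is implied when working directly on an offline SYSTEM hive file.
    if len(parts) >= 2 and parts[0].upper() == "HKLM" and parts[1].upper() == "SYSTEM":
        parts = parts[2:]
    if len(parts) < 2:
        raise ValueError("path must name both a key and a value")
    if parts[0].lower() == "currentcontrolset":
        parts[0] = current_control_set(hive)
    return "\\".join(parts[:-1]), parts[-1]


def hexdump(data: bytes, width: int = 16) -> str:
    """Translation routine for binary data: offset, hex bytes, printable ASCII per line."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (off, width * 3 - 1, hexpart, ascii_part))
    return "\n".join(lines)


def decode_value(vtype: int, raw: bytes) -> str:
    """Render raw value data according to its registry type."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if vtype == REG_MULTI_SZ:
        return "|".join(s for s in raw.decode("utf-16-le", errors="replace").split("\x00") if s)
    if vtype == REG_DWORD and len(raw) == 4:
        n = struct.unpack("<I", raw)[0]
        return "0x%08x (%d)" % (n, n)
    # REG_BINARY and any type we do not interpret: dump it rather than emitting raw bytes.
    return hexdump(raw)


def lookup(hive: Hive, path: str) -> Optional[Tuple[str, str, int, str]]:
    """Steps (b) and (c): locate the value and return (key, name, type, decoded data), or None."""
    key, name = resolve_path(hive, path)
    values = hive.get(key)
    if values is None or name not in values:
        return None
    vtype, raw = values[name]
    return key, name, vtype, decode_value(vtype, raw)


if __name__ == "__main__":
    for p in (r"HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile",
              r"HKLM\System\CurrentControlSet\Control\CrashControl\LogEvent"):
        hit = lookup(SAMPLE_SYSTEM_HIVE, p)
        print(p, "->", "not found" if hit is None else "%s (type %d):\n%s" % (hit[0], hit[2], hit[3]))
```

On the "Wide character in print" question in the thread: Perl emits that warning when a string containing characters above 0xFF is printed to a filehandle that has no encoding layer, and REG_SZ data decoded from UTF-16LE is a typical source; binmode(STDOUT, ':utf8') or an :encoding(UTF-8) layer on the output handle removes it. The Python version above avoids the issue by decoding explicitly and leaving the output encoding to the caller.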


   