Registry query

25 Posts
11 Users
0 Reactions
2,347 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Thomas,

I'm not sure I see the point of your posting…it's common knowledge that RegRipper uses ParseWin32Registry, but James's (excellent) scripts also do not do what RegRipper does. Even if it did, what would be the point of running his scripts…if they rely on the same foundation, then how would they be used to verify RegRipper? At that point, the only real difference is the logic.

Can you provide some insight as to where you're headed with the information referring to James's work?

Thanks.


   
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

First, I will agree that there isn't a tool out there that does exactly what RegRipper does. If there were 2 tools out there that did the same thing, then I would say that the author of the 2nd tool wasted their time unfortunately.

That being said, there is a need for one to test, experiment and verify that the results produced by a tool, such as RegRipper, are correct and accurate. Taking RegRipper as an example, one can use RegistryViewer to make sure that all of the subkeys under USBStor were output by RegRipper and that the information RegRipper reported as "S/N" was output correctly. Were all the values under MountedDevices reported? RegEdit can be used to export the last written dates for the keys. www.rot13.com can be used to compare the ROT13 values.

The question with using other tools to verify the output from RegRipper is do all of these different tools at the end of the day use the same Microsoft DLLs and do things like make calls to RegQueryValue and other similar MS registry APIs. If so, then one is only testing the implementation of those DLL calls. My point is that when comparing one tool against another, one has to understand in what way does the tool interact with the data. As an example, Paraben's E-mail Examiner (and I believe Encase) does not use MAPI to parse PSTs. Wave Software's Trident does. The results from those tools might be a good comparison as they attack the data from completely different angles.

One also should be careful in comparing tools against one another as I've seen more than one tool make the same mistake which was only found by attacking the data with 3, 4 or 5 different tools.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Greg,

The question with using other tools to verify the output from RegRipper is do all of these different tools at the end of the day use the same Microsoft DLLs and do things like make calls to RegQueryValue and other similar MS registry APIs. If so, then one is only testing the implementation of those DLL calls. My point is that when comparing one tool against another, one has to understand in what way does the tool interact with the data. As an example, Paraben's E-mail Examiner (and I believe Encase) does not use MAPI to parse PSTs. Wave Software's Trident does. The results from those tools might be a good comparison as they attack the data from completely different angles.

Excellent point, and one that I've made before, as well.

BTW, RegRipper doesn't use the MS APIs at all…


   
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

Greg,

BTW, RegRipper doesn't use the MS APIs at all…

So what do the Perl binaries use? I'm curious.

But I think that this is a good thing and allows for one to use tools that do use the MS APIs to compare and/or contrast the results output by RegRipper.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

So what do the Perl binaries use? I'm curious.

The Perl binaries themselves use MS APIs, but what I was getting at is that neither RegRipper nor the module that it's based on (James McFarlane's ParseWin32Registry) use any of the Reg* APIs or the MS Registry APIs. James's module is similar to my own previous tools that parse the hive file on a binary level, using APIs such as sysseek() and sysread().

I hope that's a bit more clear.


   
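The two points the thread converges on, Greg's (that a check is only independent if the second tool reaches the data by a different route than the first) and Harlan's (that RegRipper and ParseWin32Registry never call the Reg* APIs but read the hive at the byte level), can be shown together in one small script. What follows is an added example, not code from this thread, from RegRipper, or from ParseWin32Registry: it walks a REGF hive using nothing but offsets and struct unpacking, then diffs the key list it finds against a key list "reported" by some other tool, in the way one would check RegRipper's USBStor output against a second parser. The hive bytes, the USBStor-style key names, the timestamps and the REPORTED list are all constructed here for illustration; the builder covers only a single hbin, 'nk' cells with 8-bit names and 'li'/'lf'/'lh' subkey lists, so it is a reader for the checking exercise, not a general hive parser.

```python
"""Added example: an independent, binary-level walk of a REGF hive (the approach the thread
attributes to ParseWin32Registry), cross-checked against another tool's key list.
The hive bytes are constructed in memory; nothing is read from a live system."""
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
HBIN_BASE = 4096                    # cell offsets are relative to file offset 4096
NK_FMT = "<2sHQ" + "I" * 15 + "HH"  # fixed 76-byte part of an 'nk' key cell

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def regf_checksum(data):
    """XOR of the first 127 DWORDs of the base block; 0 and 0xFFFFFFFF are reserved."""
    x = 0
    for (dw,) in struct.iter_unpack("<I", data[:508]):
        x ^= dw
    return 0xFFFFFFFE if x == 0xFFFFFFFF else (1 if x == 0 else x)

# Builder for the constructed sample hive: one hbin holding a root key and its subkeys.
def _alloc(hbin, payload):
    """Append an allocated cell (negative size field, 8-byte aligned); return its offset."""
    off, size = len(hbin), (4 + len(payload) + 7) & ~7
    hbin += struct.pack("<i", -size) + payload + b"\x00" * (size - 4 - len(payload))
    return off

def _nk(name, last_write, parent, subkey_list, n_subkeys):
    raw = name.encode("ascii")  # flag 0x20 (KEY_COMP_NAME): name stored as 8-bit chars
    return struct.pack(NK_FMT, b"nk", 0x20, datetime_to_filetime(last_write), 0, parent, n_subkeys,
                       0, subkey_list, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
                       0, 0, 0, 0, 0, len(raw), 0) + raw

def build_hive(subkeys):
    """subkeys: list of (name, last-write datetime) to hang under the root key."""
    hbin = bytearray(32)  # hbin header is filled in once the cells are laid out
    children = [_alloc(hbin, _nk(n, ts, 0, 0xFFFFFFFF, 0)) for n, ts in subkeys]
    li = struct.pack("<2sH", b"li", len(children)) + b"".join(struct.pack("<I", c) for c in children)
    list_off = _alloc(hbin, li)
    root = _alloc(hbin, _nk("ROOT", datetime(2009, 1, 15, 12, 0, 0), 0xFFFFFFFF, list_off, len(children)))
    for c in children:  # back-patch each child's parent-offset field
        struct.pack_into("<I", hbin, c + 4 + 16, root)
    hbin += b"\x00" * (4096 - len(hbin))
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, 4096)
    header = bytearray(4096)  # regf, seq1, seq2, timestamp, major, minor, type, format, root, bins size
    struct.pack_into("<4sIIQIIIIII", header, 0, b"regf", 1, 1, 0, 1, 3, 0, 1, root, 4096)
    struct.pack_into("<I", header, 508, regf_checksum(header))
    return bytes(header + hbin)

# Parser: no Reg* API involved, only offsets and struct.
def validate_base_block(data):
    """Problems found in the 4 KiB base block (an empty list means it looks sane)."""
    if data[:4] != b"regf":
        return ["bad signature"]
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    problems = [] if seq1 == seq2 else ["sequence numbers differ: hive not cleanly written"]
    if struct.unpack_from("<I", data, 508)[0] != regf_checksum(data):
        problems.append("base block checksum mismatch")
    return problems

def _cell(data, off):
    size = struct.unpack_from("<i", data, HBIN_BASE + off)[0]
    if size >= 0:
        raise ValueError("reference to an unallocated cell at 0x%x" % off)
    return data[HBIN_BASE + off + 4:HBIN_BASE + off - size]

def _subkey_offsets(data, list_off):
    lst = _cell(data, list_off)
    sig, count = struct.unpack_from("<2sH", lst, 0)
    stride = {b"li": 4, b"lf": 8, b"lh": 8}[sig]  # lf/lh carry a 4-byte hash per entry ('ri' not handled)
    return [struct.unpack_from("<I", lst, 4 + stride * i)[0] for i in range(count)]

def _walk(data, off, parent_path, out):
    cell = _cell(data, off)
    if cell[:2] != b"nk":
        raise ValueError("expected an nk cell at 0x%x" % off)
    f = struct.unpack_from(NK_FMT, cell, 0)
    flags, ft, n_sub, list_off, name_len = f[1], f[2], f[5], f[7], f[18]
    name = cell[76:76 + name_len].decode("latin-1" if flags & 0x20 else "utf-16-le")
    path = f"{parent_path}\\{name}" if parent_path else name
    out[path] = filetime_to_datetime(ft)
    for sub in (_subkey_offsets(data, list_off) if n_sub else []):
        _walk(data, sub, path, out)

def parse_hive(data):
    """{key path: last-write datetime} for every key reachable from the root cell."""
    problems = validate_base_block(data)
    if problems:
        raise ValueError("; ".join(problems))
    out = {}
    _walk(data, struct.unpack_from("<I", data, 36)[0], "", out)
    return out

def diff_against_report(parsed, reported):
    """Keys we found that the other tool omitted, and keys it reported that we did not find."""
    return sorted(set(parsed) - set(reported)), sorted(set(reported) - set(parsed))

# Constructed sample: two USBStor-style device keys, plus a deliberately short key list
# standing in for another tool's output (it misses the second device).
HIVE = build_hive([("Disk&Ven_Generic&Prod_Flash&Rev_1.00", datetime(2009, 1, 10, 8, 30, 0)),
                   ("Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02", datetime(2009, 1, 12, 17, 5, 42))])
REPORTED = ["ROOT", "ROOT\\Disk&Ven_Generic&Prod_Flash&Rev_1.00"]

def run_check():
    keys = parse_hive(HIVE)
    return keys, diff_against_report(keys, REPORTED)
```

Running `run_check()` returns the three keys with their last-write times and reports the SanDisk key as missing from the other tool's list, which is the kind of discrepancy that only surfaces when the second reader does not share the first one's code path. The base-block check matters for the same reason: a hive whose sequence numbers disagree was not written out cleanly, and two tools that both ignore that state can agree with each other and still both be wrong.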
Page 3 / 3