I've been trying to get a copy of that tool, but couldn't find it anywhere. Its author is Peter Davies, and it's mentioned in this paper.
Why not use RegRipper???
I use it, but also want to have QuickCheck.
I use regripper on all of my cases. One of the first things I do is to dump the registry files and have a quick look through the regripper generated reports.
It's something to be getting on with whilst you're waiting for Encase or FTK to run scripts etc.
> I use it, but also want to have QuickCheck.
Have you contacted the author of the paper?
> I use regripper on all of my cases. One of the first things I do is to dump the registry files and have a quick look through the regripper generated reports.
> It's something to be getting on with whilst you're waiting for Encase or FTK to run scripts etc.
That's exactly how RegRipper was intended to be used.
Has anyone written their own plugins?
Has anyone found anything in the current plugins that is either missing, or could be displayed better?
Have you included the keys mentioned in the GuidanceSoft paper "Registry Quick Find Chart" by AccessData?
> I use regripper on all of my cases. One of the first things I do is to dump the registry files and have a quick look through the regripper generated reports.
> It's something to be getting on with whilst you're waiting for Encase or FTK to run scripts etc.
Do you have AD's Registry Viewer? I was wondering why use regripper if you have the Viewer Tool? I have never used it so I was wondering what benefit regripper would have over it.. Thanks
Rob
Nevermind… I am playing with regripper as we speak (or as I type as the case may be)… Pretty cool stuff.. I am going to validate it and if it works I will introduce it to my Computer Crime Taskforce guys.. 'Cause you can't overlook the registry eh?
How does she do with Vista NTUSER files?
Thanks!!
> How does she do with Vista NTUSER files?
I'm not sure I understand the question, really. There's no difference in the core, underlying structure (cells, nodes, etc.) of the NTUSER.DAT file on Vista from that of XP or other versions of Windows. Some hives within Vista have different keys, and as you're well aware already, there are Vista-specific plugins to RR.
If there's something specific that you're looking for in an NTUSER.DAT file from a Vista system that's not already covered by a plugin, all I ask is a description of what you're looking for and a sample hive file for testing, and I can usually turn around a plugin in fairly short order.