RegRipper v2.8 available  

keydet89
(@keydet89)
Community Legend

If you're a RegRipper user, you may want to take a look at this blog post:

http://windowsir.blogspot.com/2013/04/regripper-updates.html

thanks.

Posted : 30/04/2013 6:55 pm
jhup
(@jhup)
Community Legend

A continued, thank you.

Posted : 01/05/2013 10:03 pm
Chris55728
(@chris55728)
Junior Member

Thanks Harlan, appreciated.

Posted : 02/05/2013 4:21 pm
keydet89
(@keydet89)
Community Legend

Thanks, gents…I'd really appreciate your thoughts on the updates…

Posted : 02/05/2013 6:28 pm
Sonj
(@sonj)
New Member

System Hive - ControlSet001\Control\TimeZoneInformation
Bias and ActiveTimeBias values should be interpreted as signed integers, not unsigned

Posted : 17/05/2013 6:44 am
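The signed-versus-unsigned point raised in the post above, as an added example (not RegRipper's own code, which is Perl). The byte strings are constructed sample REG_DWORD data, and the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta

def parse_bias(raw):
    """Decode REG_DWORD data (4 bytes, little-endian) as a signed minute count."""
    if len(raw) != 4:
        raise ValueError("REG_DWORD data must be exactly 4 bytes")
    return struct.unpack("<i", raw)[0]  # "<I" would give the unsigned reading

def utc_offset(bias_minutes):
    """Windows defines UTC = local time + bias, so the UTC offset is -bias."""
    total = -bias_minutes
    sign = "+" if total >= 0 else "-"
    hours, minutes = divmod(abs(total), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"

def describe(bias_raw, active_raw):
    """Summarise Bias and ActiveTimeBias, keeping the unsigned misreading for comparison."""
    bias, active = parse_bias(bias_raw), parse_bias(active_raw)
    return {
        "standard": utc_offset(bias),
        "active": utc_offset(active),
        # ActiveTimeBias differs from Bias while a daylight adjustment applies.
        "dst_in_effect": active != bias,
        "unsigned_misread": struct.unpack("<I", active_raw)[0],
    }

def local_to_utc(local, active_raw):
    """Convert a local-time artifact to UTC using the signed ActiveTimeBias."""
    return local + timedelta(minutes=parse_bias(active_raw))

# Constructed sample data: (Bias, ActiveTimeBias) as raw REG_DWORD bytes.
EAST_OF_UTC = (bytes.fromhex("c4ffffff"), bytes.fromhex("88ffffff"))  # -60, -120
WEST_OF_UTC = (bytes.fromhex("2c010000"), bytes.fromhex("f0000000"))  # 300, 240

if __name__ == "__main__":
    for label, pair in (("east", EAST_OF_UTC), ("west", WEST_OF_UTC)):
        print(label, describe(*pair))
    print(local_to_utc(datetime(2013, 5, 17, 9, 30), EAST_OF_UTC[1]))
```

Systems west of UTC have positive bias values and decode identically either way, so the defect only shows up on hives from zones east of UTC.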
DennisMcr
(@dennismcr)
New Member

I think it says "password not required" when one is required on a Windows 7 Home Premium, Version 6.1, SP1 machine. This applied to 2 user accounts on the same computer.

My reasons for saying this are:

Ophcrack has found a password.
There is a password hint.
There was an incorrect password logon attempt at 0749
There was a logon at 0755
The computer was seized at 0830
ForensicUserInfo also says a password is required.

Unfortunately I'm unable to VM this computer.

Posted : 17/05/2013 3:12 pm
randomaccess
(@randomaccess)
Active Member

Yeah, I've found ophcrack to be reliable at telling if there was a password on an account. I vaguely remember Harlan mentioning in one of his books that the "password required" doesn't relate to whether there is a password currently set, but I may be mistaken; unfortunately my copies of the books are at work so I can't check.

> Unfortunately I'm unable to VM this computer.

How come you aren't able to get a VM working? Have you checked out the tutorials on justaskweg.com? I've found them incredibly helpful.

Posted : 17/05/2013 6:09 pm
TuckerHST
(@tuckerhst)
Active Member

> How come you aren't able to get a VM working? Have you checked out the tutorials on justaskweg.com? I've found them incredibly helpful.

Thanks for the tip on VM troubleshooting. I wasn't familiar with justaskweg.com.

Posted : 17/05/2013 10:16 pm
randomaccess
(@randomaccess)
Active Member

>> How come you aren't able to get a VM working? Have you checked out the tutorials on justaskweg.com? I've found them incredibly helpful.

> Thanks for the tip on VM troubleshooting. I wasn't familiar with justaskweg.com.

No problem. Jimmy is also very helpful if you post a comment on his blog; he'll respond quite quickly with a potential fix.
Also, I've heard that a new version of liveview is floating around that also might work.

Posted : 18/05/2013 4:16 am
keydet89
(@keydet89)
Community Legend

> I think it says "password not required" when one is required on a Windows 7 Home Premium, Version 6.1, SP1 machine. This applied to 2 user accounts on the same computer.
>
> My reasons for saying this are:
>
> Ophcrack has found a password.
> There is a password hint.
> There was an incorrect password logon attempt at 0749
> There was a logon at 0755
> The computer was seized at 0830
> ForensicUserInfo also says a password is required.
>
> Unfortunately I'm unable to VM this computer.

If you're able to show/demo that the flag setting is incorrectly represented, please do so and I'll be more than happy to address it.

The "password not required" entry is a flag setting, and means simply that…that a password is not required
http://technet.microsoft.com/en-us/library/cc755423(v=ws.10).aspx

It does NOT mean that the account does not have a password…it means that if account policies are set on the system, with respect to password complexity, length, etc., that they do not apply to that account. That's all it means. Again, it does NOT mean that the account does not have a password.

There is a sidebar on Pg 93 of "Windows Registry Forensics" that addresses this setting.

Posted : 20/05/2013 4:32 pm
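The distinction drawn in the reply above, as an added example (not RegRipper's code): the "password not required" account-control bit and the presence of stored hash data are separate fields in the SAM. The offsets used (account-control bits at 0x38 of the F value, NT hash entry at 0xA8 of the V value, a 4-byte entry meaning no hash) follow the commonly documented SAM layout and are assumptions here; the sample values are constructed.

```python
import struct

# Subset of account-control bits as commonly documented for the SAM F value.
ACB_FLAGS = {
    0x0001: "Account Disabled",
    0x0004: "Password not required",
    0x0010: "Normal user account",
    0x0200: "Password does not expire",
}
F_ACB_OFFSET = 0x38      # assumption: 16-bit account-control bits in the F value
V_NT_HASH_ENTRY = 0xA8   # assumption: (offset, length) DWORD pair in the V value

def acb_flags(f_value):
    """Return the names of the account-control bits set in a SAM F value."""
    if len(f_value) < F_ACB_OFFSET + 2:
        raise ValueError("F value too short")
    (bits,) = struct.unpack_from("<H", f_value, F_ACB_OFFSET)
    return [name for bit, name in ACB_FLAGS.items() if bits & bit]

def nt_hash_stored(v_value):
    """True when the NT hash entry holds more than its 4-byte header."""
    if len(v_value) < V_NT_HASH_ENTRY + 8:
        raise ValueError("V value too short")
    _offset, length = struct.unpack_from("<II", v_value, V_NT_HASH_ENTRY)
    return length > 4

def make_f(bits):
    """Constructed F value: zero-filled except for the account-control bits."""
    buf = bytearray(0x50)
    struct.pack_into("<H", buf, F_ACB_OFFSET, bits)
    return bytes(buf)

def make_v(nt_len):
    """Constructed V value: zero-filled header with only the NT hash entry set."""
    buf = bytearray(0xCC + nt_len)
    struct.pack_into("<II", buf, V_NT_HASH_ENTRY, 0, nt_len)
    return bytes(buf)

def summarize(f_value, v_value):
    """Report the flag and the hash presence side by side for one account."""
    return {
        "password_not_required_flag": "Password not required" in acb_flags(f_value),
        "hash_data_present": nt_hash_stored(v_value),
    }

if __name__ == "__main__":
    # Flag set AND hash data present: the situation described in the thread.
    print(summarize(make_f(0x0214), make_v(0x14)))
```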
Chris55728
(@chris55728)
Junior Member

Hi Harlan,

Sorry to resurrect this post but I've been having some problems with the Ares Perl script within RegRipper.

The log file provides the following information:

Thu Dec 12 13:16:18 2013 Launching ares v.20130312
Thu Dec 12 13:16:18 2013 Error in ares Can't call method "get_list_of_values" on an undefined value at G:\Program Files (x86)\RegRipper/plugins\ares.pl line 90.

Thu Dec 12 13:16:18 2013 1 plugins completed with errors.
Thu Dec 12 13:16:18 2013 ares complete.

The actual output from RegRipper is as follows:

Software\Ares
LastWrite Time Mon Dec 2 21:02:21 2013 (UTC)

RegisterEmail [email protected]
Stats.LstConnect xxx xxx n nnnnnn nnnn UTC
General.Language English
PrivateMessage.AwayMessage This is an automatic away message generated by Ares program, user isn't here now.

Search Terms
I know there are a large number of search terms in the NTUSER.DAT file as I've viewed them manually.

I'm running the latest version of RegRipper and have the latest plugins.

I've never used Perl otherwise I'd try to troubleshoot the problem myself to save bothering you. I'm assuming that 'get_list_of_values' is some sort of global subroutine as there are loads of other plugins that appear to call it so I'm a bit confused as to why the Ares plugin is the only one to fail.

Any help would be greatly appreciated.

Kind regards,

Chris

Posted : 13/12/2013 4:12 pm
keydet89
(@keydet89)
Community Legend

Chris,

I'd love to help…could you email this to me at keydet89 at yahoo dot com? If you forget it, the email address is in the header of the plugin.

This really isn't the place to address this issue.

Thanks.

Posted : 13/12/2013 5:13 pm
Chris55728
(@chris55728)
Junior Member

Hi Harlan,

Email sent directly to you.

Apologies for addressing it on here.

Cheers,

Chris

Posted : 13/12/2013 6:25 pm