The registry and Proof of usage  

youcefb9
(@youcefb9)
Junior Member

Hi Harlan,
I didn't know about your tool, but there is one truth I have to tell you; maybe this is shared by other readers as well.

The word "perl script" is off-putting. No matter how great your product is, it relates to a reliance on a complex installation of the Perl engine, setup, etc., just to dig out the value of one registry key. Imagine a busy analyst who needed to deliver results now; there is no time to play around with scripts.

I know that you can convert this to an exe, but for marketing's sake avoid the word Perl and you'll be laughing (by the way, I have experienced the same situation with Autopsy; TSK is a great tool but Autopsy sucks).

As for open source vs. commercial, I am an advocate of the open source approach and I believe it has the upper hand in certain areas when compared to commercial tools. It's a long subject that requires a thread of its own.

By the way, you mentioned that your tool can read raw registry files. What do you mean by that? Are you implementing a reverse engineering technique to read the registry content, or do you mean you are using the Registry API to read the raw files?

Regards,

youcef

Posted : 12/11/2005 3:36 am
keydet89
(@keydet89)
Community Legend

youcefb9,

> The word "perl script" is off-putting. No matter how great your product is, it
> relates to a reliance on a complex installation of the Perl engine, setup

I'm sorry that you feel that way. From my perspective, there is nothing complex about the Perl installation. I even included an appendix in my book that describes how to (easily) set up Perl for use on a CD.

> just to dig out the value of one registry key.

My response was not intended to refer to looking for a single Registry key/value, but instead to show how powerful Perl can be for implementing or automating all sorts of analyst tasks.

> Imagine a busy analyst who needed to deliver results now; there is no
> time to play around with scripts.

Imagine the power at an analyst's fingertips if he has the scripts to retrieve the information he's looking for in an automated fashion, saving himself a great deal of time and effort.

> Are you implementing a reverse engineering technique to read the registry
> content, or do you mean you are using the Registry API to read the raw
> files?

Neither. The script(s) I mentioned open the raw Registry files in binary mode and parse through them, retrieving data. There is reverse engineering in the sense that the MS API is completely bypassed. This means that the same script can be used on Windows, Linux, Solaris, and even the Mac G5 (a different-endian architecture).

Harlan

Posted : 23/11/2005 4:20 pm
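To make Harlan's point concrete (open the hive in binary mode, parse the structures yourself, never touch the Win32 Registry API), here is an added example in Python; it is not code from this thread and not Harlan's Perl scripts. It parses the documented regf base block (signature, sequence numbers, XOR checksum, root cell offset), the root nk key cell and its vk value cells. Every field is unpacked with an explicit little-endian format, so it returns the same answers on a big-endian host as on Windows. The hive it reads is constructed in memory for the demo (helper names such as build_sample_hive, the key name "ROOT" and the two values are assumptions, not data from any real system); subkey lists, big-data cells and transaction logs are out of scope for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000  # hive bins follow the 4096-byte base block; cell offsets are relative to here
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME, VK_ASCII_NAME = 0x20, 0x1  # nk / vk flag bits meaning "name is stored as 8-bit chars"


def filetime_to_dt(ft):  # FILETIME: 100-ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def base_checksum(buf):  # XOR of the first 508 bytes as LE dwords, plus the two documented fix-ups
    csum = 0
    for (dw,) in struct.iter_unpack("<I", bytes(buf[:508])):
        csum ^= dw
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)


def cell(buf, off):  # payload of the cell at hbin-relative `off`; a negative size field = allocated
    size = struct.unpack_from("<i", buf, HBIN_BASE + off)[0]
    if size >= 0:
        raise ValueError("cell at 0x%x is not allocated" % off)
    return buf[HBIN_BASE + off + 4:HBIN_BASE + off - size]


def parse_base_block(buf):
    if buf[:4] != b"regf":
        raise ValueError("not a regf hive")
    seq1, seq2, ft, major, minor, _, _, root = struct.unpack_from("<IIQIIIII", buf, 4)
    if base_checksum(buf) != struct.unpack_from("<I", buf, 508)[0]:
        raise ValueError("base block checksum mismatch")
    # seq1 != seq2: the hive was not cleanly flushed, so a transaction log may hold newer data
    return {"version": (major, minor), "dirty": seq1 != seq2, "root": root,
            "last_write": filetime_to_dt(ft)}


def parse_vk(buf, off):
    c = cell(buf, off)
    if c[:2] != b"vk":
        raise ValueError("expected vk cell at 0x%x" % off)
    name_len, data_len, data_off, dtype, vflags = struct.unpack_from("<HIIIH", c, 2)
    name = c[0x14:0x14 + name_len].decode("latin-1" if vflags & VK_ASCII_NAME else "utf-16-le")
    if data_len & 0x80000000:  # bit 31: data of <= 4 bytes lives in the offset field itself
        data = struct.pack("<I", data_off)[:data_len & 0x7FFFFFFF]
    else:
        data = cell(buf, data_off)[:data_len]
    if dtype == 4:                     # REG_DWORD
        value = struct.unpack("<I", data)[0]
    elif dtype in (1, 2):              # REG_SZ / REG_EXPAND_SZ
        value = data.decode("utf-16-le").rstrip("\x00")
    else:
        value = data                   # anything else is handed back as raw bytes
    return {"name": name or "(Default)", "type": dtype, "data": value}


def parse_nk(buf, off):
    c = cell(buf, off)
    if c[:2] != b"nk":
        raise ValueError("expected nk cell at 0x%x" % off)
    f = struct.unpack_from("<HQ" + "I" * 15 + "HH", c, 2)  # the fixed 0x4C-byte nk header
    flags, ft, n_subkeys, n_vals, val_list, name_len = f[0], f[1], f[4], f[8], f[9], f[17]
    name = c[0x4C:0x4C + name_len].decode("latin-1" if flags & KEY_COMP_NAME else "utf-16-le")
    values = []
    if n_vals:  # the value list cell is a plain array of vk cell offsets
        for (voff,) in struct.iter_unpack("<I", cell(buf, val_list)[:4 * n_vals]):
            values.append(parse_vk(buf, voff))
    return {"name": name, "last_write": filetime_to_dt(ft), "n_subkeys": n_subkeys, "values": values}


def build_sample_hive():  # constructed demo hive: one hbin holding a root key with two values
    ft = int((datetime(2005, 11, 23, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    cells, offsets = [], {}

    def add(tag, payload):  # append an allocated, 8-byte-aligned cell and record its hbin offset
        offsets[tag] = 0x20 + sum(len(c) for c in cells)
        size = (4 + len(payload) + 7) & ~7
        cells.append(struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00"))
    add("v1", b"vk" + struct.pack("<HIIIHH", 6, 4 | 0x80000000, 42, 4, VK_ASCII_NAME, 0) + b"Status")
    sz = "perl".encode("utf-16-le") + b"\x00\x00"
    add("d2", sz)
    add("v2", b"vk" + struct.pack("<HIIIHH", 5, len(sz), offsets["d2"], 1, VK_ASCII_NAME, 0) + b"Shell")
    add("vl", struct.pack("<II", offsets["v1"], offsets["v2"]))
    nk_fixed = (0, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF, 2, offsets["vl"],
                0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 6, len(sz), 0)
    add("nk", b"nk" + struct.pack("<HQ" + "I" * 15 + "HH", 0x2C, ft, *nk_fixed, 4, 0) + b"ROOT")
    hbin = (b"hbin" + struct.pack("<II8xQI", 0, 0x1000, 0, 0) + b"".join(cells)).ljust(0x1000, b"\x00")
    base = bytearray(0x1000)
    base[:4] = b"regf"
    struct.pack_into("<IIQIIIIII", base, 4, 1, 1, ft, 1, 3, 0, 1, offsets["nk"], 0x1000)
    struct.pack_into("<I", base, 508, base_checksum(base))
    return bytes(base) + hbin


if __name__ == "__main__":
    hive = build_sample_hive()
    root = parse_nk(hive, parse_base_block(hive)["root"])
    print(root["name"], root["last_write"], [(v["name"], v["data"]) for v in root["values"]])
```

On a real case you would replace build_sample_hive() with open(path_to_hive_copy, "rb").read() on a SYSTEM or SOFTWARE file carved or copied from an image; the parser never asks the host OS to interpret the file, which is exactly why it is indifferent to the host being Windows, Linux or a big-endian Mac. The "dirty" flag is the practitioner's caveat: when the two sequence numbers differ, the hive on disk may be behind its transaction log, and the values you read may be stale.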