The registry and Proof of usage

andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Bottom of the site has a tool that seems to do what I mentioned above….I'll try @ home.

Andrew-

 
Posted : 09/11/2005 6:24 pm
(@ash368)
Posts: 17
Active Member
 

When I was getting WRA developed, one of the key areas that required attention was the ability to decrypt the User Assist Keys. Although WRA was sold to Paraben in May, I still have the free version available.

The links to WRA and WRA Guidance in 'Downloads' are not active. If anyone wants a copy of WRA or WRA Guidance, send an email to

ash368@btinternet.com

 
Posted : 10/11/2005 3:03 am
(@youcefb9)
Posts: 38
Eminent Member
Topic starter
 

Hi Ash368,
Indeed, WRA was the tool I've used to decrypt the UserAssist key. The least I can say about it is "superb".

The version I got is one of the oldest freeware versions. Would you please send me the latest freeware you have? Send it to youcefb9@hotmail.com

 
Posted : 10/11/2005 8:57 pm
mark777
(@mark777)
Posts: 101
Estimable Member
 

Ash368

Would appreciate a copy if you could. Tried emailing you, but Outlook says it does not recognise the e-mail address you give.

My e mail is mark777@mail2mark.com

Many Thanks

 
Posted : 11/11/2005 5:22 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Wow, this is pretty funny…I posted a link to a Perl script here not long ago that does exactly what you're asking, including "decrypting" the UserAssist keys.

The Perl script is run against the raw Registry file (in this case, NTUSER.DAT), and can be run on Linux, Windows, or even a Mac G5. The script can be "compiled" with Perl2Exe (I've done it) or PAR.

I still find it interesting how there's more of a reliance in this forum on closed source and commercial tools than there is on open source freeware, particularly those that (a) require a tiny bit more work than simply downloading an executable and (b) actually help you understand what's going on "under the hood".

Harlan

 
Posted : 11/11/2005 6:53 pm
(@youcefb9)
Posts: 38
Eminent Member
Topic starter
 

Hi Harlan,
I didn't know about your tool, but there is one truth I have to tell you; maybe this is shared by other readers as well.

The word "perl script" is off-putting. No matter how great your product is, it relates to a reliance on a complex installation of the Perl engine, setup, etc. just to dig the value of one registry key. Imagine a busy analyst that needed to deliver results now; there is no time to play around with scripts.

I know that you can convert this to an exe, but for marketing's sake avoid the word Perl and you'll be laughing (by the way, I have experienced the same situation with Autopsy: TSK is a great tool but Autopsy sucks).

As for open source vs. commercial, I am an advocate of the open source approach and I believe they have an upper hand in certain areas when compared to commercial tools. It's a long subject that requires a thread of its own.

By the way, you mentioned that your tool can read raw registry files. What do you mean by that? Are you implementing a reverse engineering technique to read the registry content, or do you mean you are using the Registry API to read the raw files?

regards

youcef

 
Posted : 12/11/2005 3:36 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

youcefb9,

> The word "perl script" is off-putting. No matter how great your product is, it
> relates to a reliance on a complex installation of the Perl engine, setup

I'm sorry that you feel that way. From my perspective, there is nothing complex about the Perl installation…I even included an appendix in my book that describes how to (easily) set up Perl for use on a CD.

> just to dig the value of one registry key.

My response was not intended to refer to looking for a single Registry key/value, but instead to show how powerful Perl can be for implementing or automating all sorts of analyst tasks.

> imagine a busy analyst that needed to deliver results now, there is no
> time to play around with scripts.

Imagine the power at an analyst's fingertips if he has the scripts to retrieve the information he's looking for in an automated fashion, saving himself a great deal of time and effort.

> are you implementing a reverse engineering technique to read the registry
> content or you mean you are using the the Registry API to read the raw
> files?

Neither. The script(s) I mentioned open the raw Registry files in binary mode and parse through them, retrieving data. There is reverse engineering in the sense that the MS API is completely bypassed. This means that the same script can be used on Windows, Linux, Solaris, and even the Mac G5 (different endian architecture).

Harlan

 
Posted : 23/11/2005 4:20 pm
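The two things this thread keeps circling back to are the UserAssist "decryption" Harlan's Perl script and Ash368's WRA perform, and what the decoded values actually contain. The block below is an added example for this thread; it is not WRA, not Harlan's script, and not code from any poster. It decodes UserAssist value names (ROT13, which is all the "encryption" is) and unpacks the data blob. The 16-byte layout (session id, run counter, FILETIME of last run) and the counter starting at 5 are assumptions matching the Windows XP/2003-era format this 2005 thread is about; later Windows versions use a longer record. The sample values are constructed, not pulled from a real NTUSER.DAT, and reading the raw hive itself (what Harlan describes his script doing in binary mode) is out of scope here: this takes the name/data pairs as already extracted from the Count subkey.

```python
"""
Decode Windows XP-era UserAssist entries: ROT13 value names plus the
16-byte session / run-counter / FILETIME data blob.

Added example for this forum thread; not the code of WRA or of the Perl
script discussed above.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption: XP/2003 UserAssist data layout, little-endian:
#   uint32 session id | uint32 run counter | uint64 FILETIME of last run
XP_RECORD = struct.Struct("<IIQ")
XP_COUNT_BIAS = 5  # assumption: XP's counter starts at 5 on the first launch


def rot13(name: str) -> str:
    """UserAssist value names are obfuscated with ROT13 over ASCII letters only."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int):
    """Convert a FILETIME to an aware UTC datetime; 0 means 'never recorded'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_userassist(name: str, data: bytes) -> dict:
    """Decode one XP-format UserAssist value into name, session, run count, last run."""
    if len(data) != XP_RECORD.size:
        raise ValueError(f"expected {XP_RECORD.size}-byte XP record, got {len(data)}")
    session, counter, ft = XP_RECORD.unpack(data)
    # Remove the bias so run_count reflects how often the item was launched.
    run_count = counter - XP_COUNT_BIAS if counter >= XP_COUNT_BIAS else 0
    return {
        "name": rot13(name),
        "session": session,
        "run_count": run_count,
        "last_run": filetime_to_datetime(ft),
    }


def decode_userassist_values(values):
    """Decode (encoded_name, raw_data) pairs as read from a UserAssist Count subkey.

    Records that are not the 16-byte XP layout (e.g. UEME_CTLSESSION) still get
    their name decoded and keep the raw bytes for manual inspection.
    """
    decoded = []
    for name, data in values:
        try:
            decoded.append(parse_xp_userassist(name, data))
        except ValueError:
            decoded.append({"name": rot13(name), "session": None,
                            "run_count": None, "last_run": None, "raw": data})
    return decoded


# Constructed sample input (not from a real hive): calc.exe launched 7 times,
# plus the session-control value, which has a different, shorter blob.
SAMPLE_LAST_RUN = datetime(2005, 11, 12, 3, 36, 0, tzinfo=timezone.utc)
SAMPLE_VALUES = [
    ("HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr",
     XP_RECORD.pack(0x12, 7 + XP_COUNT_BIAS, datetime_to_filetime(SAMPLE_LAST_RUN))),
    ("HRZR_PGYFRFFVBA", b"\x12\x00\x00\x00\x01\x00\x00\x00"),
]

if __name__ == "__main__":
    for entry in decode_userassist_values(SAMPLE_VALUES):
        print(entry)
```

Two things worth checking on real data: the counter bias and record length differ between Windows versions, so a length check like the one above is the cheap way to notice you are looking at a newer hive, and a FILETIME of 0 is common for entries Windows wrote without a timestamp, so do not report it as a 1601 date.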