Using dual-tool verification we've experienced some issues using Windows Secret Explorer while examining the contents of the Windows protected storage area of the registry. The issue being that it was not finding items that EnCase was able to extract. Trouble is I happen to like WSE and the reports it produced - great to copy and paste into a report.
Does anyone have any recommendations for a WSE replacement?
Jonathan,
You could try PIEPR from Passcape. I was in correspondence with the author late last year requesting some improvements, but as yet have not seen any modifications.
http//
Allan S Hay
Thanks for that Allan - I'll have a look
> I was in correspondence with the author late last year requesting some improvements, but as yet have not seen any modifications.
Strange you should say that - we had the same problem with WSE; wrote some emails to the author pointing out errors, spelling mistakes, etc and no reply or acknowledgement. Didn't inspire us with confidence!
What particular items did EnCase find that WSE did not?
Did FTK find them?
That is really not odd where WSE or any other program for that matter misses particular items.
This is where people cross validating results is a must.
I have found that most people don't even attempt to run data recovery applications on an image to see what could be found. Program A might only be set up to look for 100 file signatures, while Program B might look for 20 but those 20 were not part of Program A's 100, etc.
Examiners should look for files which help exonerate as well as to prove guilt.
> What particular items did EnCase find that WSE did not?
> Did FTK find them?
> That is really not odd where WSE or any other program for that matter misses particular items.
WSE wasn't just missing particular items, it was failing to find anything at all in some cases, whereas EnCase with EDS found a number of keys. It is the inconsistency which is worrying.
I would say that missing items < not finding anything but still in the same boat.
>EnCase with EDS found a number of keys
Keys? as in master/private keys?
WSE does not look for those, as far as I know.
Those keys are used for SSL, code signing and most importantly EFS.
> >EnCase with EDS found a number of keys
> Keys? as in master/private keys?
> WSE does not look for those, as far as I know.
> Those keys are used for SSL, code signing and most importantly EFS.
No, as in registry key such as HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
> Jonathan wrote: No, as in registry key such as HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider
Hmm.. WSE *should* find those - the "encryption" is crappy due to the crappy key used.