Offline Registry Parser posted

keydet89
Senior Member
 

Offline Registry Parser posted

Posted: Sep 01, 05 01:44

All,

I've posted my offline Registry parser. See my blog entry:

windowsir.blogspot.com...arser.html

If you do download and try this script, I'd appreciate comment/feedback.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

andy1500mac
Senior Member
 

Re: Offline Registry Parser posted

Posted: Sep 03, 05 06:57

Hi Harlan,

Tried it on a couple of *.bak files (system, software) and it worked fine. As you said, it's best if you know beforehand what you are looking for and then search/grep the file.

It's a little easier on the eyes opening in a spreadsheet, although a few of the entries are slightly out of whack. I am not much of a programmer, limited to batches and simple scripts, so forgive my ignorance when I say that I received a:

"wide character in print at c:\perl\reg.pl line 133" as standard output while running the parser and don't know if it has any bearing on the outcome...

Andrew-  
 
  

keydet89
Senior Member
 

Re: Offline Registry Parser posted

Posted: Sep 04, 05 15:35

Andy,

Thanks for your comments.

It's a little easier on the eyes opening in a spreadsheet...

Well, it is Perl and open-source, so that such things can be easily modified.

...although a few of the entries are slightly out of whack.

I'm not sure what that means. Are they incorrect, do they "look funny", or what?

"wide character in print at c:\perl\reg.pl line 133"

Interesting. What kind of system were these files from? NT, 2K, XP, or 2K3?

Again, thanks for your comments.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  
 
  

andy1500mac
Senior Member
 

Re: Offline Registry Parser posted

Posted: Sep 05, 05 03:50

Harlan,

The file was taken from an XP pro machine (system.bak).

Sorry about the "out of whack"... I think the ones that didn't look "right" as I scrolled quickly through the file were just ASCII from some of the REG_Binary entries, and therefore normal output..?

Andrew-  
 
  

keydet89
Senior Member
 

Re: Offline Registry Parser posted

Posted: Sep 05, 05 15:52

As far as "wide character", I'll have to take a look...maybe run the program against some system.bak files I may have available.

Yes, those "whacked out" values are the REG_BINARY data types, uninterpreted. I've rewritten the code for that script, to make it cleaner and easier to manage/debug, and included a translation routine for binary data types.

The next step is to use the newer code as a basis for a script that searches for specific values. For example, the user can input "HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile", and the script will (a) determine which offline ControlSet to query, (b) locate the value, and (c) return the data.

Thanks for your input.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com  