Offline Registry Parser posted

5 Posts
2 Users
0 Likes
402 Views
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

All,

I've posted my offline Registry parser. See my blog entry

http://windowsir.blogspot.com/2005/08/offline-regisry-parser.html

If you do download and try this script, I'd appreciate comment/feedback.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 01/09/2005 1:44 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Hi Harlan,

Tried it on a couple of *.bak files (system, software) and it worked fine. As you said, it's best if you know beforehand what you are looking for and then search/grep the file.

It's a little easier on the eyes opening it in a spreadsheet, although a few of the entries are slightly out of whack. I am not much of a programmer, limited to batches and simple scripts, so forgive my ignorance when I say that I received a

"wide character in print at c:\perl\reg.pl line 133" as standard output while running the parser and don't know if it has any bearing on the outcome…

Andrew-

 
Posted : 03/09/2005 6:57 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Andy,

Thanks for your comments.

It's a little easier on the eyes opening in a spreadsheet…

Well, it is Perl and open-source, so that such things can be easily modified.

…although a few of the entries are slightly out of whack.

I'm not sure what that means. Are they incorrect, do they "look funny", or what?

"wide character in print at c:\perl\reg.pl line 133"

Interesting. What kind of system were these files from? NT, 2K, XP, or 2K3?

Again, thanks for your comments.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 04/09/2005 3:35 pm
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

Harlan,

The file was taken from an XP pro machine (system.bak).

Sorry about the "out of whack"… I think the ones that didn't look "right" as I scrolled quickly through the file were just ASCII from some of the REG_BINARY entries, and therefore normal output..?

Andrew-

 
Posted : 05/09/2005 3:50 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

As far as "wide character", I'll have to take a look…maybe run the program against some system.bak files I may have available.

Yes, those "whacked out" values are the REG_BINARY data types, uninterpreted. I've rewritten the code for that script, to make it cleaner and easier to manage/debug, and included a translation routine for binary data types.

The next step is to use the newer code as a basis for a script that searches for specific values. For example, the user can input "HKLM\System\CurrentControlSet\Control\CrashControl\DumpFile", and the script will (a) determine which offline ControlSet to query, (b) locate the value, and (c) return the data.

Thanks for your input.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 05/09/2005 3:52 pm
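The lookup Harlan sketches above (resolve CurrentControlSet in an offline SYSTEM hive, find the value, return the data) and the "translation routine" that keeps REG_BINARY and UTF-16 string data from printing as garbage can be shown end to end in a few functions. The following is an added example written for this thread in Python; it is not Harlan's Perl script and does not parse the regf file format. The hive is a constructed in-memory tree standing in for what a hive parser would return, with raw bytes stored as they sit on disk (strings as NUL-terminated UTF-16LE, DWORDs little-endian). The one fact it relies on is how Windows itself defines CurrentControlSet: the REG_DWORD at SYSTEM\Select\Current names the ControlSet00N key that is current. The value names and data below are sample values, not taken from any real system.

```python
"""Resolve a CurrentControlSet path against an offline SYSTEM hive and
render the value data by type (constructed example, not the thread's script)."""

# Documented Windows registry value type codes.
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4
REG_MULTI_SZ = 7

# Constructed stand-in for a parsed offline SYSTEM hive: subkeys are dicts,
# values are (type, raw_bytes) tuples. Two control sets are present so the
# Select\Current indirection actually matters.
SYSTEM_HIVE = {
    "Select": {
        "Current": (REG_DWORD, (1).to_bytes(4, "little")),
        "LastKnownGood": (REG_DWORD, (2).to_bytes(4, "little")),
    },
    "ControlSet001": {
        "Control": {
            "CrashControl": {
                "DumpFile": (REG_EXPAND_SZ,
                             "%SystemRoot%\\MEMORY.DMP\0".encode("utf-16-le")),
                "CrashDumpEnabled": (REG_DWORD, (2).to_bytes(4, "little")),
                "Blob": (REG_BINARY, b"\x01\x00ab"),
            },
        },
    },
    "ControlSet002": {
        "Control": {
            "CrashControl": {
                "DumpFile": (REG_EXPAND_SZ, "C:\\old.dmp\0".encode("utf-16-le")),
            },
        },
    },
}


def _child(node, name):
    """Case-insensitive child lookup; registry key/value names are not case-sensitive."""
    if not isinstance(node, dict):
        raise KeyError("%s: parent is a value, not a key" % name)
    for key, item in node.items():
        if key.lower() == name.lower():
            return item
    raise KeyError(name)


def current_control_set(hive):
    """Step (a): read Select\\Current and map it to the ControlSet00N key name."""
    vtype, raw = _child(_child(hive, "Select"), "Current")
    if vtype != REG_DWORD or len(raw) != 4:
        raise ValueError("Select\\Current is not a 4-byte REG_DWORD")
    return "ControlSet%03d" % int.from_bytes(raw, "little")


def lookup_value(hive, path):
    """Step (b): walk a path such as HKLM\\System\\CurrentControlSet\\...\\DumpFile.

    Returns (resolved control set name, (type, raw_bytes))."""
    parts = [p for p in path.split("\\") if p]
    # The offline hive has no HKLM or SYSTEM root; drop those prefixes if typed.
    while parts and parts[0].upper() in ("HKLM", "HKEY_LOCAL_MACHINE", "SYSTEM"):
        parts = parts[1:]
    if len(parts) < 2:
        raise KeyError("path must name at least a key and a value: %r" % path)
    if parts[0].lower() == "currentcontrolset":
        parts[0] = current_control_set(hive)
    node = hive
    for name in parts[:-1]:
        node = _child(node, name)
    value = _child(node, parts[-1])
    if not isinstance(value, tuple):
        raise KeyError("%s is a key, not a value" % path)
    return parts[0], value


def hexdump(data, width=16):
    """Offset / hex / printable-ASCII dump for REG_BINARY and unknown types."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (off, width * 3 - 1, hexpart, ascii_part))
    return "\n".join(lines)


def render_value(vtype, raw):
    """Step (c): turn raw on-disk bytes into something printable, by type.

    Hive strings are UTF-16LE; decoding them here (instead of printing the raw
    bytes) is what avoids both the odd ASCII and wide-character output."""
    if vtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le", errors="replace").rstrip("\0")
    if vtype == REG_MULTI_SZ:
        return [s for s in raw.decode("utf-16-le", errors="replace").split("\0") if s]
    if vtype == REG_DWORD and len(raw) == 4:
        return int.from_bytes(raw, "little")
    return hexdump(raw)


def query(hive, path):
    """Convenience wrapper: (control set used, rendered data)."""
    control_set, (vtype, raw) = lookup_value(hive, path)
    return control_set, render_value(vtype, raw)


if __name__ == "__main__":
    for p in ("HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\DumpFile",
              "HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\Blob"):
        cs, data = query(SYSTEM_HIVE, p)
        print("%s (via %s):\n%s" % (p, cs, data))
```

The same DumpFile name exists under both control sets with different data; because Select\Current is 1, the query answers from ControlSet001. To examine the last-known-good configuration instead, read Select\LastKnownGood the same way and substitute that key name.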