RegRipper v2.8 avai...
 
Notifications
Clear all

RegRipper v2.8 available

13 Posts
7 Users
0 Likes
1,676 Views
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

If you're a RegRipper user, you may want to take a look at this blog post

http//windowsir.blogspot.com/2013/04/regripper-updates.html

thanks.

 
Posted : 30/04/2013 5:55 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

A continued, thank you.

 
Posted : 01/05/2013 9:03 pm
(@chris55728)
Posts: 49
Eminent Member
 

Thanks Harlan, appreciated.

 
Posted : 02/05/2013 3:21 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

Thanks, gents…I'd really appreciate your thoughts on the updates…

 
Posted : 02/05/2013 5:28 pm
Sonj
 Sonj
(@sonj)
Posts: 7
Active Member
 

System Hive - ControlSet001\Control\TimeZoneInformation
Bias and ActiveTimeBias values should be interpreted as signed integers, not unsigned

 
Posted : 17/05/2013 5:44 am
(@dennismcr)
Posts: 3
New Member
 

I think it says "password not required" when one is required on a Windows 7 Home Premium, Version 6.1, SP1 machine. This applied to 2 user accounts on the same computer.

My reasons for saying this are

Ophcrack has found a password.
There is a password hint.
There was an incorrect password logon attempt at 0749
There was a logon at 0755
The computer was seized at 0830
ForensicUserInfo also says a password is required.

Unfortunately I'm unable to VM this computer.

 
Posted : 17/05/2013 2:12 pm
(@randomaccess)
Posts: 385
Reputable Member
 

Yeah I've found ophcrack to be reliable at telling if there was a password on an account. I vaguely remember harlan mentioning in one of his books that the "password required' doesnt relate to whether there is a password currently set, but I may be mistaken; unfortunately my copies of the books are at work so I can't check.

Unfortunately I'm unable to VM this computer.

how come you aren't able to get a VM working? have you checked out the tutorials on justaskweg.com; I've found them incredibly helpful

 
Posted : 17/05/2013 5:09 pm
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

how come you aren't able to get a VM working? have you checked out the tutorials on justaskweg.com; I've found them incredibly helpful

Thanks for the tip on VM troubleshooting. I wasn't familiar with justaskweg.com

 
Posted : 17/05/2013 9:16 pm
(@randomaccess)
Posts: 385
Reputable Member
 

how come you aren't able to get a VM working? have you checked out the tutorials on justaskweg.com; I've found them incredibly helpful

Thanks for the tip on VM troubleshooting. I wasn't familiar with justaskweg.com

no problem. jimmy is also very helpful if you post a comment on his blog; he'll respond quite quickly with a potential fix.
also ive heard that a new version of liveview is floating around that also might work

 
Posted : 18/05/2013 3:16 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
Topic starter
 

I think it says "password not required" when one is required on a Windows 7 Home Premium, Version 6.1, SP1 machine. This applied to 2 user accounts on the same computer.

My reasons for saying this are

Ophcrack has found a password.
There is a password hint.
There was an incorrect password logon attempt at 0749
There was a logon at 0755
The computer was seized at 0830
ForensicUserInfo also says a password is required.

Unfortunately I'm unable to VM this computer.

If you're able to show/demo that the flag setting is incorrectly represented, please do so and I'll be more than happy to address it.

The "password not required" entry is a flag setting, and means simply that…that a password is not required
http//technet.microsoft.com/en-us/library/cc755423(v=ws.10).aspx

It does NOT mean that the account does not have a password…it means that if account policies are set on the system, with respect to password complexity, length, etc., that they do not apply to that account. That's all it means. Again, it does NOT mean that the account does not have a password.

There is a sidebar on Pg 93 of "Windows Registry Forensics" that addresses this setting.

 
Posted : 20/05/2013 3:32 pm
Page 1 / 2
Share: