The registry and Proof of usage


keydet89
Senior Member
 

Re: The registry and Proof of usage

Post Posted: Nov 11, 05 19:53

Wow, this is pretty funny...I posted a link to a Perl script here not long ago that does exactly what you're asking, including "decrypting" the UserAssist keys.

The Perl script is run against the raw Registry file (in this case, NTUSER.DAT), and can be run on Linux, Windows, or even a Mac G5. The script can be "compiled" with Perl2Exe (I've done it) or PAR.

I still find it interesting how there's more of a reliance in this forum on closed source and commercial tools than there is on open source freeware, particularly those that (a) require a tiny bit more work than simply downloading an executable and (b) actually help you understand what's going on "under the hood".

Harlan  
 
  

youcefb9
Member
 

Re: The registry and Proof of usage

Post Posted: Nov 12, 05 04:36

Hi Harlan,
I didn't know about your tool, but there is one truth I have to tell you; maybe this is shared by other readers as well.

The word "Perl script" is off-putting. No matter how great your product is, it relates to a reliance on a complex installation of the Perl engine, setup, etc. just to dig out the value of one registry key. Imagine a busy analyst that needs to deliver results now; there is no time to play around with scripts.

I know that you can convert this to an exe, but for marketing's sake avoid the word Perl and you'll be laughing (by the way, I have experienced the same situation with Autopsy; TSK is a great tool but Autopsy sucks).

As for open source vs. commercial, I am an advocate of the open source approach, and I believe it has the upper hand in certain areas when compared to commercial tools. It's a long subject that requires a thread of its own.

By the way, you mentioned that your tool can read raw registry files; what do you mean by that? Are you implementing a reverse engineering technique to read the registry content, or do you mean you are using the Registry API to read the raw files?


regards

youcef  
 
  

keydet89
Senior Member
 

Re: The registry and Proof of usage

Post Posted: Nov 23, 05 17:20

youcefb9,

> The word "Perl script" is off-putting. No matter how great your product is, it
> relates to a reliance on a complex installation of the Perl engine, setup

I'm sorry that you feel that way. From my perspective, there is nothing complex about the Perl installation...I even included an appendix in my book that describes how to (easily) set up Perl for use on a CD.

> just to dig out the value of one registry key.

My response was not intended to refer to looking for a single Registry key/value, but instead to show how powerful Perl can be for implementing or automating all sorts of analyst tasks.

> Imagine a busy analyst that needs to deliver results now; there is no
> time to play around with scripts.

Imagine the power at an analyst's fingertips if he has the scripts to retrieve the information he's looking for in an automated fashion, saving himself a great deal of time and effort.

> Are you implementing a reverse engineering technique to read the registry
> content, or do you mean you are using the Registry API to read the raw
> files?

Neither. The script(s) I mentioned open the raw Registry files in binary mode and parse through them, retrieving data. There is reverse engineering in the sense that the MS API is completely bypassed. This means that the same script can be used on Windows, Linux, Solaris, and even the Mac G5 (different endian architecture).

Harlan  
 
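Harlan's two posts above describe a script that opens NTUSER.DAT in binary mode, walks the hive structure itself instead of calling the Windows Registry API, and ROT-13 "decrypts" the UserAssist value names. What follows is an added example written for this page, not Harlan's Perl script or any code from the thread: it does the same job in Python against a small NTUSER.DAT that the script constructs in memory, so it runs offline. Everything about the sample is an assumption made here rather than something taken from the thread: the GUID {75048700-EF1F-11D0-9888-006097DEACF9}, the 16-byte session/count/FILETIME value layout and the "counter starts at 5" convention are the Windows XP-era ones (the OS a 2005 thread would have been looking at); the regf, hbin, nk, vk and lf cell layouts follow the public hive-format documentation, and the builder writes only the subset of fields the reader needs.

```python
import codecs, datetime, functools, operator, struct

UA_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
EPOCH = datetime.datetime(1601, 1, 1)           # FILETIME epoch; one tick is 100 ns

def regf_checksum(base):                        # XOR of the first 508 bytes as DWORDs; 0 -> 1, ~0 -> ~0 - 1
    chk = functools.reduce(operator.xor, (w for (w,) in struct.iter_unpack("<I", base[:508])))
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(chk, chk)

class RawHive:                                  # reads regf cells directly; offsets are relative to file offset 0x1000
    def __init__(self, data):
        if data[:4] != b"regf" or regf_checksum(data) != struct.unpack_from("<I", data, 508)[0]:
            raise ValueError("not a regf hive, or base-block checksum mismatch")
        self.data, self.root = data, struct.unpack_from("<I", data, 36)[0]

    def cell(self, off):                        # 4-byte size prefix; negative means the cell is allocated
        size = struct.unpack_from("<i", self.data, 0x1000 + off)[0]
        return self.data[0x1004 + off:0x1000 + off + abs(size)]

    def key(self, off):                         # -> (name, nsubkeys, subkey list off, nvalues, value list off)
        c = self.cell(off)
        if c[:2] != b"nk":
            raise ValueError("expected nk cell at 0x%x" % off)
        nsub, _, sublist, _, nval, vallist = struct.unpack_from("<6I", c, 20)
        return c[76:76 + struct.unpack_from("<H", c, 72)[0]].decode("latin-1"), nsub, sublist, nval, vallist

    def subkeys(self, off):                     # lf/lh entries are offset+hash (8 bytes); li entries are 4
        _, nsub, sublist, _, _ = self.key(off)
        lst = self.cell(sublist) if nsub else b""
        for i in range(nsub):
            yield struct.unpack_from("<I", lst, 4 + i * (4 if lst[:2] == b"li" else 8))[0]

    def child(self, off, name):                 # case-insensitive, as the Windows API resolves names
        return next(s for s in self.subkeys(off) if self.key(s)[0].lower() == name.lower())

    def values(self, off):                      # -> (name, type, data) for each vk cell of the key
        _, _, _, nval, vallist = self.key(off)
        for (voff,) in struct.iter_unpack("<I", self.cell(vallist)[:4 * nval]) if nval else ():
            v = self.cell(voff)
            namelen, dlen, doff, vtype = struct.unpack_from("<HIII", v, 2)
            inline = dlen & 0x80000000          # data of <= 4 bytes is stored in the offset field itself
            data = v[8:8 + (dlen & 0x7FFFFFFF)] if inline else self.cell(doff)[:dlen]
            yield v[20:20 + namelen].decode("latin-1"), vtype, data

def userassist_entries(hive_bytes):             # -> [(GUID, decoded name, session, runs, last run UTC)]
    hive, out = RawHive(hive_bytes), []
    ua = functools.reduce(hive.child, UA_PATH.split("\\"), hive.root)
    for guid_off in hive.subkeys(ua):
        for name, _, data in hive.values(hive.child(guid_off, "Count")):
            session, count, ft = struct.unpack_from("<IIQ", data)   # assumed XP layout; Vista and later differ
            last = EPOCH + datetime.timedelta(microseconds=ft // 10)
            # assumed XP convention: the counter starts at 5, so report the stored value minus 5
            out.append((hive.key(guid_off)[0], codecs.decode(name, "rot_13"), session, count - 5, last))
    return out

class HiveBuilder:                              # constructs a one-hbin hive in memory; not a real NTUSER.DAT
    def __init__(self):
        self.body = bytearray()

    def cell(self, payload):                    # 8-byte aligned cell; the first follows the 32-byte hbin header
        size = (len(payload) + 4 + 7) & ~7
        self.body += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return 0x20 + len(self.body) - size

    def value(self, name, data, vtype=3):       # 3 = REG_BINARY, flag 1 = ASCII name; data always out of line
        return self.cell(b"vk" + struct.pack("<HIIIHH", len(name), len(data), self.cell(data), vtype, 1, 0) + name)

    def key(self, name, subkeys=(), values=(), parent=0xFFFFFFFF):
        nk = self.cell(bytes(76 + len(name)))   # reserve first: children need the parent offset
        subs = [self.key(n, s, v, nk) for n, s, v in subkeys]
        vals = [self.value(n, d) for n, d in values]
        lf = self.cell(b"lf" + struct.pack("<H", len(subs)) + b"".join(struct.pack("<I", o) + bytes(4) for o in subs)) if subs else 0xFFFFFFFF
        vl = self.cell(b"".join(struct.pack("<I", o) for o in vals)) if vals else 0xFFFFFFFF
        hdr = b"nk" + struct.pack("<H", 0x2C if parent == 0xFFFFFFFF else 0x20) + bytes(8) + struct.pack(
            "<15IHH", 0, parent, len(subs), 0, lf, 0xFFFFFFFF, len(vals), vl, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(name), 0) + name
        self.body[nk - 0x1C:nk - 0x1C + len(hdr)] = hdr
        return nk

    def finish(self, root):                     # 4 KiB checksummed base block followed by the single hbin
        hsize = (0x20 + len(self.body) + 0xFFF) & ~0xFFF
        hbin = (b"hbin" + struct.pack("<II", 0, hsize)).ljust(0x20, b"\0") + bytes(self.body)
        base = (b"regf" + struct.pack("<IIQIIIIII", 1, 1, 0, 1, 3, 0, 1, root, hsize)).ljust(508, b"\0")
        return (base + struct.pack("<I", regf_checksum(base))).ljust(0x1000, b"\0") + hbin.ljust(hsize, b"\0")

def build_sample_hive():                        # constructed sample: one assumed XP-era GUID, two ROT-13 Count entries
    runs = [("UEME_RUNPATH:C:\\WINDOWS\\system32\\cmd.exe", 3, 7, datetime.datetime(2005, 11, 11, 19, 53)),
            ("UEME_RUNPIDL:%csidl2%\\Accessories\\Notepad.lnk", 3, 6, datetime.datetime(2005, 11, 12, 4, 36))]
    values = [(codecs.encode(n, "rot_13").encode(), struct.pack("<IIQ", s, c, (t - EPOCH) // datetime.timedelta(microseconds=1) * 10))
              for n, s, c, t in runs]             # FILETIME via integer arithmetic so the ticks round-trip exactly
    node = (b"{75048700-EF1F-11D0-9888-006097DEACF9}", ((b"Count", (), values),), ())
    for part in reversed(UA_PATH.encode().split(b"\\")):
        node = (part, (node,), ())
    builder = HiveBuilder()
    return builder.finish(builder.key(b"$$$PROTO.HIV", (node,)))

if __name__ == "__main__":
    for guid, name, session, runs, last in userassist_entries(build_sample_hive()):
        print("%s session=%d runs=%d last=%s %s" % (guid, session, runs, last.isoformat(" "), name))
```

Nothing here touches a live registry, which is Harlan's point about bypassing the API: the same file parses on Linux or a Mac, and the explicit `<` in every struct format string is what keeps the big-endian G5 case honest. The base-block checksum is a cheap check that catches a truncated or partially overwritten hive before any offset is followed. Real hives also use `lh` lists with a different hash, `ri` indirection for very large keys, inline storage for values of four bytes or less (read by `values()`, never written by this builder), and, from Vista on, a different UserAssist value layout, so treat this as a reading aid rather than a production parser.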
