Showing posts from May, 2012

Exploring Internet Explorer with RegRipper

In the last case... I was feeling that some Internet Explorer artifacts were missing, so I decided to take a look at the RegRipper plugins that parse the user registry NTUSER.DAT to see if they could help me. Honestly, I do not have a clear idea of where to search for a sign, since I usually get information from IE cache files and not from the registry.

RegRipper IE plugins mini-survey
There are actually 4 Internet Explorer plugins:

ie_main: (NTUSER) despite the description reported in the source file header ("the plugin Checks keys/values set by new version of Trojan.Clampi"), the plugin parses (details later) the "Software\Microsoft\Internet Explorer\Main" key. It was written by Harlan Carvey on 19/09/2009.

ie_settings: (NTUSER) the plugin reports the User Agent string used by IE when visiting sites and the ZoneSecurityUpgrade value inside the "Software\Microsoft\Windows\CurrentVersion\Internet Settings" key. Written by Harlan Carvey on 16/10/2009.

…