ZENA FORENSICS

In DFIR activities timelines are often determinant to understand what happened (lot of refs here ). Luckily Kristinn Gudjonsson provided the community with the great log2timeline tool ( here , from now l2t ) that, along with the invaluable Brian Carrier 's SleuthKit , gives a (temporal) order to chaos . But l2t is not currently considering valuable artifacts coming from wtmp / btmp files on Linux systems. wtmp (utmp? btmp!) For a rapid introduction to those files let's see what wikipedia says about them: " utmp, wtmp, btmp and variants such as utmpx, wtmpx and btmpx are files on Unix-like systems that keeps track of all logins and logouts to the system . The utmp file keeps track of the current login state of each user . The wtmp file records all logins and logouts history . The btmp file records failed login attempts . The utmp, wtmp and btmp files were never a part of any official Unix standard, such as Single UNIX Specificat

In the last case... I was feeling that some Internet Explorer artifacts were missing, so I decided to take a look at RegRipper plugins that parse the user registry NTUSER.DAT to see if they could help me. Honestly I have not a clear idea on where to search for a sign since I usually get information from IE cache files and not from registry. RegRipper IE plugins mini-survey Actually there exist 4 Internet Explorer plugins, being: ie_main: ( NTUSER ) despite the reported description in the source file header (" the plugin Checks keys/values set by new version of Trojan.Clampi ") the plugin parses (details later) the " Software\Microsoft\Internet Explorer\Main " key and it was written by Harlan Carvey at 19/09/2009. ie_settings: ( NTUSER ) the plugin reports the User Agent string used by IE when visiting sites and the ZoneSecurityUpgrade value inside the " Software\Microsoft\Windows\CurrentVersion\Inter