Showing posts from April, 2012

A tale on RegRipper Plugins unnoticed

Last weeks... it cames out that some RegRipper Plugins have errors and/or do not parse correctly/at all the desired keys. This fact should not be unexpected since there exist many plugins (from far less many contributors, unfortunately) and since they should work on xp-(s)vista-7 Windows OSes: errors are around the corner. What is really unexpected is the delaywithwhich they weredetected by the DFIR community (included me, of course). Let's start with the first case.
This plugin "accesses the System hive file to get the contents of the TimeZoneInformation key", and it's one of the first-most important information I usually get from the System hive, since I need to understand when things happened. That's the output coming from version 20110901, executed on a XP system:
Launching timezone v.20110901
timezone v.20110901
(System) Get TimeZoneInformation key contents

TimeZoneInformation key
LastWrite Time Mon Mar 28 08:…

Recipe: EVTX, LogParser, Perl

A long time ago...
It has been a long time since last post, I must sadly admit that. I could argue with many good reasons for this silence, but it's better to avoid useless-reasonable thoughts. I'll say just a couple of things: first, I'd like to share my 2cents so it was not a matter of will; secondarily it's not a matter of missing topics. But sharing is tiresome and labored especially when dealing with DFIR and using a different language (that could be easily spotted, couldn't it?). Finally time scheduling for blogging got 0 slots, and this is the result. OK, let's keep in mind these gold thoughts and let's go (a little) further.
EVTXAs everybody knows, the EVTX is the Windows Event Log File format used in Microsoft Windows OSes starting from Vista/2008 up to now. When facing with Windows XP / 2003, the event log file format used was EVT. There exist on the Net enough resources describing in (great?) details these formats. In the DFIR the EVTX files co…