Showing posts from April, 2012

A tale on RegRipper Plugins unnoticed

These last weeks... it came out that some RegRipper Plugins have errors and/or do not parse correctly (or at all) the desired keys. This fact should not be unexpected, since there exist many plugins (from far fewer contributors, unfortunately) and since they should work on XP, (S)Vista and 7 Windows OSes: errors are around the corner. What is really unexpected is the delay with which they were detected by the DFIR community (including me, of course). Let's start with the first case. This plugin "accesses the System hive file to get the contents of the TimeZoneInformation key", and it's one of the most important pieces of information I usually get from the System hive, since I need to understand when things happened. That's the output coming from version 20110901, executed on an XP system:

Launching timezone v.20110901
timezone v.20110901
(System) Get TimeZoneInformation key contents
TimeZoneInformation key
ControlSet001\Control

Recipe: EVTX, LogParser, Perl

A long time ago... It has been a long time since the last post, I must sadly admit that. I could argue with many good reasons for this silence, but it's better to avoid such useless, if reasonable, thoughts. I'll say just a couple of things: first, I'd like to share my 2 cents, so it was not a matter of will; second, it's not a matter of missing topics. But sharing is tiresome and laborious, especially when dealing with DFIR and writing in a different language (that could be easily spotted, couldn't it?). Finally, time scheduling for blogging got 0 slots, and this is the result. OK, let's keep in mind these golden thoughts and let's go (a little) further.

EVTX

As everybody knows, EVTX is the Windows Event Log file format used in Microsoft Windows OSes starting from Vista/2008 up to now. When dealing with Windows XP / 2003, the event log file format used was EVT. There exist on the Net enough resources describing these formats in (great?) detail. In the DFIR t