Showing posts from May, 2012

Exploring Internet Explorer with RegRipper

In the last case... I was feeling that some Internet Explorer artifacts were missing, so I decided to take a look at the RegRipper plugins that parse the user registry hive NTUSER.DAT to see if they could help me. Honestly, I do not have a clear idea of where to search for a sign, since I usually get information from IE cache files and not from the registry.

RegRipper IE plugins mini-survey

Actually there are 4 Internet Explorer plugins:

ie_main: (NTUSER) despite the reported description in the source file header ("the plugin Checks keys/values set by new version of Trojan.Clampi"), the plugin parses (details later) the "Software\Microsoft\Internet Explorer\Main" key, and it was written by Harlan Carvey on 19/09/2009.

ie_settings: (NTUSER) the plugin reports the User Agent string used by IE when visiting sites and the ZoneSecurityUpgrade value inside the "Software\Microsoft\Windows\CurrentVersion\Inter