Thursday, August 16, 2012

Registry Decoder 1.4 Released and Updated Registry Decoder Live

Hello,

We are writing to announce updates to both Registry Decoder and Registry Decoder Live.

Registry Decoder, now version 1.4, has a number of enhancements, usability improvements, and updates to existing plugins. These include:
  • Diffing enhancements:
    • The ability to export diffs from both search and plugins
    • Diff exports now include the matching entries
    • Diff tabs have a color legend to explain the diffs
  • All reporting fields add default file extensions if not provided by the user
  • The 'value' of a registry 'name' is now added in search results
  • Fixed a bug where the same entry could appear multiple times in search results
  • Updates to the StreamMRU, ShellBags, ShellBagsMRU, and RecentDocsOrdered plugins by Kevin Moore
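The diffing and export behaviour listed above, as an added example that is not Registry Decoder's own code: it compares the values under the same keys in two acquired hives, classifies each entry the way a diff tab's colour legend would, and exports the result as CSV with the matching entries included. The hive contents, key paths and value names are constructed sample data.

```python
"""Added example (not Registry Decoder's own code): classify registry
values from two hives as same/added/removed/changed and export them as
CSV, keeping the matching entries and appending the legend."""
import csv
import io

RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
MRU = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed sample data: (key path, value name) -> value data, standing in
# for the same hive acquired at two points in time.
HIVE_A = {
    (RUN, "OneDrive"): r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    (RUN, "Updater"): r"C:\Program Files\Vendor\updater.exe",
    (MRU, "a"): "notepad",
}
HIVE_B = {
    (RUN, "OneDrive"): r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    (RUN, "Updater"): r"C:\Users\alice\AppData\Roaming\updater.exe",
    (MRU, "b"): "cmd",
}

# The legend a diff tab would show; the same labels go into the export so the
# CSV can be read without the GUI.
LEGEND = {
    "same": "entry present in both hives with identical data",
    "added": "entry present only in the second hive",
    "removed": "entry present only in the first hive",
    "changed": "entry present in both hives with different data",
}


def diff_hives(first, second):
    """Return one row per (key, value name) seen in either hive."""
    rows = []
    for key in sorted(set(first) | set(second)):
        a, b = first.get(key), second.get(key)
        if a is None:
            status = "added"
        elif b is None:
            status = "removed"
        elif a == b:
            status = "same"
        else:
            status = "changed"
        rows.append({"status": status, "key": key[0], "name": key[1],
                     "first": a or "", "second": b or ""})
    return rows


def export_csv(rows, include_matching=True):
    """Render the diff as CSV text; matching entries are kept by default."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["status", "key", "name", "first_hive", "second_hive"])
    for r in rows:
        if not include_matching and r["status"] == "same":
            continue
        writer.writerow([r["status"], r["key"], r["name"], r["first"], r["second"]])
    writer.writerow([])                      # blank line before the legend
    for status, meaning in LEGEND.items():
        writer.writerow([status, meaning])
    return buf.getvalue()


def summarize(rows):
    """Count rows per legend category."""
    counts = {status: 0 for status in LEGEND}
    for r in rows:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    result = diff_hives(HIVE_A, HIVE_B)
    print(summarize(result))
    print(export_csv(result))
```

The changed Run value (the same value name now pointing at a per-user path) is the kind of entry an examiner wants to see next to the unchanged ones, which is why the export keeps the "same" rows rather than only the differences.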
Registry Decoder Live had two changes. First, a warning pop-up will now appear if the tool is not run as Administrator on Windows 7 and Vista machines. Second, we no longer create System Restore Points in order to access the currently active hives. Instead, all processing is now done on the running raw disk using libraries from the Sleuthkit. This ensures that no permissions errors will be encountered and that we can read any locked files.

The new files can be downloaded from the downloads pages per project:

Registry Decoder
Registry Decoder Live

On a side note, it was very exciting to see nearly 50 people using Registry Decoder at once during the workshop at DFRWS. We appreciate all the feedback we received from this workshop, and have already incorporated many of the fixes into this release. We have also slotted some of the bigger fixes suggested into future releases.

Also, Harlan Carvey has been doing some extensive research into ShellBags, and has chronicled his efforts so far in two excellent blog posts (here and here). These are well worthwhile reads for anyone using ShellBags in their own investigations (which you should be!).

If you have any questions or comments, please reply in the comments section or Email us at: registrydecoder [@] digdeeply.com


Friday, June 29, 2012

Registry Decoder 1.3 released!

Hello,

We are writing to announce that Registry Decoder 1.3 has been released. This release includes a bug fix related to processing System Restore Points out of disk images and also includes a number of new plugins from Kevin Moore. Listed below are the descriptions of the new plugins from Kevin:

Map Network Drives by Volume Letter - This is very similar to your Map Network Drives MRU script, but ties the volume letter from the NTUSER files to the UNC path.

MUICache - I updated the plugin you guys had to include entries in the USRClass files

RecentDocs Ordered - This includes the MRUListEx ordering in the output.

SBP2 - This is basically the same as the USBSTOR script you guys had already created, but will parse entries for FireWire devices. The format and output is identical to the USBSTOR script.

ShellBagMRU - It does a lot of path resolution based on folder UUIDs. It also parses date values from Zip file subfolders, which are listed in plaintext in the entries in local system time.

ShellBags - I updated this one for the date values as well and made some other minor changes for consistency and cleanliness.

StreamMRU - These are in a very similar format to ShellBags and ShellBagMRU entries, so I created a parser for these as well. The output is basically a mix between the two previously mentioned.

SystemRun - I updated the system_run.py script to include some additional autorun values. I also changed the output a bit.

Windows Uninstall - this basically just parses the Windows Uninstall registry key values which provide info on programs that have an uninstall application or feature. This is useful for identifying previously installed applications on a system that aren't listed elsewhere.

WinRAR Archive History - basically does what it says, parses the user registry file for information on recently mounted WinRAR files and their extraction location.

Obviously these plugins are very useful in a number of investigative scenarios and we are very happy that Kevin has taken his time to develop and contribute them to Registry Decoder.

The new release can be downloaded from our Google Code downloads page. The filename is regdecoderR98.zip.

If you have any questions or comments about the new release please leave a comment on this post or reach us at registrydecoder [@] digdeeply.com

Also, we are now offering Registry Decoder training: http://dfsforensics.blogspot.com/2012/06/announcing-registry-analysis-training.html. Please reach out to us with any questions or comments on the training.


Tuesday, June 26, 2012

Announcing Registry Analysis Training with Registry Decoder


Digital Forensics Solutions is now offering in-depth Registry Analysis training with an emphasis on hands-on practical tutorials. Participants can attend online or in the classroom. The class is designed to guide practitioners through the step-by-step examination of the Windows registry. The sessions are developed to make the most of the Registry Decoder, an open source forensics application designed for the acquisition and analysis of registry files from any computer running Windows XP through 7.

Registry Decoder consists of two components: a tool for online acquisition of registry files from a running machine and a tool for offline analysis of acquired registry files. Using these, investigators can quickly collect data and perform efficient, accurate analysis of information stored in the Registry.

Registry data is proving particularly useful for malware analysis, detecting data exfiltration, and reconstructing user behavior on and between computers.

The class will be offered both online and in person near New Orleans, LA, and will be taught by Registry Decoder co-developer Lodovico Marziale and Senior Security Researcher Joe Sylve (@jtsylve).

Sessions are currently scheduled for August 16, 2012 and September 20, 2012.

For more information about training download the flyer or contact info@digdeeply.com.

Sunday, June 24, 2012

LiME 1.1 Released

We are pleased to announce the release of LiME Forensics 1.1.

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

LiME 1.1 now supports three different output formats, including a new LiME format, which works with the new LiME address space that was recently added to the Linux version of Volatility. The LiME format allows you to create compact RAM images that contain information about the physical RAM's layout. No more padding your images to fill the entire 4GB address space range just because your 256MB of RAM is mapped at a high address! The new LiME format allows easier analysis with Volatility, and we're hoping other tools will adopt the format as well.
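To show what "compact image with the RAM layout inside it" means in practice, here is an added example that is not LiME's or Volatility's code. It writes and reads back the LiME range format as I know it from the project's public documentation (each range is preceded by a 32-byte little-endian header: magic 0x4C694D45, version 1, inclusive start and end physical address, 8 reserved bytes, followed by only that range's bytes); verify the layout against the LiME version you use. The two-range memory layout is constructed sample data, and the address-to-offset lookup is the kind of translation a LiME address space has to perform.

```python
"""Added example (not LiME's or Volatility's own code): build and parse a
LiME-format image and translate physical addresses to file offsets."""
import struct

LIME_MAGIC = 0x4C694D45      # reads as the bytes "EMiL" in a hex dump
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved


def build_lime_image(ranges):
    """ranges: list of (start_addr, data). One header per range, no padding
    between ranges, so holes in physical memory cost nothing on disk."""
    out = bytearray()
    for start, data in ranges:
        end = start + len(data) - 1             # e_addr is inclusive
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += data
    return bytes(out)


def parse_lime(image):
    """Walk the headers and return [(start, end, file_offset_of_data)]."""
    segments, off = [], 0
    while off < len(image):
        if off + HEADER.size > len(image):
            raise ValueError(f"truncated header at offset {off}")
        magic, version, start, end, _ = HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError(f"not a LiME v1 header at offset {off}")
        if end < start:
            raise ValueError(f"range end before start at offset {off}")
        length = end - start + 1
        data_off = off + HEADER.size
        if data_off + length > len(image):
            raise ValueError(f"range at offset {off} runs past end of image")
        segments.append((start, end, data_off))
        off = data_off + length
    return segments


def phys_to_offset(segments, paddr):
    """File offset holding physical address paddr, or None if it is a hole."""
    for start, end, data_off in segments:
        if start <= paddr <= end:
            return data_off + (paddr - start)
    return None


def read_phys(image, segments, paddr, n):
    """Read n bytes starting at a physical address (must be inside one range)."""
    off = phys_to_offset(segments, paddr)
    if off is None:
        raise ValueError(f"physical address {paddr:#x} is not in the image")
    return image[off:off + n]


def padded_size(ranges):
    """Bytes a flat raw dump would need to reach the highest mapped address."""
    return max(start + len(data) for start, data in ranges)


# Constructed layout: 4 KiB of RAM at 0x1000 and 64 KiB mapped up at 3 GiB,
# with nothing in between (the situation the post describes, scaled down).
LOW = (0x1000, bytes(range(256)) * 16)
HIGH = (0xC000_0000, b"\xAB" * 65536)
SAMPLE_IMAGE = build_lime_image([LOW, HIGH])

if __name__ == "__main__":
    segs = parse_lime(SAMPLE_IMAGE)
    for start, end, data_off in segs:
        print(f"{start:#012x}-{end:#012x} at file offset {data_off}")
    print(f"LiME image: {len(SAMPLE_IMAGE)} bytes; "
          f"flat raw dump would need {padded_size([LOW, HIGH])} bytes")
```

The parser refuses a header with the wrong magic or version and a range that runs past the end of the file, which is how a truncated or partially transferred network capture shows up; an analysis tool that silently accepted it would report addresses that were never captured.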

Head over to our Google Code page to download LiME 1.1!

Senior Security Researcher Joe Sylve (@jtsylve) will be giving a presentation about LiME and Android Memory Analysis with Volatility at the SANS Digital Forensics and Incident Response Summit on Tuesday, June 26, 2012. If you're attending, we'd love to meet you and hear what you think about LiME.

Friday, May 18, 2012

Registry Decoder nominated for a Forensics 4cast award!


Digital Forensics Solutions is pleased to announce that Registry Decoder has been nominated in the category of “Computer Forensic Software Tool of the Year” for the 2012 Forensic4cast Awards. These awards are the closest that the forensics community has to the Pwnie awards, and are a great honor for the receiving parties. If you are a Registry Decoder user and the tool has been beneficial to you, we are asking that you take a minute and vote for us. You can also help by spreading the word of our nomination on Twitter, LinkedIn, Google+, and other social media outlets. We have put much effort into the research and development of the tool, and we take the wide adoption by the community as a sign that the effort has been worth it. A good showing at the 4cast awards would solidify these beliefs, and would be a great achievement for us.


Wednesday, April 18, 2012

Announcing LiME Forensics

Digital Forensics Solutions is pleased to announce LiME Forensics.

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

LiME was first announced at ShmooCon 2012. Slides from that presentation are available here.

LiME source code and documentation is freely available for download from our Google Code page: http://code.google.com/p/lime-forensics/

In an interview with Linux.com, Senior Security Researcher, Joe Sylve (@jtsylve), explains what LiME is and a little about its background.

Thursday, February 2, 2012

Registry Decoder Bug Fix Release

Registry Decoder 1.2, SVN revision 96, has just been released! As usual, it can be downloaded from the Google Code repository:

http://code.google.com/p/registrydecoder/downloads/list

We recommend that all Registry Decoder users upgrade as the following bugs are fixed:

1) Application hang if start/end filtering dates are entered with certain invalid input
2) Mactime timelining format fix
3) Changed confusing timezone output for browsing, searching, and reports
4) Tabs generated from differencing operations can be closed by the user

We also have two new features:
1) Comma separated value (CSV) report format
2) Timeline data can be written directly to Excel (tab separated)
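The timeline-related fixes and features above (mactime format, timezone output, and tab-separated timeline export), as an added example that is not Registry Decoder's own code: it converts registry key last-write times from Windows FILETIME to Unix seconds, emits them as TSK body-format lines for mactime and as a tab-separated timeline, and renders every timestamp explicitly in UTC so the reader is never left guessing which zone applies. The key paths and FILETIME values are constructed sample data.

```python
"""Added example (not Registry Decoder's own code): registry last-write
timestamps to mactime body format and to a tab-separated UTC timeline."""
from datetime import datetime, timezone

# FILETIME counts 100 ns intervals since 1601-01-01 UTC; this is how many of
# those intervals separate that origin from the Unix epoch (1970-01-01 UTC).
EPOCH_DELTA = 116444736000000000


def filetime_to_epoch(ft):
    """Convert a FILETIME (as stored in a hive's key cells) to Unix seconds.
    Sub-second precision is dropped, which is what body format expects."""
    if ft < EPOCH_DELTA:
        raise ValueError("FILETIME predates the Unix epoch")
    return (ft - EPOCH_DELTA) // 10_000_000


def mactime_body_line(path, last_write_ft):
    """One TSK 3.x body-format line:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    A registry key carries only a last-write time, so it goes in mtime and
    the other three timestamps stay 0 (mactime treats 0 as 'unset')."""
    mtime = filetime_to_epoch(last_write_ft)
    return f"0|{path}|0|0|0|0|0|0|{mtime}|0|0"


def tsv_line(path, last_write_ft):
    """Tab-separated line with the time spelled out as UTC."""
    when = datetime.fromtimestamp(filetime_to_epoch(last_write_ft), tz=timezone.utc)
    return f"{when.strftime('%Y-%m-%d %H:%M:%S')} UTC\t{path}"


def build_timeline(keys, fmt="body"):
    """Render (path, FILETIME) pairs in chronological order."""
    render = mactime_body_line if fmt == "body" else tsv_line
    ordered = sorted(keys, key=lambda k: k[1])
    return [render(path, ft) for path, ft in ordered]


# Constructed sample keys. The FILETIME values correspond to
# 2012-02-01 00:00:00, 2012-02-02 00:00:00 and 2012-02-02 01:00:00 UTC.
SAMPLE_KEYS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 129726180000000000),
    (r"HKLM\SYSTEM\ControlSet001\Services\Tcpip", 129725280000000000),
    (r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     129726144000000000),
]

if __name__ == "__main__":
    for line in build_timeline(SAMPLE_KEYS, "body"):
        print(line)
    for line in build_timeline(SAMPLE_KEYS, "tsv"):
        print(line)
```

The body-format lines can be piped straight into mactime; the tab-separated lines open in a spreadsheet as two columns. Keeping the conversion in one function, with UTC spelled out in the text output, is what removes the kind of timezone confusion the bug fix above refers to.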

If you have sent us a bug report since version 1.1 you should receive an email this morning with confirmation that the issue was fixed. Please write back if you do not receive one of these emails.