Wednesday, November 2, 2011

Registry Decoder 1.1 Released!

Digital Forensics Solutions is announcing the release of Registry Decoder 1.1, which has many completely new features and updates as well as bugfixes!  Please see our previous blog post here for the initial release of Registry Decoder.

New Features include:

- Support for processing Encase (E01) files and split images
- Full wildcard searching
- Adding evidence after a case is created
- Exporting of paths and their key/value pairs
- Timelining of keys from the GUI into the Sleuthkit format
- Running plugins from the command line
- Running custom plugins outside the main executable/package
- Support for dual boot machines

Updates include:

- Reports now have their extension appended if the user doesn't enter them
- Reports can now be filtered by either deleting results or shift/ctrl selecting results
- Users can right click within the Browse View to search directly for paths
- The name/value box in the Browse View is now sortable
- We also have six new plugins from Kevin Moore of CERT!

Major changes since 1.0:

BROKEN BACKWARDS COMPATIBILITY
All evidence created by version 1.0 of the online tool (regdecoderlive) and cases created by previous versions of the offline tool WILL NOT BE compatible with version 1.1
 
We regret that we had to break compatibility with version 1.0 (and it won't happen again!), but the changes were significant and handling old data structures and databases would have required very ugly special-casing within the handling code.

The date format to filter searches has been changed to “yyyy/mm/dd” from “mm/dd/yyyy” so that dates can be directly copied & pasted from plugin and search outputs as well as from the Browse View.

Current Plans for Registry Decoder:

Registry Decoder version 1.1 currently has a “feature freeze” while we let the forensics community react to and provide feedback on the new features.  The only development that will continue is that of plugins, since they do not require any core changes or enhancements.

Plugin Development:

With this release, we are also releasing our official API documentation. The API is meant to be usable even by non-programmers, and many of our plugins are less than 10 lines of Python code.  The latest version of the API can be found in the downloads section of Registry Decoder.
We also want to concentrate on reaching out to other practitioners and research groups (both professional and academic) in an attempt to proliferate Registry Decoder throughout these communities.  We would appreciate any plugins contributed by these communities.

Existing plugins can be found in templates/template_files within the source code tree or can be viewed online at:


To make development easier, we have created the ability to run plugins from outside the core plugins directory as well as from the command line. Full details of how to accomplish this are explained in the plugins API documentation.

Mailing List:

We have created a mailing list for future updates, announcements, and ongoing discussion of the project. Please join the list http://groups.google.com/group/registry-decoder/ if you are interested.

Training:

We are now offering Registry Decoder training to all interested parties. Please see our training page for details and contact information.

Downloads and Instructions:

As always, the two tools, as well as their instructions, can be found on their respective Google code projects http://code.google.com/p/registrydecoder/ and http://code.google.com/p/regdecoderlive/.

Before ending this post, we would like to thank a few people who helped make this release a success.  In no particular order... Tim Morgan, the author of reglookup, who helped us troubleshoot a few issues we had with the library; Michael Cohen, the author of pytsk, who helped develop in-library support for Encase and split images; and Kevin Moore of CERT, as he contributed a number of complex plugins to the project.

We would also like to thank all the beta testers that sent bug reports and feedback.

If you have any questions or comments, please either leave a comment on the blog or email registrydecoder@digdeeply.com
