We are writing to announce that Registry Decoder 1.3 has been released. This release includes a bug fix for processing System Restore Points from disk images and also includes a number of new plugins from Kevin Moore. Listed below are the descriptions of the new plugins from Kevin:
Map Network Drives by Volume Letter - This is very similar to your Map Network Drives MRU script, but ties the volume letter from the NTUSER files to the UNC path.
MUICache - I updated the plugin you guys had to include entries in the USRClass files.
RecentDocs Ordered - This includes the MRUListEx ordering in the output.
SBP2 - This is basically the same as the USBSTOR script you guys had already created, but will parse entries for FireWire devices. The format and output is identical to the USBSTOR script.
ShellBagMRU - It does a lot of path resolution based on folder UUIDs. It also parses date values from Zip file subfolders, which are listed in plaintext in the entries in local system time.
ShellBags - I updated this one for the date values as well and made some other minor changes for consistency and cleanliness.
StreamMRU - These are in a very similar format to ShellBags and ShellBagMRU entries, so I created a parser for these as well. The output is basically a mix between the two previously mentioned.
SystemRun - I updated the system_run.py script to include some additional autorun values. I also changed the output a bit.
Windows Uninstall - This basically just parses the Windows Uninstall registry key values, which provide info on programs that have an uninstall application or feature. This is useful for identifying previously installed applications on a system that aren't listed elsewhere.
WinRAR Archive History - basically does what it says, parses the user registry file for information on recently mounted WinRAR files and their extraction location.
Obviously these plugins are very useful in a number of investigative scenarios, and we are very happy that Kevin has taken the time to develop and contribute them to Registry Decoder.
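As an added illustration of the MRU ordering that the RecentDocs Ordered plugin exposes, here is a small stand-alone parser. It is example code written for this post, not Registry Decoder's own code or Kevin's plugin, and it works on constructed value data rather than a real hive so it runs offline. The format facts it relies on are that MRUListEx is a run of little-endian DWORDs, most recently used first, terminated by 0xFFFFFFFF, and that each numbered RecentDocs value starts with a NUL-terminated UTF-16LE file name; the value names, file names and trailing bytes in SAMPLE_RECENTDOCS are made up for the example.

```python
from __future__ import annotations

import struct

# Constructed sample of what a RecentDocs key might hold (hypothetical data,
# not taken from any real system). Numbered values carry a UTF-16LE file name,
# a 2-byte NUL, then (in real data) a shell item we stand in for with a few
# arbitrary bytes. MRUListEx lists value indices, most recent first, ending
# in 0xFFFFFFFF. Index 7 has no matching value and value "3" is not listed,
# which are the two inconsistencies a parser has to cope with.
SAMPLE_RECENTDOCS: dict[str, bytes] = {
    "0": "budget.xlsx".encode("utf-16-le") + b"\x00\x00" + b"\x32\x00\x00\x00",
    "1": "report.docx".encode("utf-16-le") + b"\x00\x00" + b"\x00\x00",
    "2": "notes.txt".encode("utf-16-le") + b"\x00\x00",
    "3": "orphan.pdf".encode("utf-16-le") + b"\x00\x00",
    "MRUListEx": struct.pack("<5I", 2, 0, 1, 7, 0xFFFFFFFF),
}


def parse_mrulistex(raw: bytes) -> list[int]:
    """Decode an MRUListEx blob into value indices, most recent first.

    The blob is a sequence of little-endian DWORDs terminated by 0xFFFFFFFF.
    Trailing bytes that do not form a whole DWORD are ignored, and a blob
    without a terminator simply yields every index it contains.
    """
    order: list[int] = []
    usable = len(raw) - (len(raw) % 4)
    for offset in range(0, usable, 4):
        idx = struct.unpack_from("<I", raw, offset)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recentdoc_name(raw: bytes) -> str:
    """Return the leading NUL-terminated UTF-16LE file name of a RecentDocs value.

    The terminator is searched on 2-byte boundaries so a code unit such as
    0x0100 is not mistaken for the end of the string.
    """
    for i in range(0, len(raw) - 1, 2):
        if raw[i] == 0 and raw[i + 1] == 0:
            return raw[:i].decode("utf-16-le")
    # No terminator: decode what is there rather than dropping the entry.
    even = len(raw) - (len(raw) % 2)
    return raw[:even].decode("utf-16-le", errors="replace")


def ordered_recentdocs(values: dict[str, bytes]) -> list[tuple[int, str, str]]:
    """Return (mru_position, value_name, file_name) in most-recent-first order.

    Positions come from MRUListEx. Indices listed there with no matching value
    are skipped; numbered values that MRUListEx does not mention are appended
    with position -1 so they show up in the output instead of being lost.
    """
    order = parse_mrulistex(values.get("MRUListEx", b""))
    rows: list[tuple[int, str, str]] = []
    seen: set[str] = set()
    for position, idx in enumerate(order):
        name = str(idx)
        if name in values:
            rows.append((position, name, recentdoc_name(values[name])))
            seen.add(name)
    for name, data in values.items():
        if name != "MRUListEx" and name.isdigit() and name not in seen:
            rows.append((-1, name, recentdoc_name(data)))
    return rows


if __name__ == "__main__":
    for position, name, file_name in ordered_recentdocs(SAMPLE_RECENTDOCS):
        print(f"{position:>3}  value {name:>3}  {file_name}")
```

The same MRUListEx decoding applies to the other Explorer MRU keys (OpenSavePidlMRU, LastVisitedPidlMRU, the ShellBag MRU subkeys), only the per-value payload differs; the position -1 convention is a deliberate choice so that values left behind after Explorer rewrote the list are still reported rather than hidden.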
The new release can be downloaded from our Google Code downloads page. The filename is regdecoderR98.zip.
If you have any questions or comments about the new release please leave a comment on this post or reach us at registrydecoder [@] digdeeply.com
Also, we now offer Registry Decoder training: http://dfsforensics.blogspot.com/2012/06/announcing-registry-analysis-training.html. Please reach out to us with any questions or comments about the training.