Friday, June 29, 2012

Registry Decoder 1.3 released!

Hello,

We are writing to announce that Registry Decoder 1.3 has been released. This release includes a bug fix related to processing System Restore Points from disk images and a number of new plugins contributed by Kevin Moore. Kevin's own descriptions of the new plugins are listed below:

Map Network Drives by Volume Letter - This is very similar to your Map Network Drives MRU script, but ties the volume letter from the NTUSER files to the UNC path.

MUICache - I updated the plugin you guys had to include entries in the USRClass files.

RecentDocs Ordered - This includes the MRUListEx ordering in the output.

SBP2 - This is basically the same as the USBSTOR script you guys had already created, but will parse entries for FireWire devices. The format and output is identical to the USBSTOR script.

ShellBagMRU - It does a lot of path resolution based on folder UUIDs. It also parses date values from Zip file subfolders, which are listed in plaintext in the entries in local system time.

ShellBags - I updated this one for the date values as well and made some other minor changes for consistency and cleanliness.

StreamMRU - These are very similar format to ShellBags and ShellBagMRU entries, so I created a parser for these as well. The output is basically a mix between the two previously mentioned.

SystemRun - I updated the system_run.py script to include some additional autorun values. I also changed the output a bit.

Windows Uninstall - This basically just parses the Windows Uninstall registry key values which provide info on programs that have an uninstall application or feature. This is useful for identifying previously installed applications on a system that aren't listed elsewhere.

WinRAR Archive History - basically does what it says, parses the user registry file for information on recently mounted WinRAR files and their extraction location.

Obviously these plugins are very useful in a number of investigative scenarios and we are very happy that Kevin has taken his time to develop and contribute them to Registry Decoder.
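As an added illustration of the ordering that the RecentDocs Ordered plugin description above refers to, here is a small parser written for this page. It is example code, not Kevin's plugin and not Registry Decoder's own code. It assumes the generally documented layouts: MRUListEx is a REG_BINARY of little-endian DWORD entry indices, most recent first, terminated by 0xFFFFFFFF, and each numbered RecentDocs value begins with the UTF-16LE document name followed by a shell item. The key contents below are constructed for the example.

```python
import struct

# Constructed stand-in for a RecentDocs key as read from NTUSER.DAT:
# numbered REG_BINARY values plus the MRUListEx ordering value.
# The names and bytes here are made up for illustration.

def make_recent_doc(name: str) -> bytes:
    # Real RecentDocs values start with the UTF-16LE name, NUL-terminated,
    # followed by a shell item (link name). A dummy tail stands in for it here.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00dummy-shell-item"

SAMPLE_RECENT_DOCS = {
    "0": make_recent_doc("budget.xlsx"),
    "1": make_recent_doc("report.docx"),
    "2": make_recent_doc("notes.txt"),
    # MRUListEx: little-endian DWORD indices, most recent first, 0xFFFFFFFF terminator
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}

def parse_mrulistex(data: bytes) -> list:
    """Decode an MRUListEx value into the ordered list of entry indices."""
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:   # terminator
            break
        order.append(idx)
    return order

def recent_doc_name(data: bytes) -> str:
    """Return the UTF-16LE document name at the start of a RecentDocs value."""
    # Look for the UTF-16 NUL terminator on an even (code unit) boundary.
    for i in range(0, len(data) - 1, 2):
        if data[i] == 0 and data[i + 1] == 0:
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")

def ordered_recent_docs(key_values: dict) -> list:
    """Return (mru_position, entry_index, name) rows; position 0 is most recent."""
    order = parse_mrulistex(key_values["MRUListEx"])
    rows = []
    for pos, idx in enumerate(order):
        raw = key_values.get(str(idx))
        if raw is None:
            # MRUListEx references an index with no value: report it rather than crash.
            rows.append((pos, idx, "<missing value>"))
            continue
        rows.append((pos, idx, recent_doc_name(raw)))
    return rows

if __name__ == "__main__":
    print("pos\tidx\tname")
    for pos, idx, name in ordered_recent_docs(SAMPLE_RECENT_DOCS):
        print(f"{pos}\t{idx}\t{name}")
```

Without the MRUListEx ordering the three values would be reported in value-name order (0, 1, 2); with it the output shows that entry 1 was opened most recently and entry 0 least recently, which is what the ordered plugin adds to the timeline.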

The new release can be downloaded from our Google Code downloads page. The filename is regdecoderR98.zip.

If you have any questions or comments about the new release please leave a comment on this post or reach us at registrydecoder [@] digdeeply.com

Also, we now offer Registry Decoder training: http://dfsforensics.blogspot.com/2012/06/announcing-registry-analysis-training.html. Please reach out to us with any questions or comments on the training.


Tuesday, June 26, 2012

Announcing Registry Analysis Training with Registry Decoder


Digital Forensics Solutions is now offering in-depth Registry Analysis training with an emphasis on hands-on practical tutorials. Participants can attend online or in the classroom. The class is designed to guide practitioners through the step-by-step examination of the Windows registry. The sessions are built around Registry Decoder, an open source forensics application designed for the acquisition and analysis of registry files from any computer running Windows XP through 7.

Registry Decoder consists of two components: a tool for online acquisition of registry files from a running machine and a tool for offline analysis of acquired registry files. Using these, investigators can quickly collect data and perform efficient, accurate analysis of information stored in the Registry.

Registry data is proving particularly useful for malware analysis, detecting data exfiltration, and reconstructing user behavior on and between computers.

The class will be offered both online and in person near New Orleans, LA, and will be taught by Registry Decoder co-developer Lodovico Marziale and Senior Security Researcher Joe Sylve (@jtsylve).

Sessions are currently scheduled for August 16, 2012 and September 20, 2012.

For more information about training download the flyer or contact info@digdeeply.com.


Sunday, June 24, 2012

LiME 1.1 Released

We are pleased to announce the release of LiME Forensics 1.1.

LiME (formerly DMD) is a Loadable Kernel Module (LKM) which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes interaction between user space and kernel space during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

LiME 1.1 now supports three different output formats, including a new LiME format, which works with the new LiME address space that was recently added to the Linux version of Volatility. The LiME format allows you to create compact RAM images which contain information about the physical RAM's layout. No more padding your images to fill the entire 4GB address space range just because your 256MB of RAM is mapped at a high address! The new LiME format allows easier analysis with Volatility, and we're hoping other tools will adopt the format as well.
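To make the "compact image with layout information" idea concrete, here is an added example, written for this page and not taken from LiME or Volatility, that builds a segmented image, walks its headers, and translates a physical address to a file offset the way an address space plugin must. The 32-byte per-range header it uses (magic 0x4C694D45, version 1, inclusive start and end physical addresses, 8 reserved bytes, all little-endian) is this example's assumption about the LiME layout; the post above does not spell it out, so check it against the released tool before relying on it. The RAM ranges are constructed and scaled down.

```python
import struct

# Per-range header layout assumed by this example (not specified in the post):
# magic "LiME" packed as a little-endian DWORD, version, inclusive start and end
# physical addresses as 64-bit values, then 8 reserved bytes. 32 bytes total.
LIME_MAGIC = 0x4C694D45
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")

def build_lime_image(ranges):
    """Serialise [(start, end_inclusive, data_bytes)] into one segmented image."""
    out = bytearray()
    for start, end, data in ranges:
        if len(data) != end - start + 1:
            raise ValueError(f"range {start:#x}-{end:#x} has wrong data length")
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\x00" * 8)
        out += data
    return bytes(out)

def parse_lime_image(image):
    """Walk the headers; return [(start, end, file_offset_of_range_data)]."""
    segments = []
    off = 0
    while off < len(image):
        if len(image) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, start, end, _reserved = HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {off:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported version {version}")
        if end < start:
            raise ValueError(f"range end {end:#x} precedes start {start:#x}")
        off += HEADER.size
        length = end - start + 1
        if off + length > len(image):
            raise ValueError(f"range {start:#x}-{end:#x} data is truncated")
        segments.append((start, end, off))
        off += length
    return segments

def phys_to_offset(segments, paddr):
    """Map a physical address to its file offset, or None if no range backs it."""
    for start, end, data_off in segments:
        if start <= paddr <= end:
            return data_off + (paddr - start)
    return None

def padded_raw_size(segments):
    """Size a flat raw dump needs to cover the same ranges, holes padded with zeros."""
    return max(end for _, end, _ in segments) + 1

# Constructed layout: a small range near zero and a second range mapped high.
# Real devices have ranges in the MB to GB region; the shape is what matters.
SAMPLE_RANGES = [
    (0x0000, 0x0FFF, bytes(range(256)) * 16),   # 4 KiB at physical 0
    (0x100000, 0x1007FF, b"\xAB" * 0x800),      # 2 KiB mapped at 1 MiB
]
SAMPLE_IMAGE = build_lime_image(SAMPLE_RANGES)

if __name__ == "__main__":
    segs = parse_lime_image(SAMPLE_IMAGE)
    print("segmented image size:", len(SAMPLE_IMAGE))
    print("equivalent padded raw size:", padded_raw_size(segs))
    print("phys 0x100010 -> file offset", phys_to_offset(segs, 0x100010))
    print("phys 0x80000 (hole) ->", phys_to_offset(segs, 0x80000))
```

Two things the flat raw format cannot express fall out of this: the hole between the ranges costs no disk space (6 KiB of data plus two headers instead of a 1 MiB padded file), and a read into the hole returns None instead of fabricated zeros, so an analysis tool can distinguish "unmapped" from "mapped and zero". The parser also refuses truncated data rather than silently shortening the last range, which is the failure mode you want to see during acquisition over a flaky network link rather than at analysis time.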

Head over to our Google Code page to download LiME 1.1!

Senior Security Researcher, Joe Sylve (@jtsylve), will be giving a presentation about LiME and Android Memory Analysis with Volatility at the SANS Digital Forensics and Incident Response Summit on Tuesday, June 26, 2012.  If you're attending, we'd love to meet you and hear what you think about LiME.