Links and Stuff

The Forensic 4Cast Awards (live video-cast) were posted at the end of last week; a huge thanks to everyone who submitted nominations and voted, and thank you to those who voted for me in the Best Digital Forensics Blog and Best Digital Forensics Book categories! Watching the video, it looks as if Lee and Simon had a great deal of fun creating it, and I hope they follow it up next year! Maybe some folks can contribute prizes...nothing fancy, just something simple.

Over on the RegRipper forums, Ken Pryor had this to say about the recently released RipXP (quoted with permission):
I finally got time to try it out today and must say it's a brilliant piece of work. I have immediate use for RipXP for a case I'm working on. Harlan, I thank you for all you do for us. I would gladly pay for RegRipper and RipXP and I am very thankful you provide them. I haven't worked a case yet that RegRipper didn't play a part in and I expect RipXP will be much the same.

Thanks for the words, Ken!

James Macfarlane has released an update to the Parse::Win32Registry Perl module that is the basis for tools such as RegRipper and RipXP. The most notable change in this version of the module is the ability to extract and view security descriptor information (owner, group, SACL and DACL) for keys in NT-format hives.

James has also updated some of the scripts included with the module. Rather than trying to describe them in my own words, I'll use James':

regshell.pl is a new interactive console program for browsing registry files. It is a little simpler to use than regdump.pl as it provides tab completion if you have a functioning Term::ReadLine. It should work on Windows. (Note: ActiveState includes Term::ReadLine::Perl and Term::ReadLine::Zoid on Windows)

regview.pl has been improved to include searching and bookmarking.

regmultidiff.pl is a new console program for comparing multiple registry files. It improves on the old regdiff.pl by allowing the comparison of an unlimited number of registry files.

regcompare.pl is a new GTK+ program for comparing multiple registry files.

If you're using ActiveState's Perl on Windows, you can install this module via PPM:

C:\Perl>ppm install parse-win32registry

If you already have an earlier version installed (ie, v. 0.41 or earlier), upgrade it with ppm's upgrade command instead (PPM 4 only lists the available upgrade unless you add --install):

C:\Perl>ppm upgrade parse-win32registry
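To show what the new security descriptor support buys you in practice, here is a worked example. It is added here and is not code from the blog, from RegRipper, or from the Parse::Win32Registry distribution: it walks a hive with the module's object API (the method names are those documented for the 0.50 release, i.e. get_security, get_security_descriptor, get_dacl, get_list_of_aces, get_access_mask, get_trustee) and reports every key whose DACL grants write access to Everyone, Authenticated Users, Users or Anonymous. The access-mask bits and well-known SIDs are Windows' own (winnt.h / MS-DTYP); the hive path and the optional starting key passed on the command line are whatever you supply.

```perl
#!/usr/bin/perl
# Added example (not part of the blog post or of Parse::Win32Registry).
# Walks an NT-format hive (SYSTEM, SOFTWARE, NTUSER.DAT ...) and reports
# keys whose DACL lets a broad, low-privilege principal write to them.
# A writable key under ...\Services or ...\Run is a classic persistence
# and privilege-escalation vector, so this is a useful triage pass over
# an acquired hive.
use strict;
use warnings;
use Parse::Win32Registry;

# Access-mask bits (winnt.h) that confer some form of write access to a key.
use constant {
    KEY_SET_VALUE      => 0x00000002,
    KEY_CREATE_SUB_KEY => 0x00000004,
    WRITE_DAC          => 0x00040000,
    WRITE_OWNER        => 0x00080000,
    GENERIC_ALL        => 0x10000000,
    GENERIC_WRITE      => 0x40000000,
};
use constant WRITE_BITS => KEY_SET_VALUE | KEY_CREATE_SUB_KEY | WRITE_DAC
                         | WRITE_OWNER | GENERIC_ALL | GENERIC_WRITE;

# Well-known SIDs that any local or authenticated user matches.
my %BROAD_SID = (
    'S-1-1-0'      => 'Everyone',
    'S-1-5-7'      => 'Anonymous',
    'S-1-5-11'     => 'Authenticated Users',
    'S-1-5-32-545' => 'Users',
);

# Hypothetical usage: perl acl_audit.pl SYSTEM "ControlSet001\Services"
my $hive  = shift @ARGV or die "usage: $0 <hive file> [start key path]\n";
my $start = shift @ARGV;            # optional key path relative to the root

my $registry = Parse::Win32Registry->new($hive)
    or die "Could not open '$hive' as a registry file\n";
my $root = $registry->get_root_key
    or die "Could not locate the root key in '$hive'\n";
my $key = defined $start ? $root->get_subkey($start) : $root;
die "Key '$start' not found in '$hive'\n" unless defined $key;

my $found = walk($key);
print "$found key(s) writable by broad principals\n";

# Depth-first traversal; returns the number of keys flagged.
sub walk {
    my ($k) = @_;
    my $count = check_key($k) ? 1 : 0;
    $count += walk($_) for $k->get_list_of_subkeys;
    return $count;
}

# Prints and returns true if an ACCESS_ALLOWED ACE in the key's DACL grants
# write bits to one of the broad SIDs, or if the key has no DACL at all
# (Windows treats a NULL DACL as granting everyone full access).
sub check_key {
    my ($k) = @_;
    return 0 unless $k->can('get_security');    # Win95-format keys have none
    my $security = $k->get_security;
    return 0 unless defined $security;
    my $sd = $security->get_security_descriptor;
    return 0 unless defined $sd;

    my $dacl = $sd->get_dacl;
    if (!defined $dacl) {
        printf "%s  [NULL DACL - unrestricted]  last written %s\n",
            $k->get_path, $k->get_timestamp_as_string;
        return 1;
    }

    my @hits;
    for my $ace ($dacl->get_list_of_aces) {
        next unless $ace->get_type == 0;        # 0 = ACCESS_ALLOWED_ACE_TYPE
        my $sid  = $ace->get_trustee->as_string;
        my $mask = $ace->get_access_mask;
        next unless exists $BROAD_SID{$sid} && ($mask & WRITE_BITS);
        push @hits, sprintf "%s(0x%08x)", $BROAD_SID{$sid}, $mask;
    }
    return 0 unless @hits;

    printf "%s  [%s]  last written %s\n",
        $k->get_path, join(', ', @hits), $k->get_timestamp_as_string;
    return 1;
}
```

Run it against a SYSTEM hive with a start path such as ControlSet001\Services rather than from the root; a full SOFTWARE hive walk is slow and most of the noise is in keys that are intended to be user-writable. Only ACCESS_ALLOWED ACEs are considered, so a key that grants Everyone write access but also carries an ACCESS_DENIED ACE for the same trustee will still be reported; check the full descriptor (the module's as_stanza output is handy) before drawing conclusions. The key's last-write timestamp is printed alongside each hit because a recently modified, broadly writable key is exactly the sort of thing you want to chase in a timeline.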

I have to say, from my perspective, James has made a HUGE contribution to the forensic community! Many, many thanks, James!

Speaking of tool releases, Paraben has released their P2 eXplorer image mounting tool for free! You can download the demo, but you have to "purchase" the free product (and yes, submit a credit card number); once you receive the registration key, you can activate the full features of the product. I've played with it a little bit, and I think that having access to tools like this, which provide a single needed function at a reasonable price point (free, in this case), can really do a lot for the community. The interface isn't entirely intuitive (who uses A:\ and B:\ any more??), and the only other things I really don't like are the rotating banner ads for other Paraben products in the right-hand pane, and the inability to completely disable the generation of MD5 hashes for images that are mounted/unmounted...I'd rather see something more obvious in the tool about read-only functionality. A tool used on evidence should make it unmistakable that the image is attached read-only, since a write-through mount changes the hash of the evidence file and with it your ability to tie the mounted copy back to the verified acquisition. P2X does generate a log of activity, so that's nice to have and include in your case notes. All in all, a good, commercial-grade replacement for ImDisk and VDKWin. P2X also allows you to mount image formats other than raw, dd-style images, such as EnCase, SMART and SafeBack.

If you use Volatility (if you don't...why not!?!), then you really need to take a look at some of the new plugins posted by Michael Hale Ligh. Some look like they'd be extremely helpful in detecting malicious goings-on...very cool, and thanks to MHL!