Linkz
Analysis
This post from the Digital Detective site discusses how to manually identify the time zone of a system from the image. This information is maintained in the Registry, and RegRipper has a plugin for this (as part of the default distro).
Plugins
I saw this post recently on the SANS ISC blog, which has to do with software restriction policies on a system. I thought...hey, that's pretty cool, AND there's a Registry key listed. From there it was a simple matter to research the MS site and see what other information I could find, and I began to see the possible value of the data derived from the DefaultLevel value (called a "key" in the blog post) to an analyst. In a matter of minutes, I had a functioning RegRipper plugin.
Interestingly enough, the more I research this, the more I see the CodeIdentifiers key being of some level of importance, not only to forensic analysts, but also to system administrators. After all, if it weren't, why would so many bits of malware be modifying or deleting entries beneath this key?
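To show what an analyst can pull from the CodeIdentifiers key, here is an added example (not the RegRipper plugin described above, and not code from this blog) that parses a `reg export` of HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, decodes DefaultLevel using the SAFER_LEVELID_* constants from winsafer.h, lists the path rules beneath the per-level subkeys, and flags states a reviewer would want to notice, such as TransparentEnabled set to 0 or an Unrestricted default with no rules at all. A RegRipper plugin reads the hive file directly; the .reg text parsed here is a constructed sample standing in for that, and the rule GUID in it is made up.

```python
import re

# Safer level ids from winsafer.h (SAFER_LEVELID_*); DefaultLevel holds one of these as a DWORD.
SAFER_LEVELS = {
    0x00000: "Disallowed",
    0x01000: "Untrusted",
    0x10000: "Constrained (Basic User)",
    0x20000: "Normal User",
    0x40000: "Unrestricted",
}

CODEIDENTIFIERS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# Constructed sample of a `reg export` of the key (not a real capture; the GUID is invented).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001
"ExecutableTypes"=hex(7):41,00,44,00,45,00,00,00,42,00,41,00,54,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{5e0c12f4-0000-0000-0000-000000000001}]
"ItemData"="C:\\Users\\*\\AppData\\Local\\Temp\\*"
"SaferFlags"=dword:00000000
"""


def _decode_value(raw):
    """Decode the right-hand side of a .reg value line into a Python object."""
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ, with \\ and \" escapes
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):                            # REG_DWORD, hex digits
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):                           # REG_MULTI_SZ: UTF-16LE, NUL separated
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return raw                                              # other types kept verbatim


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):                             # hex data continued on the next line
            pending = line[:-1]
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def summarize_srp(keys):
    """Decode the CodeIdentifiers key into an analyst-facing summary with findings."""
    root = keys.get(CODEIDENTIFIERS, {})
    level = root.get("DefaultLevel")
    summary = {
        "default_level": "absent" if level is None else SAFER_LEVELS.get(level, f"unknown (0x{level:x})"),
        "transparent_enabled": root.get("TransparentEnabled"),
        "executable_types": root.get("ExecutableTypes", []),
        "rules": [],
        "findings": [],
    }
    prefix = CODEIDENTIFIERS + "\\"
    for path, values in keys.items():
        if not path.startswith(prefix) or "ItemData" not in values:
            continue
        parts = path[len(prefix):].split("\\")             # e.g. ['0', 'Paths', '{guid}']
        if len(parts) < 3:
            continue
        rule_level = SAFER_LEVELS.get(int(parts[0]), parts[0])  # level subkeys are named in decimal
        summary["rules"].append({"level": rule_level, "type": parts[1], "item": values["ItemData"]})
    if not root:
        summary["findings"].append("CodeIdentifiers key absent: no SRP configured, or the key was deleted")
    elif summary["transparent_enabled"] == 0:
        summary["findings"].append("TransparentEnabled=0: SRP rules are not enforced")
    if summary["default_level"] == "Unrestricted" and not summary["rules"]:
        summary["findings"].append("DefaultLevel Unrestricted with no rules: policy imposes no restrictions")
    return summary


if __name__ == "__main__":
    for k, v in summarize_srp(parse_reg_export(SAMPLE_REG)).items():
        print(f"{k}: {v}")
```

Running the sample prints an Unrestricted default with one Disallowed path rule and no findings; feeding it an export where the rule subkeys are gone, which is exactly the kind of change the post says malware makes beneath this key, yields the "no restrictions" finding, so the same summary can be diffed against a known-good export from the same build.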