Updated samparse.pl plugin
I received an email from randomaccess last night, and got a look at it this morning. In the email, he pointed out that there had been some changes to the SAM Registry hive as of Windows 8/8.1, apparently due to the ability to log into the system using an MSDN Live account. Several new values appear to have been added to the user RID key, specifically GivenName, SurName, and InternetUserName. He provided a sample SAM hive and an explanation of what he was looking for, and I was able to update the samparse.pl plugin, send him a copy, and update the GitHub repository, all in pretty short order.
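The following is an added example, not code from RegRipper or from the samparse.pl plugin, showing how a parser can pick up the three new values from each user RID key and handle hives or accounts that don't carry them. It assumes (the post doesn't say) that the values are stored as REG_BINARY holding UTF-16LE text, and it uses the python-registry module for the real-hive path; the in-memory stand-in key and the sample account values are constructed here so the logic runs offline.

```python
"""Pull the Windows 8/8.1 account-name values out of SAM user RID keys.

Added example, not RegRipper code. The python-registry module
(https://github.com/williballenthin/python-registry) is used only in
extract_from_hive(); the stand-in classes below let the logic run offline.
"""
from dataclasses import dataclass, field

# Values the post reports under each user RID key on Windows 8/8.1.
NEW_USER_VALUES = ("GivenName", "SurName", "InternetUserName")


def decode_name_value(data):
    """Return the text stored in one of the new values.

    Assumption (not stated in the post): the data is REG_BINARY holding a
    NUL-terminated UTF-16LE string. Decoding it as UTF-16LE keeps non-ASCII
    names intact; the shortcut of stripping every 0x00 byte only works for
    plain ASCII and mangles accented or non-Latin names.
    """
    if isinstance(data, str):          # some parsers already return text
        return data.rstrip("\x00")
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("unexpected value data type: %r" % type(data))
    text = bytes(data).decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]    # keep up to the first terminator


def extract_account_names(users_key):
    """Walk SAM\\Domains\\Account\\Users and collect the new values per RID.

    users_key is a python-registry RegistryKey, or anything exposing
    subkeys()/name()/value(name) the same way. Accounts without the values
    (local accounts, pre-Windows 8 hives) are reported with None so the
    absence is visible rather than silently skipped.
    """
    report = {}
    for rid_key in users_key.subkeys():
        key_name = rid_key.name()
        if key_name == "Names":        # username->RID map, not a RID key
            continue
        entry = {}
        for value_name in NEW_USER_VALUES:
            try:
                raw = rid_key.value(value_name).value()
                entry[value_name] = decode_name_value(raw)
            except Exception:          # value not present on this key
                entry[value_name] = None
        report[key_name] = entry
    return report


def extract_from_hive(path):
    """Open a real SAM hive with python-registry (import kept local so the
    offline demo runs without the module installed)."""
    from Registry import Registry
    reg = Registry.Registry(path)
    return extract_account_names(reg.open("SAM\\Domains\\Account\\Users"))


# --- constructed stand-ins mimicking python-registry's key/value objects ---
@dataclass
class FakeValue:
    data: object

    def value(self):
        return self.data


@dataclass
class FakeKey:
    _name: str
    values: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

    def name(self):
        return self._name

    def subkeys(self):
        return self.children

    def value(self, value_name):
        if value_name not in self.values:
            raise KeyError(value_name)
        return FakeValue(self.values[value_name])


def sample_users_key():
    """Constructed Users key: one Windows 8 style account tied to an online
    identity (with a non-ASCII surname) and one plain local account."""
    def utf16(s):
        return s.encode("utf-16-le") + b"\x00\x00"

    online = FakeKey("000003E9", {
        "GivenName": utf16("Jane"),
        "SurName": utf16("Ærø"),
        "InternetUserName": utf16("jane@example.com"),
    })
    local = FakeKey("000001F4")                # no new values at all
    return FakeKey("Users", children=[FakeKey("Names"), online, local])


if __name__ == "__main__":
    for rid, entry in extract_account_names(sample_users_key()).items():
        print(rid)
        for value_name in NEW_USER_VALUES:
            print("  %-17s %s" % (value_name + ":", entry[value_name]))
```

Running the file prints the two RID keys from the constructed sample, with the local account showing None for all three values; point extract_from_hive() at an exported SAM hive to run the same walk over real data.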
This is a great example of what I've said time and again since I released RegRipper; if you need a plugin and don't feel that you can create or update one yourself, all you need to do is provide a concise description of what you're looking for, and some sample data. It's that easy, and I've always been able to turn a new or updated plugin around pretty quickly.
Now, I know some folks are hesitant to share data/hive files with me, for fear of exposure. I know people are afraid to share information for fear it will end up in my blog, and I have actually had someone tell me recently that they were hesitant to share something with me because they thought I would take the information and write a new book around it. Folks, if you take a close look at the blog and books, I don't expose data in either one. I've received hive files from two members of law enforcement, one of whom shared hive files from a Windows phone. That's right...law enforcement. And I haven't exposed, nor have I shared any of that data. Just sayin'...
Interestingly enough, randomaccess also asked in his email if I'd "updated the samparse plugin for the latest book", which was kind of an interesting question. The short answer is "no", I don't generally update plugins only when I'm releasing a new book. If you've followed this blog, you're aware that plugins get created or updated all the time, without a new book being released. The more extensive response is that I simply haven't seen a SAM hive myself that contains the information in question, nor has anyone provided a hive that I could use to update and test the plugin, until now.
And yes, the second edition of Windows Registry Forensics is due to hit the shelves in April, 2016.
Wednesday, February 03, 2016