SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

RegRipper: Ripping Registries With Ease

Harlan Carvey's RegRipper, available at, is a fantastic tool for getting data out of the registry quickly, whether you are doing incident response or forensics. In essence, it produces reports based on pre-canned registry searches. All you need to do is give it the registry file you want to review, give it a location for the report, and select the type of registry file. Then push a button.

RegRipper uses plugins to extract information from the registry files. Each plugin has been written to handle the data stored in the registry key it has been set up to review. For example, plugins will decode ROT-13 obfuscated data and translate binary data to ASCII.

Example Screen Shot

PTK Live and Indexed keyword search

A forensic analysis tool has to be able to execute thorough keyword search operations. PTK's search tool is able to isolate the keywords searched for even in the most complex and unusual situations. It is possible to verify whether a keyword is present in portions of the file system that are hard to analyze, whether it ended up there by chance or by user intent. Here are examples of the most interesting situations:

- allocated/unallocated space
- crosses two allocated/unallocated files
- crosses consecutive sectors in a file
- crosses from a file into slack
- slack space
- crosses fragmented sectors
- resident allocated/unallocated file
- resident alternate data stream in an allocated/unallocated file/directory
- non-resident allocated/unallocated file

All these situations can further vary depending on the file system under investigation. For instance, NTFS offers features that can be used to "hide" a file, consider the


Dates from Unallocated Space

By John McCash

A recent podcast I listened to (Forensic 4cast - Well worth the time to listen to it) made a statement which I took as an implication that files recovered from unallocated space were useless in most investigations because they lacked the filesystem metadata, specifically the MAC times. While it's true that the lack of this data can be a significant handicap, I disagreed rather strongly with that, and my disagreement forms the basis for this blog entry. I did follow up with Lee (Hi Lee!) at Forensic 4cast, and such a blanket implication was unintentional. Nonetheless, I think it worthwhile to enumerate for the community a number of points to consider when sieving through unallocated space.

Dates in particular, as well as other file metadata, can be extracted from many file types. Additionally, often filesystem

PointSec Decryption - A Case for Decryption of the Original

By J. Michael Butler

A while back, I posted about EnCase and PointSec — "Encase and PointSec - I'm Not Feeling the Love". I wrote about my frustrations with the difficulties of decryption for a forensic exam. My main point was that EnCase and PointSec need to work together to provide forensic examiners a way to view the PointSec drive in EnCase simply by entering the PointSec password. I also detailed my process for decryption, which involved the use of VMware and a virtual image of the encrypted drive.

PowerShell Timestamp Manipulation

Manipulating timestamps on Unix and Linux systems is as simple as touching a file on the file system. Of course, the individual attempting to modify timestamps will need to have permissions to do so on the file(s) in question.

On Windows-based systems, changing timestamps has historically required the use of third-party tools. However, Windows 7 and Windows Server 2008 will reportedly ship with Windows PowerShell installed.

Among the many advanced capabilities of Windows PowerShell is the ability to modify three different timestamps on Windows file systems: the file creation time, the last access time and the modification time. Forensic analysts should also be familiar with the metadata change time, which is updated to reflect changes in