SANS Digital Forensics and Incident Response Blog: Tag - regripper

Digital Forensics Case Leads: Ready, Forensicate, Aim

Ready. Forensicate. Aim. Okay, seriously, don't do that. You know the correct order, right? If not, Chris Pogue spent part of last year presenting on the Sniper Forensics methodology, developed by the incident response team at TrustWave's SpiderLabs, and has what you need. Even if you already know the proper order is Ready, Aim, Forensicate, … Continue reading Digital Forensics Case Leads: Ready, Forensicate, Aim

Turning RegRipper into WindowsRipper

Harlan Carvey has given us a great tool inRegRipper andit's undeniable that many examiners have found it to be a useful addition to their toolbox. RegRipper has a very specific purpose - parse the Windows registry. With some modification, we can turn RegRipper into WindowsRipper, an extremely powerful Windows triage tool. Using WindowsRipper we can parse much more than just the registry.

Adam James, a coworker who did the coding for this project, and I took a look at RegRipper and decided it could be morphed nicely into an amazing triage tool. The first thing Adam did wasmodify RegRipper to work against a mounted drive. You can read his explanation in the previous post or simply know that his code allows RegRipper to look at a mounted drive, find the Windows