Menu
  • Home
  • My Books
  • Courses
  • My Events
  • About Me
  • Contact
  • Home
  • My Books
  • Courses
  • My Events
  • About Me
  • Contact

Brett Shavers | Ramblings

Brett's Ramblings

Subscribe to blog
Unsubscribe from blog
Settings
Sign In
If you are new here, Register
  • Forget Username
  • Reset Password
Font size: + –
Subscribe to this blog post Unsubscribe
Print
1 minute reading time (36 words)

More Windows FE and triage notes (WindowsRipper?)

Digital Forensics
Brett Shavers
Wednesday, 02 June 2010
1289 Hits
8 Comments

Matt Churchhill (http://mattchurchill.net/2010/06/windowsripper/) has been doing some work to supercharge RegRipper.  Take a look at his video and while watching, consider how this can affect your method to triage a computer when booted to WinFE...

[youtube=http://www.youtube.com/watch?v=r4nBUXYGkBw&hl=en_US&fs=1&border=1]

Tweet
Tags:
winfe
Internet Evidence Finder (IEF): interview with Jad...
Windows FE and Triage webinar

About the author

Brett Shavers

Brett Shavers

 

Comments 8

Guest
Guest - Rob on Wednesday, 02 June 2010 10:30

Am I correct that once you assign a drive letter to the Volume you are going to be touching the Drive in WinFE?

0 Cancel Reply
Am I correct that once you assign a drive letter to the Volume you are going to be touching the Drive in WinFE?
Cancel Update Comment
Guest
Guest - Anonymous on Wednesday, 02 June 2010 11:09

If you set a volume to read only, the disk is written to (offset 0x417). If a disk is set to read only, it is not written to. So as long as you don't set the volume to read only...

0 Cancel Reply
If you set a volume to read only, the disk is written to (offset 0x417). If a disk is set to read only, it is not written to. So as long as you don't set the volume to read only...
Cancel Update Comment
Guest
Guest - Matt C on Wednesday, 02 June 2010 11:32

Thanks for the link, Brett. I hadn't thought of putting this on WinFE before, but it's a great idea.

0 Cancel Reply
Thanks for the link, Brett. I hadn't thought of putting this on WinFE before, but it's a great idea.
Cancel Update Comment
Guest
Guest - Brett Shavers on Wednesday, 02 June 2010 11:47

As fast as RegRipper is, and that it now can be pointed to a mounted drive, plus your addition of adding multiple CLI apps to be called within RegRipper, I can only imagine how quickly a triage can be done on a computer onsite. A bare-bone WinFE disk with only FTK Imager Lite (free) and RegRipper (free) set up as you have worked on means that you can have a lightweight, easy to use, triage (and subsequent imaging tool) at the cost of...a CD Rom...

0 Cancel Reply
As fast as RegRipper is, and that it now can be pointed to a mounted drive, plus your addition of adding multiple CLI apps to be called within RegRipper, I can only imagine how quickly a triage can be done on a computer onsite. A bare-bone WinFE disk with only FTK Imager Lite (free) and RegRipper (free) set up as you have worked on means that you can have a lightweight, easy to use, triage (and subsequent imaging tool) at the cost of...a CD Rom...
Cancel Update Comment
Guest
Guest - Rob on Wednesday, 02 June 2010 21:29

Not being Fluent in RegRipper... To be "precise" with it..do you need specific plug-in's? If I just want to see the Recent File List from Windows Media Player (For example...) a plug in would have to target that key to get the output I need... Is it, as it sits "off the shelf" going to report on the entire registry..?

0 Cancel Reply
Not being Fluent in RegRipper... To be "precise" with it..do you need specific plug-in's? If I just want to see the Recent File List from Windows Media Player (For example...) a plug in would have to target that key to get the output I need... Is it, as it sits "off the shelf" going to report on the entire registry..?
Cancel Update Comment
Guest
Guest - Brett Shavers on Thursday, 03 June 2010 01:59

You can choose the plugins to run, or even write your own plugins if what you are looking for isn't part of the RegRipper package. You can check out the regripper.net site and forum for better answers from the developer too (Harlan Carvey).

0 Cancel Reply
You can choose the plugins to run, or even write your own plugins if what you are looking for isn't part of the RegRipper package. You can check out the regripper.net site and forum for better answers from the developer too (Harlan Carvey).
Cancel Update Comment
Guest
Guest - ME on Friday, 07 June 2019 04:08

NO LINK WORKS FROM YOUR PAGE

0 Cancel Reply
NO LINK WORKS FROM YOUR PAGE
Cancel Update Comment
Brett Shavers
Brett Shavers on Friday, 07 June 2019 11:48

To be fair...this particular blog post is almost 10 years old...

0 Cancel Reply
To be fair...this particular blog post is almost 10 years old...
Cancel Update Comment
Already Registered? Login Here
Guest
Sunday, 15 September 2019
If you'd like to register, please fill in the username, password and name fields.

Captcha Image

Brett's blog

Posts List

Tag Cloud

investigation presentations Registry Forensics X-Ways Forensics Practitioner's Guide Hacker North korea case studies imaging book Windows Forensic Environment wiretap X-Ways Forensics bitcoin forensics training University of Washington Jimmy Weg RegRipper Placing the Suspect Behind the Keyboard Hiding Behind the Keyboard dfir forensics Bitcoin Forensics Virtualization windows forensic environment tor browser phishing email bitcoin gmail privacy investigations winfe writing windows fe 4cast Volume Shadow Copy surveillance

Search Blog

DFIR Training

Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.

Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!

http://www.patreon.com/DFIRTraining 

© 2019 Brett Shavers