Brett, ... Now, that's a couple of good points. I completely agree. Cheers, Stefan. -- Stefan Kelm <skelm@...> BFK edv-consulting GmbH...
713
Stefan Kelm
sk081557...
Aug 3, 2009 2:07 pm
Harlan, ... I just checked RipXP against a number of different hives and plugins. This is really, really useful - thanks a lot! Cheers, Stefan. -- Stefan Kelm...
714
H C
keydet89
Aug 3, 2009 3:02 pm
Stefan, ... I'm glad you found it useful! h...
715
H C
keydet89
Aug 4, 2009 1:35 pm
Jason, ... Thanks for the email. What specific information can you recommend about the location of Registry hive files within a Volume Shadow Copy? thanks, h...
716
Tony Rodrigues
fotografo_to...
Aug 4, 2009 2:14 pm
Harlan, FYI, I posted something about RegRipper and RegXP in my blog. Feel free to check it and comment! []s -- Tony Rodrigues, CISSP, CFCP Forense...
717
H C
keydet89
Aug 4, 2009 2:30 pm
Tony, ... Thanks! Unfortunately, I don't know what it says... ;-( h...
718
Tony Rodrigues
fotografo_to...
Aug 4, 2009 2:44 pm
hahahaha yes, it's Portuguese. I decided to write only in Portuguese, because there are thousands of excellent blogs in English. I usually point my readers to...
719
Troy
ntevidence
Aug 5, 2009 2:24 am
The most effective way to look at shadow copies is to mount or image the shadow copies. The registry hive files will be found in the same place in the mounted...
720
fpi
francesco.pi...
Aug 6, 2009 10:33 am
Hi all, I'm wondering about what you consider a trusted shell and, if possible, what do you use to get a trusted shell. During live CF and (especially) IR, you...
721
H C
keydet89
Aug 6, 2009 3:24 pm
... Overall, this is a very interesting topic, exactly for the reasons you've pointed out. For one, there doesn't seem to be a way to provide...
722
Greg Kelley
gwk1973
Aug 6, 2009 3:54 pm
Has anyone come across a tool that will iterate through all of the registry keys and dump out the registry key along with the last written date for the key? ...
723
hogfly
forensicir
Aug 6, 2009 3:55 pm
I swear we had this conversation almost a year and a half ago. @fpi, One way to approach this problem is with Windows SxS assembly manifests. George Garner...
724
fpi
francesco.pi...
Aug 6, 2009 4:46 pm
... I have a limited experience in IR and malware but no, I had not seen that. ... As you pointed out being redundant is invaluable (do not trust on a single...
725
Gary Funck
garyfunck
Aug 6, 2009 6:00 pm
... Below, an excerpt from a post that I sent on 7/19/09. Regtimeline.pl might be worth a try? ...
726
Greg Kelley
gwk1973
Aug 6, 2009 6:19 pm
Thanks. Just joined the group recently so I wasn't aware of that message. The URL in the e-mail and in the message goes to a page that isn't available. Just...
727
ntevidence@...
ntevidence
Aug 6, 2009 6:34 pm
Statically linking code will only get you so far. You will always have to rely on OS DLLs at some point since ultimately some OS DLL provides the...
728
ntevidence@...
ntevidence
Aug 6, 2009 6:36 pm
Regedit. Export to text. Troy ... From: "Gary Funck" <gary@...> To: win4n6@yahoogroups.com Sent: Thursday, August 6, 2009 11:00:29 AM GMT -08:00...
729
Greg Kelley
gwk1973
Aug 6, 2009 6:42 pm
Ugh, how dumb of me to miss that. I usually play around with exporting to .reg. Didn't realize, until now, that export to text will provide the last written...
730
H C
keydet89
Aug 7, 2009 12:14 am
... The regtime.pl plugin for RegRipper, or the regtime.pl that is part of the SANS SIFT environment... h...
731
H C
keydet89
Aug 7, 2009 12:16 am
... ...which is why your toolkit should be on a CD... And with the methods I listed, one does not need to touch cmd.exe or any of its dependent DLLs in order...
732
H C
keydet89
Aug 7, 2009 12:30 am
... Heavy effort? How so? Open the tool up in Dependency Walker... ... I think that there may be a benefit to NOT having "trusted" applications, per se. For...
Hi Mark, This tool will read the CurrentDatabase_360.wmdb file and allow you to view photo, video, music and playlist info. WMDB Extractor: ...
735
H C
keydet89
Aug 10, 2009 7:53 pm
Tim, ... Thanks for posting this...this and some of the other tools look very interesting... h...
736
Mark
stamblogs
Aug 11, 2009 1:55 pm
Hi Tim, Thanks for your feedback and the link to the extractor! Mark...
737
H C
keydet89
Aug 11, 2009 7:55 pm
On Vista, the following keys contain information about connections: Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles Beneath this key are GUIDs, and...
738
H C
keydet89
Aug 12, 2009 3:14 pm
Okay, so there's no response to this...but I'm thinking that if the DateLastConnected value is modified each time the system connects to that WAP, then the...
739
Tim Coakley
timcoakley
Aug 12, 2009 3:28 pm
Hi, I'm on an XP machine, do you have an example? Tim ... From: H C <keydet89@...> Subject: [win4n6] Re: Vista NetworkList\Profiles and date translation ...
740
H C
keydet89
Aug 12, 2009 5:51 pm
... I posted data.jpg in the Files section... HTH, h...
741
Tim Coakley
timcoakley
Aug 12, 2009 7:01 pm
Hi, Thanks, I don't have a date/time to compare against but it looks like (reading from left to right of your screenshot): year (2 bytes) month (2 bytes) ...