Sunday, April 19, 2009

Timeline - Sources

I saw an interesting tweet from Rob Lee the other day which led me to the MS site, where they said:

We plan to provide support for Windows XP until 2014.

Excellent.

I like this because a lot of the code that I've written specifically for Windows XP will continue to remain useful. Now, I'm sure that the code will still be useful beyond 2014...even now, responders still deal with NT 4.0 and Windows 2000 systems.

What I'm referring to is the ProDiscover ProScript code that I wrote and included on the DVD with the first edition of Windows Forensic Analysis. ProScript is Perl, which was implemented as the scripting language for ProDiscover...kind of neat idea, eh? Some of the ProScripts that I've written and still use allow you to parse through Restore Points, collecting data about each one. It's pretty easy to go back and update those scripts, based on the latest version of ProDiscover (we're up to 5.5 now), and add the necessary code to extract some of this data in the five-field timeline format, and then incorporate the resulting data in your timeline.

Don't have ProDiscover? No problem. Take the same basic code, mount your image file using SmartMount, and use Perl to extract the same data from your mounted file system. Don't have SmartMount? You can use ImDisk, or you can use Linux, either on your own or through something like SIFT.
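Here is what the mounted-image variant looks like in plain Perl. This is an added example written for this post, not one of the ProScripts from the book's DVD: it walks the RP* folders under a _restore{GUID} directory, pulls the description and creation FILETIME out of each rp.log, and prints one five-field line per Restore Point. Two things are assumed rather than taken from the post: the five-field layout used is time|source|system|user|description with the time as a Unix epoch value, and rp.log is assumed to hold the description as a null-terminated UTF-16LE string starting at offset 16 with the creation FILETIME in the last 8 bytes. The hostname is a parameter you supply. Run with no arguments, it builds a throw-away _restore tree with two constructed rp.log files so you can see the output offline; on a real case, point it at System Volume Information\_restore{GUID} on the mounted volume.

```perl
#!/usr/bin/perl
# Walk the System Restore point folders on a mounted XP volume and emit
# five-field timeline lines. Added example; assumes the layout
# time|source|system|user|description (time = Unix epoch) and an rp.log
# layout of: description as a null-terminated UTF-16LE string at offset 16,
# creation time as a FILETIME in the last 8 bytes.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Encode qw(decode encode);

my $EPOCH_DIFF = 11644473600;   # seconds between 1601-01-01 and 1970-01-01

# FILETIME (100 ns ticks since 1601) -> Unix epoch seconds
sub filetime_to_epoch {
    my ($lo, $hi) = @_;
    return int(($hi * 4294967296 + $lo) / 10_000_000) - $EPOCH_DIFF;
}

# Pull the description and creation time out of an rp.log file;
# returns an empty list if the file is missing or too short
sub parse_rplog {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or return;
    local $/;                       # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return if length($data) < 26;   # 16-byte header + terminator + 8-byte FILETIME
    my $desc = decode('UTF-16LE', substr($data, 16, length($data) - 24));
    $desc =~ s/\0.*//s;             # stop at the first null character
    my ($lo, $hi) = unpack('VV', substr($data, -8));
    return ($desc, filetime_to_epoch($lo, $hi));
}

# Scan every RP* directory below _restore{GUID} and return timeline lines,
# sorted by time
sub restore_point_timeline {
    my ($restore_dir, $host) = @_;
    my @lines;
    opendir(my $dh, $restore_dir) or die "cannot open $restore_dir: $!";
    for my $entry (sort readdir($dh)) {
        next unless $entry =~ /^RP\d+$/;
        my $rp = File::Spec->catdir($restore_dir, $entry);
        next unless -d $rp;
        my ($desc, $created) = parse_rplog(File::Spec->catfile($rp, 'rp.log'));
        # fall back to the folder's own mtime when rp.log is missing
        $created = (stat($rp))[9] unless defined $created;
        $desc = 'no rp.log' unless defined $desc;
        push @lines, join('|', $created, 'RP', $host, '', "$entry created: $desc");
    }
    closedir($dh);
    return sort { (split /\|/, $a)[0] <=> (split /\|/, $b)[0] } @lines;
}

# Write a constructed rp.log (same assumed layout) for the offline demo
sub write_sample_rplog {
    my ($dir, $desc, $epoch) = @_;
    my $ft = ($epoch + $EPOCH_DIFF) * 10_000_000;
    open(my $fh, '>:raw', File::Spec->catfile($dir, 'rp.log')) or die $!;
    print $fh "\0" x 16, encode('UTF-16LE', $desc), "\0\0",
              pack('VV', $ft % 4294967296, int($ft / 4294967296));
    close($fh);
}

# Usage: rp_tln.pl <path to _restore{GUID}> <hostname>
# With no arguments a throw-away _restore tree is constructed and scanned.
my ($restore_dir, $host) = @ARGV;
unless (defined $restore_dir) {
    $restore_dir = tempdir(CLEANUP => 1);
    $host = 'XPBOX';   # constructed hostname for the demo
    for my $rp (['RP1', 'System Checkpoint',                 1240000000],
                ['RP2', 'Software Distribution Service 3.0', 1240086400]) {
        my $dir = File::Spec->catdir($restore_dir, $rp->[0]);
        mkdir $dir or die "mkdir $dir: $!";
        write_sample_rplog($dir, $rp->[1], $rp->[2]);
    }
}
print "$_\n" for restore_point_timeline($restore_dir, $host);
```

Against the constructed tree this prints lines such as 1240000000|RP|XPBOX||RP1 created: System Checkpoint, which drop straight into a timeline alongside whatever else you have in the same five-field layout. The mtime fallback is deliberate: a Restore Point directory with no rp.log still tells you something happened at that time, and a silently skipped entry is worse than a line marked "no rp.log".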

Why Perl? Don't really know about using Perl? Well, don't listen to me...take a look at what Mike Worman has to say about it.
