Thursday, June 03, 2010


Tool Updates
Paraben recently sent out an email about an updated version of their P2eXplorer tool being available. This is the product that lets you mount a variety of acquired image formats as physical disks for viewing.

ImDisk is available for 32- and 64-bit versions of Windows, including Windows 2008. I've got an idea for trying it out on Windows 7...we'll have to see how it works.

The TSK tools are up to version 3.1.2. Be sure to update your stuff.

There's a new issue of Hakin9 magazine available for free now, which is kind of cool.

Matt posted about how he and Adam used RegRipper to create WindowsRipper. It's an interesting project and I have to say, I really like it when folks find ways to achieve their needs and get the tools to meet their goals, rather than the other way around. Great job, guys...I'm looking forward to seeing where this goes. Let me know what I can do to help.

Speaking of RegRipper, it appears that RegRipper is included in WinFE! Brett Shavers set up the WinFE site (he's also the guy who set up the RegRipper site), and the list of tools includes RegRipper!

I was interviewed last night by the guys from the Securabit podcast (episode 58). Thanks, guys, for a great time..."hanging out" on Skype with a bunch of former sailors...truly a dream come true! ;-) I enjoy having the opportunity to talk nerdy with folks, as forensics is not just a job, it's an adventure!

Check out Chris Pogue's "Sniper Forensics" interview on the CyberJungle podcast. It's episode 141, and the hosts start mentioning SANS (as a lead-in to Chris's interview) at about 58:26 into the podcast. Chris talked about his sniper forensics, as well as the 4-step Alexiou Principle that he uses as a basis for analysis. Chris will be giving his "Sniper Forensics" presentation at the SANS Forensic Summit in July.


Anonymous said...

Wow - a full page ad from Mr. Pump-and-Dump in hakin9 magazine.

Keydet89 said...


Anonymous said...

Gregory Evans - aka "Ligatt Security" who has been all over Twitter the past couple weeks. Apparently he is using the security world to pull off some stock scheme to pump the value of LGTT. Some security folks on Twitter were pretty animated about it. Surprised to see his ad on the inside cover!

Troy said...

Strictly speaking, Windows FE (not "WinFE" ever, per the lawyers) does not contain any non-Microsoft items. It would be more correct to say that one can add RegRipper, or other tools, to Windows FE. I know this may sound like I am being pedantic, but Windows FE exists in the wild because I was allowed to discuss it in a public forum. If the forensic community is not careful with Microsoft IP, including trademarks, we could create an environment adverse to Microsoft. That would not be good for us.

Keydet89 said...


I hear you about the trademark issues.

On another note, how does one get help from MSFT in figuring stuff out? The bad guys figure this stuff out, and by the time the good guys see it, we're already several steps behind.

Troy said...

Harlan, I understand your frustration. It is not easy getting forensic related information out of Microsoft--it isn't easy in Microsoft. Leaving aside the intellectual property laws that tie Microsoft's and my hands, there are two other important reasons for the difficulty.

First, there is the depth of the SME pool. There is no one Microsoft know-it-all. The code base and knowledge are spread out over tens of thousands of developers. Finding the few with direct knowledge of a topic is an art.

Second, there is the problem that forensic knowledge can be misused by developers--in and out of Microsoft--to write code that bypasses APIs. NTFS is a good example. Every week seems to bring some new project whose developer wants to write code to underlying NTFS structures and bypass APIs. For the NTFS team, this is unacceptable, as it leads to broken applications and system crashes that wouldn't happen if the APIs had been used instead.

What forensics needs in addition to sound investigative methodologies are some sound forensic research methodologies. I will be talking about this at the DFRWS in August.

Keydet89 said...


Great comment. As to the investigative and research methodologies, I think that there are some out there...but they're out there, and not easily accessible.