Many folks using the RegRipper tools may not be aware that you can use rip.exe to determine information about the plugins that you have currently have available. For example, the following command will allow you to see all the plugins that you have, listed in a tabular format:
rip -l
This next command will allow you to see all of the plugins you have, listed in CSV format:
rip -l -c
This command will let you see all of the plugins that end in "*_tln", in CSV format:
rip -l -c | find "_tln"
Now that we have a list of the plugins that provide TLN output, we can easily include the output of the plugin in our timeline events file by using the following command:
rip -r path
An example of how this can be useful is in adding the UserAssist data for a specific user to the timeline events file...you can do that using the following command:
rip -r path
Very easy, very straightforward, and the use of these plugins can provide us with a good deal of granularity in our timeline.
Something that's very important to understand about the TLN plugins is that, in most cases, they will not display the same information as their accompanying plugin without "_tln" in the name. In many cases, the information maintained in the keys and values extracted via the plugins is stored in a "most recently used" or "MRU" format, and as such, the LastWrite time of the key is associated with the most recent entry. An example of this is the shellbags_tln.pl plugin...running this one side-by-side with the shellbags.pl plugin won't provide you with the same information, nor the same number of lines in the output. However, this is by design...shellbag data is one of those "MRU" sources within the Registry. One exception to this is the output of the userassist_tln.pl plugin; the time stamp data extracted by this plugin is stored in the binary content of the value data.
Typing the command to list the *_tln plugins will illustrate that most of the plugins appear to be oriented toward the NTUSER.DAT and Software hives. The shellbags_tln.pl plugin was written to run against the USRCLASS.DAT hive, and lists its output based on the key LastWrite time or "MRU Time"; it does not list information in TLN format based on the created, last accessed or last modified times extracted from the shell items. The samparse_tln.pl plugin will list information in TLN format based on various time stamps associated with each user account. Also, with this plugin, you don't need to add the "-u" switch, as the user information is embedded within the hive file itself.
No comments:
Post a Comment