Comments on Windows Incident Response: When did a user's access change?

Anonymous, 2006-10-09 10:47 (-05:00):

Sorry so late, just catching up. How about we take your offline registry parser one step further and have it read in all the registry files in the restore points? Then you can create a timeline of certain registry keys. I have done this with a few mods to your Perl script and the use of a SQLite database. I also have a program that will pull the data off the DB and sort it for the timeline. The only problem is there is a lot of data to parse through, so you would have to pare down the data that you were looking through, like only the HKEY_LOCAL_MACHINE\SOFTWARE or HKEY_USERS\user\Software keys, and save that to the DB. Also, it takes a while to process through all the files if you do everything, and you will also have a huge DB to search through.
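The restore-point-to-SQLite timeline the commenter describes, written out as an added example. This is not the commenter's modified Perl script and not code from the blog; it assumes the hive parsing step (the post's offline registry parser, or a library such as python-registry) has already turned each restore point's saved hives into (key path, LastWrite time) records, and shows only the pare-down filter, the SQLite store and the timeline queries. The restore point numbers, creation times, key paths and LastWrite values are constructed sample data.

```python
"""Timeline of registry key LastWrite times across System Restore point hives.

Added example (not from the blog post or the commenter): each restore point's
hive has already been parsed into (key_path, last_write) records; only the
SQLite storage, the pare-down filter and the timeline queries are shown here.
"""
import re
import sqlite3

# Only these subtrees are written to the DB; everything else is discarded at
# load time to keep the database small, as the comment suggests.
KEEP = (
    re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE(\\|$)", re.IGNORECASE),
    re.compile(r"^HKEY_USERS\\[^\\]+\\SOFTWARE(\\|$)", re.IGNORECASE),
)


def wanted(key_path):
    """True if the key lies in one of the subtrees we keep."""
    return any(p.match(key_path) for p in KEEP)


def open_db(path=":memory:"):
    """Create (or reopen) the snapshot table. Key paths compare case-insensitively."""
    db = sqlite3.connect(path)
    db.executescript(
        """
        CREATE TABLE IF NOT EXISTS key_snapshot (
            rp         INTEGER NOT NULL,                 -- restore point number (RPnn)
            rp_time    TEXT    NOT NULL,                 -- restore point creation time, ISO 8601 UTC
            key_path   TEXT    NOT NULL COLLATE NOCASE,  -- full key path
            last_write TEXT    NOT NULL,                 -- key LastWrite time, ISO 8601 UTC
            PRIMARY KEY (rp, key_path)
        );
        CREATE INDEX IF NOT EXISTS ix_key_rp ON key_snapshot (key_path, rp);
        """
    )
    return db


def load_snapshot(db, rp, rp_time, records):
    """Store one restore point's (key_path, last_write) records; returns rows kept."""
    rows = [(rp, rp_time, k, t) for k, t in records if wanted(k)]
    db.executemany("INSERT OR REPLACE INTO key_snapshot VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return len(rows)


def timeline(db, key_path):
    """(rp, rp_time, last_write) for one key, oldest restore point first."""
    return db.execute(
        "SELECT rp, rp_time, last_write FROM key_snapshot WHERE key_path = ? ORDER BY rp",
        (key_path,),
    ).fetchall()


def changes(db, key_path):
    """Each LastWrite change, bracketed by the last snapshot before it and the first after it."""
    rows = timeline(db, key_path)
    return [
        {"after_rp": a[0], "after_rp_time": a[1],
         "by_rp": b[0], "by_rp_time": b[1], "new_last_write": b[2]}
        for a, b in zip(rows, rows[1:])
        if a[2] != b[2]
    ]


# Constructed sample keys (hypothetical SID, hypothetical times).
RUN_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
USER_RUN_KEY = "HKEY_USERS\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SYSTEM_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip"  # outside KEEP, dropped


def build_sample_db():
    """Constructed sample: three weekly restore points; the machine Run key changes before RP3."""
    db = open_db()
    load_snapshot(db, 1, "2006-09-01T03:00:00Z", [
        (RUN_KEY, "2006-08-20T10:15:00Z"),
        (USER_RUN_KEY, "2006-07-04T08:00:00Z"),
        (SYSTEM_KEY, "2006-06-01T00:00:00Z"),
    ])
    load_snapshot(db, 2, "2006-09-08T03:00:00Z", [
        (RUN_KEY, "2006-08-20T10:15:00Z"),
        (USER_RUN_KEY, "2006-07-04T08:00:00Z"),
        (SYSTEM_KEY, "2006-06-01T00:00:00Z"),
    ])
    load_snapshot(db, 3, "2006-09-15T03:00:00Z", [
        (RUN_KEY, "2006-09-12T22:41:00Z"),
        (USER_RUN_KEY, "2006-07-04T08:00:00Z"),
        (SYSTEM_KEY, "2006-06-01T00:00:00Z"),
    ])
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for c in changes(db, RUN_KEY):
        print(f"{RUN_KEY} modified {c['new_last_write']}: present in RP{c['by_rp']} "
              f"({c['by_rp_time']}), not yet in RP{c['after_rp']} ({c['after_rp_time']})")
```

On a live case the `rp` number comes from the `RPnn` directory name under the System Volume Information restore point store and `rp_time` from that restore point's creation time; the saved hives sit in the restore point's `snapshot` directory. Two caveats: the key's new LastWrite value dates the modification far more precisely than the pair of restore points that bracket it, so report both; and LastWrite moves when a key's own values or direct subkey list change, not when a deeper subkey does, so pick the key at the right depth for the question being asked.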