Comments on Windows Incident Response: Using RegRipper

Anonymous, 2008-12-26 07:19 -05:00:

SIFT v1.2 (http://sansforensics.wordpress.com/2008/12/24/happy-holidays-sans-sift-workstation-version-12-released/) was just released... It includes RegRipper perl scripts, which now support integrating registry data with the TSK's body file for timeline analysis. I think that's pretty cool. Now I'd just like to see an easy way to also include the Event Logs in that timeline.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2008-12-26 07:28 -05:00:

To be clear, RegRipper is included, but regtime.pl is, or may be, a separate script altogether. A while back I provided Rob Lee w/ a copy of regtime.pl, and he may have modified it to output the data in TSK body file format; this would be similar to Michael Cloppert's ex-tip tool.

Again, I don't think that the regtime.pl that Rob has added to SIFT is part of RegRipper.

Including Event Log entries is pretty trivial, given a good deal of the code that's out there... I guess my question would be, does the Event Log format necessarily and easily follow Dr. Carrier's body file format?