Friday, February 06, 2009


A couple of tools I've written have popped up on other blogs recently, so I thought I'd link to those blogs here...

Andrew Hoog posted a HOWTO on his eDiscovery blog, which illustrates how to extract metadata from Word doc files, on Linux systems. I really like Andrew's post for a number of reasons, not the least of which is that it highlights both something I wrote and Perl in the same post! But seriously...the format is great, and it's very comprehensive and easy to follow, particularly with respect to how to install the necessary Perl modules to get the script working properly. This script is included on the DVD that accompanies both the first and (soon-to-be-published) second editions of Windows Forensic Analysis. One of the interesting additions to the second edition of WFA is a case study of a time I used's sister script,, to further my analysis.

RegRipper made it into the SANS Forensic blog in a post by Keven Murphy. Keven's post illustrates how to run RegRipper (the GUI) under WINE, or you can use Daniele's modified version of to run that under Perl on Linux.

Just a couple of things that I'd like to mention in order to clarify Keven's post a bit...

First, he's right...RegRipper does use "pre-canned" plugins...just like Nessus. And just like Nessus, the plugins are essentially text-based, so anyone can (and has) open them, read them, modify them, or write their own plugins. In fact, Jason's even created a plugin generator!

Second, to update the plugins, just drop them into the plugins's that easy!

Thanks for the shout-out, Keven! Glad you like RegRipper, and I'd love to hear your thoughts for modification or improvement. Also, once the book's complete and into publication, I'll focusing my efforts on RegRipper v3!

Over on the RegRipper forums, a RegRipper user posted about how he'd used FTK Imager to extract all of the Administrator user hive files from the XP Restore Points into a directory called "restpts", and then used the following batch script to run a single plugin across all of the extracted hive files:

for /R restpts %i in (*) do rip -p typedurls -r "%i" >>typedurls.txt

This is a great way to do this kind of thing with what you have, but ripXP was designed to do this, and pulls out a bit more information, as well, in order to provide additional context to the information. I know what you're going to say, and you're right...ripXP is not publicly available as of yet...but that's a discussion for another time.


Anonymous said...

sir can you help i'm a newbie on computer forensics using encase. where can i find the system information such as the installed operating system (OEM, etc.) / Computer Name / Work Group / Network Adapter used (DHCPIPaddress, IPaddress, etc.)

Is there any logs where i can see these informations? thak you very much!

H. Carvey said...

That can all be found in the Registry, and extracted using RegRipper.