[Vol-users] searching registries

Mike Lambert dragonforen at hotmail.com
Tue May 15 20:31:17 CDT 2012


Hi Glenn,

I specifically need to search the registry files (disk forensics) extracted from compromised systems, not memory. I was looking for a free tool that non-forensic examiners (disk) could get for free. (Forensic examiners have tools, they just cost a lot.)

Thanks! I will look up Registry Decoder.

Have a good evening,

Mike
 



Date: Tue, 15 May 2012 20:51:02 -0400
From: hiddenillusion at gmail.com
To: dragonforen at hotmail.com
CC: vol-users at volatilityfoundation.org
Subject: Re: [Vol-users] searching registries


Create a list of the keys/values you want to search and supply them to the 'Printkey' plugin (http://code.google.com/p/volatility/wiki/CommandReference#printkey)


Additionally, depending on what you're searching against you can use Autoruns and parse its contents or if you want a GUI search, try Registry Decoder.



-- 
Glenn P. Edwards Jr.
GREM, GCFA, GCIH


On Tuesday, May 15, 2012 at 6:38 PM, Mike Lambert wrote:



One thing we need to do is search the registries for the keys that autorun malware.

Does anyone know of a free tool that will do that? I'm currently using Encase to do that but it is an expensive solution.

Harlan's RegRipper will dump some registry entries and sometimes it works, but it does not search.

Mike
 


_______________________________________________
Vol-users mailing list
Vol-users at volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
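Glenn's printkey suggestion works against memory images; for hive files exported from disk, the same key-list search can be scripted. The script below is an added example for this thread, not Volatility or RegRipper code; it assumes the python-registry package for parsing real hives, and the watch-list and sample records are constructed.

```python
"""Search exported registry hives for known autorun keys (added example; not
part of Volatility or RegRipper; hive parsing assumes python-registry)."""
import fnmatch
import sys

# Constructed watch-list of key paths below the hive root; '*' covers
# components that vary between hives (ControlSet001 vs ControlSet002).
AUTORUN_KEYS = [
    "Microsoft\\Windows\\CurrentVersion\\Run",
    "Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "ControlSet*\\Control\\Session Manager",  # BootExecute value lives here
]

def relative_path(full_path):
    """Drop the root key name (it differs per hive) and lower-case the rest."""
    return "\\".join(full_path.split("\\")[1:]).lower()

def matches_watchlist(full_path, patterns=AUTORUN_KEYS):
    rel = relative_path(full_path)
    return any(fnmatch.fnmatchcase(rel, p.lower()) for p in patterns)

def search_keys(records, patterns=AUTORUN_KEYS):
    """records: iterable of (key_path, [(value_name, value_data), ...])."""
    return [(relative_path(p), list(v)) for p, v in records
            if matches_watchlist(p, patterns)]

def walk_hive(hive_file):
    """Yield (key_path, values) for every key in a hive file on disk."""
    from Registry import Registry  # python-registry; imported only here
    stack = [Registry.Registry(hive_file).root()]
    while stack:
        key = stack.pop()
        yield key.path(), [(v.name(), v.value()) for v in key.values()]
        stack.extend(key.subkeys())

# Constructed records in the shape walk_hive() yields, for an offline run.
SAMPLE_RECORDS = [
    ("CMI-CreateHive{GUID-PLACEHOLDER}\\Microsoft\\Windows\\CurrentVersion\\Run",
     [("Updater", "C:\\Users\\Public\\upd.exe")]),
    ("ROOT\\ControlSet001\\Control\\Session Manager",
     [("BootExecute", ["autocheck autochk *"])]),
]

if __name__ == "__main__":  # usage: python autorun_search.py SOFTWARE SYSTEM
    records = [r for h in sys.argv[1:] for r in walk_hive(h)] or SAMPLE_RECORDS
    for path, values in search_keys(records):
        print(path, values)
```

Run with no arguments to see the constructed sample hits; pass exported hive paths to search real files.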

 		 	   		  