Hi Glenn,
 
I specifically need to search the registry files (disk forensics) extracted from compromised systems, not memory. I was looking for a free tool that non-forensic examiners (disk) could get for free. (Forensic examiners have tools, they just cost a lot.)
 
Thanks! I will look up Registry Decoder.
 
Have a good evening,
 
Mike 
 

Date: Tue, 15 May 2012 20:51:02 -0400
From: hiddenillusion@gmail.com
To: dragonforen@hotmail.com
CC: vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] searching registries

Create a list of the keys/values you want to search and supply them to the 'Printkey' plugin (http://code.google.com/p/volatility/wiki/CommandReference#printkey)

Additionally, depending on what you're searching against you can use Autoruns and parse its contents or if you want a GUI search, try Registry Decoder.

-- 
Glenn P. Edwards Jr.
GREM, GCFA, GCIH
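Glenn's "list of keys fed to printkey" approach, as an added example that is not part of this thread: a small POSIX shell script that keeps the autorun key list in one place and runs Volatility 2.x printkey once per key against a memory image. It assumes vol.py is on PATH and that the caller supplies the image path and matching profile; the key list is constructed for the example, and VOL is an assumed override so the loop can be dry-run with a stub command.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Volatility project.
# Assumes Volatility 2.x ('vol.py -f <image> --profile=<profile> printkey -K <key>').
# VOL is an assumed override: set it to a stub command to dry-run the loop.

# Constructed list of common autorun locations, one hive-relative key path
# per line. SOFTWARE-hive paths omit the 'Software\' prefix; NTUSER.DAT
# paths include it. printkey reports the key from every hive where it exists.
autorun_keys() {
    cat <<'EOF'
Microsoft\Windows\CurrentVersion\Run
Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft\Windows NT\CurrentVersion\Winlogon
EOF
}

# search_autoruns IMAGE PROFILE
# Runs printkey once per key and writes one combined report to stdout,
# with a '### <key>' header before each key so the output can be grepped.
search_autoruns() {
    image="$1"
    profile="$2"
    autorun_keys | while IFS= read -r key; do
        printf '### %s\n' "$key"
        # Quoting "$key" keeps paths with spaces ("Windows NT") as one argument.
        "${VOL:-vol.py}" -f "$image" --profile="$profile" printkey -K "$key"
    done
}

# Usage (comment out when sourcing the functions into another script):
# search_autoruns /cases/host1/mem.raw Win7SP1x86 > autoruns-host1.txt
```

The same key list is reusable with any offline hive tool, which is the disk-forensics case Mike asks about; only the command inside the loop changes. To restrict printkey to a single hive rather than every hive found in the image, pass the hive's virtual offset with `-o`, taken from the hivelist plugin output.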

On Tuesday, May 15, 2012 at 6:38 PM, Mike Lambert wrote:

One thing we need to do is search the registries for the keys that autorun malware.
 
Does anyone know of a free tool that will do that? I'm currently using Encase to do that but it is an expensive solution.
 
Harlan's RegRipper will dump some registry entries and sometimes it works, but it does not search.
 
Mike
 
_______________________________________________
Vol-users mailing list