Comments on Hacking Exposed Computer Forensics Blog: What did they take when they left? Part 2 – Finding out what they ran before they left
Blog author: David Cowen (http://www.blogger.com/profile/17629115910611763170)
Comment feed last updated: 2023-12-28T03:01:49-06:00

Comment by Anonymous, 2009-07-10 13:01 -05:00:
I really liked this post. Very helpful and understandable.

Comment by Sergio Medeiros (http://systembypass.com), 2009-07-07 21:31 -05:00:
Great post! Nothing is better than seeing some real content on the internet. Keep up the good work, you should be proud. Most people do not know about the Prefetch folder in Windows! I touched base on it on my blog in my Windows tweak section. You should check out my Computer Hacking Blog (http://systembypass.com) when you have the chance. I have favorited this blog because I am looking forward to reading more great posts in the near future. Don't stop, knowledge is power.

Comment by Anonymous, 2009-03-30 10:03 -05:00:
This is excellent information. I'm looking forward to part 3, as this is what all my legal folks want to know: "What did they take, and where did it go?"

Comment by David Cowen (https://www.blogger.com/profile/17629115910611763170), 2009-03-27 11:11 -05:00:
You know Harvey, H(arlan C)arvey, everyone is abbreviating these days.

Not really, I messed up, but at least I could find a good excuse. Thanks for the mention on your blog, looking forward to your second edition.

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2009-03-27 06:24 -05:00:
UserAssist entries can be extremely useful, particularly in determining the use of CD burning functionality. Look for the use of a CD/DVD burning application, such as Sonic, Nero, or whatever is installed. Remember that on XP systems in particular, if a driver is installed when a burner application is installed, a System Restore Point will be created, and that can help you with your timeline information.

Speaking of Restore Points, I have a variant of RegRipper that I call "ripXP" that I use to run RegRipper plugins across Restore Points automatically, giving me a historic view of the Registry entries. Very nice to have in a number of cases.

Back to CD burning... RegRipper includes a plugin for extracting MRU information from the Registry with respect to the CD/DVD burning application GUI. By default, the only entries that I've seen here have been ISO files (Helix, Linux distros, etc.), but it still shows usage. As these files are accessed through the shell, in many instances you will also find references to them in the user's RecentDocs subkey entries.

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2009-03-27 06:18 -05:00:
Harvey? Who's "Harvey"?

Comment by David Cowen (https://www.blogger.com/profile/17629115910611763170), 2009-03-26 11:13 -05:00:
Hi Harvey,
I really should have included RegRipper here; I've been using it lately instead of Registry Viewer for exactly this purpose. When I move into the next post, where I detail more registry locations to view, I will make sure to do so. Thanks for the tool, by the way, very handy.

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2009-03-26 11:10 -05:00:
RegRipper extracts this information quickly and efficiently, as well. In fact, I am using rip and the userassist plugin on a current engagement, and I didn't find what I was looking for (i.e., running a particular app). I knew that the app was installed due to the existence of a specific keyword in one of the Uninstall key entries (extracted from the Software hive file via RegRipper). I then ran the TypedURLs plugin across the 13 NTUSER.DAT files that I had extracted from the image, and narrowed the specific activity to two accounts. Now it's on to Pasco (after using ProDiscover's Find Internet History function) to get the information I need in a reportable format.

Comment by Anonymous (https://www.blogger.com/profile/14647926680748758089), 2009-03-26 05:14 -05:00:
Really good post, looking forward to part 3.