Difference between pages "RegXML" and "Windows Media Player Database Extractor"

From ForensicsWiki

==RegXML==

RegXML is a Windows command-line utility that exports sections of the Windows Registry as XML-formatted files.

The [https://github.com/ajnelson/regxml_extractor RegXML Extractor] will generate RegXML from a Microsoft Registry hive.

==Sample XML==

This RegXML is a sample of the System hive from the [http://digitalcorpora.org/corpora/scenarios/m57-patents-scenario M57-Patents scenario], image Charlie 2009-11-16.

<pre>
<?xml version="1.0" encoding="UTF-8"?>
<hive>
  <mtime>2009-11-17T00:33:57Z</mtime>
  <node name="$$$PROTO.HIV" root="1">
    <mtime>2009-11-13T04:47:33Z</mtime>
    <byte_runs>
      <byte_run file_offset="4128" len="92"/>
    </byte_runs>
    <node name="ControlSet002">
      <mtime>2009-11-09T01:26:39Z</mtime>
      <byte_runs>
        <byte_run file_offset="1480856" len="93"/>
      </byte_runs>
      <node name="Control">
        <mtime>2009-11-13T04:48:01Z</mtime>
        <byte_runs>
          <byte_run file_offset="1481240" len="87"/>
        </byte_runs>
        <value type="string" key="WaitToKillServiceTimeout" value="20000">
          <byte_runs>
            <byte_run file_offset="1481328" len="48"/>
            <byte_run file_offset="13448" len="16"/>
          </byte_runs>
        </value>
        <value type="string" key="SystemStartOptions" value="NOEXECUTE=OPTIN  FASTDETECT">
          <byte_runs>
            <byte_run file_offset="1481464" len="42"/>
            <byte_run file_offset="3006752" len="60"/>
          </byte_runs>
        </value>
        <value type="string" key="SystemBootDevice" value="multi(0)disk(0)rdisk(0)partition(1)">
          <byte_runs>
            <byte_run file_offset="3006856" len="40"/>
            <byte_run file_offset="3206056" len="76"/>
          </byte_runs>
        </value>
        <node name="Windows">
          <mtime>2009-11-13T03:08:00Z</mtime>
          <byte_runs>
            <byte_run file_offset="2355232" len="87"/>
          </byte_runs>
          <value type="expand" key="SystemDirectory" value="%SystemRoot%\system32">
            <byte_runs>
              <byte_run file_offset="2355368" len="39"/>
              <byte_run file_offset="3111128" len="48"/>
            </byte_runs>
          </value>
          <value type="binary" encoding="base64" key="ShutdownTime" value="RDGhgQ5kygE=">
            <byte_runs>
              <byte_run file_offset="3203784" len="36"/>
              <byte_run file_offset="1481592" len="12"/>
            </byte_runs>
          </value>
        </node>
        <node name="WOW">
          <mtime>2009-11-09T01:22:59Z</mtime>
          <byte_runs>
            <byte_run file_offset="2359096" len="83"/>
          </byte_runs>
          <value type="expand" key="cmdline" value="%SystemRoot%\system32\ntvdm.exe">
            <byte_runs>
              <byte_run file_offset="2358720" len="31"/>
              <byte_run file_offset="2359184" len="68"/>
            </byte_runs>
          </value>
          <value type="string" key="KnownDLLs" value="comm.drv commdlg.dll ctl3dv2.dll ddeml.dll
keyboard.drv lanman.drv mmsystem.dll mouse.drv netapi.dll olecli.dll olesvr.dll pmspl.dll shell.dll
sound.drv system.drv toolhelp.dll vga.drv wfwnet.drv win87em.dll winoldap.mod winsock.dll
winspool.exe wowdeb.exe timer.drv rasapi16.dll compobj.dll storage.dll ole2.dll ole2disp.dll
ole2nls.dll typelib.dll msvideo.dll avifile.dll msacm.dll mciavi.drv mciseq.drv mciwave.drv
progman.exe avicap.dll mapi.dll">
            <byte_runs>
              <byte_run file_offset="2359256" len="33"/>
              <byte_run file_offset="2361648" len="904"/>
            </byte_runs>
          </value>
        </node>
      </node>
    </node>
  </node>
</hive>
</pre>
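Added example, not code from the RegXML page or from the RegXML Extractor project: a small Python reader for the format shown above. It walks the <code>&lt;node&gt;</code>/<code>&lt;value&gt;</code> tree, reads the <code>byte_runs</code> that record where each cell sits in the hive file, decodes the base64 <code>ShutdownTime</code> value as a Windows FILETIME, and compares it with the <code>mtime</code> of the <code>Windows</code> key that stores it. The input is a trimmed copy of the sample above (sibling keys and most values cut, offsets unchanged); the assumption that <code>ShutdownTime</code> is the only FILETIME-typed value in this sample is mine.

```python
import base64
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed input: a trimmed copy of this page's RegXML sample (System hive, M57-Patents
# image Charlie 2009-11-16); sibling keys and most values are cut, offsets are as in the sample.
SAMPLE_REGXML = """<?xml version="1.0" encoding="UTF-8"?>
<hive>
  <mtime>2009-11-17T00:33:57Z</mtime>
  <node name="$$$PROTO.HIV" root="1">
    <mtime>2009-11-13T04:47:33Z</mtime>
    <byte_runs><byte_run file_offset="4128" len="92"/></byte_runs>
    <node name="ControlSet002">
      <mtime>2009-11-09T01:26:39Z</mtime>
      <byte_runs><byte_run file_offset="1480856" len="93"/></byte_runs>
      <node name="Control">
        <mtime>2009-11-13T04:48:01Z</mtime>
        <byte_runs><byte_run file_offset="1481240" len="87"/></byte_runs>
        <value type="string" key="WaitToKillServiceTimeout" value="20000">
          <byte_runs><byte_run file_offset="1481328" len="48"/><byte_run file_offset="13448" len="16"/></byte_runs>
        </value>
        <node name="Windows">
          <mtime>2009-11-13T03:08:00Z</mtime>
          <byte_runs><byte_run file_offset="2355232" len="87"/></byte_runs>
          <value type="binary" encoding="base64" key="ShutdownTime" value="RDGhgQ5kygE=">
            <byte_runs><byte_run file_offset="3203784" len="36"/><byte_run file_offset="1481592" len="12"/></byte_runs>
          </value>
        </node>
      </node>
    </node>
  </node>
</hive>
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_KEYS = {"ShutdownTime"}  # values known to hold a FILETIME (assumption: only this one here)

def parse_regxml(xml_text):
    """Parse RegXML text and return the <hive> element."""
    return ET.fromstring(xml_text.encode("utf-8"))

def filetime_to_datetime(raw):
    """Decode a little-endian Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME needs 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def byte_runs(elem):
    """(file_offset, len) pairs from the element's own <byte_runs>, not its children's."""
    runs = elem.find("byte_runs")
    if runs is None:
        return []
    return [(int(r.get("file_offset")), int(r.get("len"))) for r in runs.findall("byte_run")]

def walk(hive, path=()):
    """Yield (path_tuple, element) for every <node> and <value>, depth-first."""
    for child in hive:
        if child.tag == "node":
            p = path + (child.get("name"),)
            yield p, child
            yield from walk(child, p)
        elif child.tag == "value":
            yield path + (child.get("key"),), child

def index_hive(hive):
    """Map backslash-joined key path (nodes) or path\\valuename (values) -> element."""
    return {"\\".join(p): e for p, e in walk(hive)}

def decode_value(elem):
    """Decoded content of a <value>: known FILETIME values become RegXML-style mtime strings."""
    raw = elem.get("value")
    if elem.get("type") == "binary" and elem.get("encoding") == "base64":
        data = base64.b64decode(raw)
        if elem.get("key") in FILETIME_KEYS:
            return filetime_to_datetime(data).strftime("%Y-%m-%dT%H:%M:%SZ")
        return data
    return raw

def owner_of_offset(hive, offset):
    """(tag, name) of the node or value whose byte runs cover a hive-file offset, else None."""
    for p, elem in walk(hive):
        for start, length in byte_runs(elem):
            if start <= offset < start + length:
                return elem.tag, p[-1]
    return None

def check_shutdown_time(hive):
    """Return (decoded ShutdownTime, last-write time of the Windows key that stores it)."""
    key = "$$$PROTO.HIV\\ControlSet002\\Control\\Windows"
    idx = index_hive(hive)
    return decode_value(idx[key + "\\ShutdownTime"]), idx[key].findtext("mtime")

if __name__ == "__main__":
    hive = parse_regxml(SAMPLE_REGXML)
    print("ShutdownTime vs key mtime:", check_shutdown_time(hive))
    print("offset 1481600 belongs to:", owner_of_offset(hive, 1481600))
```

On this sample the decoded <code>ShutdownTime</code> and the <code>Windows</code> key's <code>mtime</code> agree at 2009-11-13T03:08:00Z, which is the consistency check an examiner wants from a value that records the last clean shutdown. The <code>byte_runs</code> lookup goes the other way: given an offset in the hive image (for instance one flagged by a carver), it names the key or value whose cell covers it.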

==See Also==

Disambiguation: RegXML is the name of a program released on Softpedia. It is also the name of an XML format described by Nelson. These are completely separate efforts.

* [http://www.softpedia.com/get/Tweak/Registry-Tweak/RegXML.shtml Download from Softpedia]
* A. Nelson, “RegXML: XML conversion of the Windows Registry for forensic processing and distribution,” in Advances in Digital Forensics VIII, ser. IFIP Advances in Information and Communication Technology, K.-P. Chow and S. Shenoi, Eds. Springer, 2012. (To appear Summer, 2012.)

==Windows Media Player Database Extractor (.wmdb)==

Latest revision as of 11:15, 24 November 2009

{{Infobox_Software |
  name = Windows Media Player Database Extractor (.wmdb) |
  maintainer = Simple Carver Suite |
  os = {{Windows}} |
  genre = {{Analysis}} |
  license = {{Commercial}} |
  website = [http://www.simplecarver.com/tool.php?toolname=WMDB%20Extractor http://www.simplecarver.com/] |
}}

The '''Windows Media Player Database Extractor (.wmdb)''' is a commercial [[analysis]] tool, part of the Simple Carver Suite of tools.

The tool is designed to view and extract the information held in the Windows Media Player data file, typically named CurrentDatabase_360.wmdb. That file can contain file names, file properties, and music, video, photo and playlist information.

It is intended for forensic examinations and for data recovery technicians. All information extracted from CurrentDatabase_360.wmdb is saved and presented as CSV, text or HTML reports.