Difference between pages "Fast Thunder" and "Regripper"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Created page with "'''Fast Thunder''' (aka Xunlei) is a download manager developed by Thunder Networking Technologies. == SuperDownload database == The '''SuperDownload datab...")
 
(RegRipper)
 
Line 1: Line 1:
'''Fast Thunder''' (aka Xunlei) is a [[Download manager|download manager]] developed by Thunder Networking Technologies.
+
== RegRipper ==
  
 +
RegRipper is an open source forensic software application developed by Harlan Carvey[[Harlan Carvey]].  RegRipper, written in Perl, is a [[Windows Registry]] data extraction tool.
  
== SuperDownload database ==
+
RegRipper can be customized to the examiner's needs through the use of available plugins or by users writing plugins to suit specific needs.
The '''SuperDownload database''' can be found at:
+
  
On Windows
+
== Technical Background and Forensic Soundness ==
<pre>
+
C:\Program Files\Thunder Network\Thunder\data\SdInfoDb.dat
+
</pre>
+
  
This file uses the [[SQLite database format]].
+
RegRipper uses James McFarlane’s Parse::Win32Registry module ([http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.40/]) to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API.  This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data.  When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand.  Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.
  
The timestamp:
+
== Resources: ==
* SuperDownloadInfo.ContentDownloadTime is stored as BIGINT and contains a POSIX timestamp
+
* SuperDownloadResource.DownloadTime is stored as BIGINT and contains '''presumably''' a POSIX timestamp
+
  
== See Also ==
+
* RegRipper Blog [(http://www.regripper.wordpress.com)]
 
+
* RegRipper Original Code and supporting information [(http://code.google.com/p/winforensicaanalysis/)]
* [[SQLite database format]]
+
* RegRipper Supplemental Plugins [(http://code.google.com/p/regripperplugins/)]
 
+
* Developers blog (Windows Incident Response) [(http://windowsir.blogspot.com/)]
== External Links ==
+
* [http://en.wikipedia.org/wiki/Xunlei Wikipedia article on Fast Thunder (Xunlei)]
+
 
+
[[Category:Applications]]
+
[[Category:Download Managers]]
+

Revision as of 13:22, 17 July 2012

RegRipper

RegRipper is an open source forensic software application developed by Harlan CarveyHarlan Carvey. RegRipper, written in Perl, is a Windows Registry data extraction tool.

RegRipper can be customized to the examiner's needs through the use of available plugins or by users writing plugins to suit specific needs.

Technical Background and Forensic Soundness

RegRipper uses James McFarlane’s Parse::Win32Registry module ([1]) to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API. This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data. When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand. Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.

Resources: