Thursday, April 26, 2018

Updated samparse.pl plugin

I received an email from randomaccess last night, and got a look at it this morning. In the email, he pointed out that there had been some changes to the SAM Registry hive as of Windows 8/8.1, apparently due to the ability to log into the system using an MSDN Live account. Several new values seem to be added to the user RID key, specifically, GivenName, SurName, and InternetUserName. He provided a sample SAM hive and an explanation of what he was looking for, and I was able to update the samparse.pl plugin, send him a copy, and update the GitHub repository, all in pretty short order.

This is a great example of what I've said time and again since I released RegRipper; if you need a plugin and don't feel that you can create or update one yourself, all you need to do is provide a concise description of what you're looking for, and some sample data. It's that easy, and I've always been able to turn a new or updated plugin around pretty quickly.

Now, I know some folks are hesitant to share data/hive files with me, for fear of exposure. I know people are afraid to share information for fear it will end up in my blog, and I have actually had someone tell me recently that they were hesitant to share something with me because they thought I would take the information and write a new book around it. Folks, if you take a close look at the blog and books, I don't expose data in either one. I've received hive files from two members of law enforcement, one of whom shared hive files from a Windows phone. That's right...law enforcement. And I haven't exposed, nor have I shared any of that data. Just sayin'...

Interestingly enough, randomaccess also asked in his email if I'd "updated the samparse plugin for the latest book", which was kind of an interesting question. The short answer is "no", I don't generally update plugins only when I'm releasing a new book. If you've followed this blog, you're aware that plugins get created or updated all the time, without a new book being released. The more extensive response is that I simply haven't seen a SAM hive myself that contains the information in question, nor has anyone provided a hive that I could use to update and test the plugin, until now.

And yes, the second edition of Windows Registry Forensics is due to hit the shelves in April, 2016.
