Windows Prefetch Files:
WinPrefetchView:
WinPrefetchView is a small utility that reads the Prefetch files stored
in your system and displays the information stored in them.
By looking in these files, you can learn which files every application
is using, and which files are loaded on Windows boot.
WinPrefetchView doesn't require any installation process or additional
DLL files. In order to start using it, simply run the executable file -
WinPrefetchView.exe
The main window of WinPrefetchView contains 2 panes: The upper pane
displays the list of all Prefetch files in your system.
When you select a file in the upper pane, the lower pane displays the
list of files stored inside the selected Prefetch file, which represent
the files that were loaded by the application in the previous times that
you used it.
There is also a special Prefetch file, named 'NTOSBOOT-B00DFAAD.pf',
which shows you the list of files that are loaded during the
Windows boot process.
WinPrefetchView also allows you to delete the selected Prefetch files.
However, be aware that even when you delete a Prefetch file, it will be created again by the operating system when
you run the same program again.
Download Link : http://www.nirsoft.net/utils/winprefetchview.zip
Windows Registry Hives:
RegRipper:
RegRipper is an open source tool, written in Perl, for extracting/parsing
information (keys, values, data) from the Registry and presenting it for
analysis.
RegRipper consists of two basic tools, both of which provide similar capability. The
RegRipper GUI allows the analyst to select a hive to parse, an output file for
the results, and a profile (list of plugins) to run against the hive.
When the analyst launches the tool against the hive, the results go to
the file that the analyst designated. If the analyst chooses to parse
the System hive, they might also choose to send the results to
system.txt.
The GUI tool will also create a log of its activity in the same
directory as the output file, using the same file name but with the
.log extension (i.e., if the output is written to system.txt, the log
will be written to system.log).
RegRipper also includes a command line (CLI) tool called rip.
Rip can be pointed at a hive and can run either a profile (a
list of plugins) or an individual plugin against that hive, with the
results being sent to STDOUT. Rip can be included in batch files, using
the redirection operators to send the output to a file. Rip does not
write a log of its activity.
RegRipper is similar to tools such as Nessus, in that the application itself is
simply an engine that runs plugins. The plugins are individual Perl
scripts that each perform a specific function. Plugins can locate
specific keys and list all subkeys, as well as values and data, or they
can locate specific values. Plugins are extremely valuable in the
sense that they can be written to parse data in a manner that is useful
to individual analysts.
Note: Plugins also serve as a means of retaining corporate knowledge,
in that an analyst finds something, creates a plugin, and adds that
plugin to a repository that other analysts can access. When the plugin
is shared, this has the effect of being a force multiplier, in
that all analysts now have access to the knowledge and experience of
one analyst. In addition, plugins remain long after analysts leave an
organization, allowing for retention of knowledge.
Download Link : http://code.google.com/p/regripper/downloads/list
Auto_rip:
auto_rip is a wrapper script for RegRipper. The script automates
the execution of the RegRipper plug-ins according to the categories below:
all - gets information from all categories
os - gets General Operating System Information
users - gets User Account Information
software - gets Installed Software Information
network - gets Networking Configuration Information
storage - gets Storage Information
execution - gets Program Execution Information
autoruns - gets Autostart Locations Information
log - gets Logging Information
web - gets Web Browsing Information
user_config - gets User Account Configuration Information
user_act - gets User Account General Activity
user_network - gets User Account Network Activity
user_file - gets User Account File/Folder Access Activity
user_virtual - gets User Account Virtualization Access Activity
comm - gets Communication Software Information
SHA1 Checksum: 55828924ce01190b5e4c292c3fb979b3b5b12c88
Download Link : http://regripper.googlecode.com/files/auto_rip-5-16-2013.zip
NTFS Artifacts:
AnalyzeMFT:
analyzeMFT.py is designed to fully parse the MFT file from an NTFS
filesystem and present the results as accurately as possible in multiple formats.
Documentation : http://grayscale-research.org/new/pdfs/NTFS%20forensics.pdf
Download Link : https://github.com/dkovar/analyzeMFT
Windows Journal Parser (jp):
jp is a command line tool that targets NTFS change journals.
The change journal is a component of NTFS that, when enabled, records changes
made to files. The change journal lives in the $UsnJrnl MFT entry, and
the journal entries are stored in its alternate data stream $J. Each entry
is of variable size, and its internal structure is documented on MSDN.
The change journal records, amongst other things: (a) the time of the change,
(b) the affected file/directory, and (c) the change type (delete, rename, size extend, etc.),
which makes it a useful source when examining a computer forensically.
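To make that record layout concrete, the following is an added example (my own code, not part of jp or of this page) that parses USN_RECORD_V2 entries from a $J byte buffer using the version 2 field layout from Microsoft's documentation; the sample journal bytes are constructed inline rather than taken from a real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 (Microsoft docs): 60-byte fixed header followed by a UTF-16LE file name.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100ns ticks from here
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}

def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf, skipping the zero fill found between pages."""
    off = 0
    while off + _HDR.size <= len(buf):
        (length, major, _minor, fref, pref, usn, ts, reason, _src, _sid, _attrs,
         name_len, name_off) = _HDR.unpack_from(buf, off)
        if length == 0:          # zero-filled tail of a journal page: step to the next 8-byte slot
            off += 8
            continue
        if major != 2 or length < _HDR.size or off + length > len(buf):
            raise ValueError("unsupported or truncated record at offset %d" % off)
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {
            "usn": usn,
            "timestamp": _EPOCH + timedelta(microseconds=ts // 10),
            "file": name,
            "mft_entry": fref & 0xFFFFFFFFFFFF,     # low 48 bits; the high 16 bits are the sequence number
            "parent_entry": pref & 0xFFFFFFFFFFFF,
            "reasons": [n for bit, n in REASONS.items() if reason & bit],
        }
        off += length            # RecordLength is already padded to an 8-byte multiple

def build_record(usn, filetime, name, reason, fref=0x0001000000000025, pref=0x0001000000000005):
    """Constructed helper: serialise a V2 record so the parser can be exercised offline."""
    name_b = name.encode("utf-16-le")
    length = (_HDR.size + len(name_b) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, fref, pref, usn, filetime, reason, 0, 0, 0x20, len(name_b), _HDR.size)
    return hdr + name_b + b"\x00" * (length - _HDR.size - len(name_b))

# Constructed sample journal: a file is created, a zero gap follows, then the file is deleted.
SAMPLE = (build_record(0x1000, 132000000000000000, "setup.tmp", 0x100 | 0x80000000)
          + b"\x00" * 8
          + build_record(0x1050, 132000000100000000, "setup.tmp", 0x200 | 0x80000000)
          + b"\x00" * 16)

def deleted_files(buf):
    """Names of files whose journal entries carry FILE_DELETE (the file may no longer be in the MFT)."""
    return [r["file"] for r in parse_usn_v2(buf) if "FILE_DELETE" in r["reasons"]]
```

Because the journal keeps the name and parent MFT reference of a file even after it is deleted, this is often the only place a short-lived file leaves a timestamped trace.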