TOOLS: RegLookup and GrokEVT Mar 29 2007 12:23PM
Tim (tim-forensics sentinelchicken org)

I just released new versions of these tools, and thought some of you
might be interested.

RegLookup[1] allows one to dump a Windows (NT+) registry from Unix
systems. It also supports some limited querying based on path and data
type, and can output useful metainformation such as key mtimes and ACLs.
It is specifically designed for scripting, with an easily parsable
CSV-like output format. It is written in C and is licensed under the

GrokEVT[2] allows one to interpret Windows event logs from Unix systems.
Unlike any other open source event log tool (that I know of, correct me
if I'm wrong), it is able to combine log message templates with event
log data to produce human-readable output. (Equivalent to what one
would get out of the event viewer in Windows.) Logs are also output in
an easily parsable CSV-like format. It is written in Python and is also
licensed under the GPL.

These tools are designed with forensic analysis in mind, and should be
relatively easy to check for accuracy. Please let me know if you try
these out and run into any problems.
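The "combine log message templates with event log data" step the post describes is the part of Windows event log interpretation most people have never seen done by hand: the .evt record carries only an event ID, a source and a list of insertion strings, while the human-readable text lives as a template (with FormatMessage-style %1, %2, %n, %t placeholders) in a message DLL referenced through the registry. The following is an added illustration of that substitution step, written for this page; it is not GrokEVT's or RegLookup's code, and the template and insertion strings are constructed for the example rather than taken from a real message file. Placeholders with no matching insertion string are deliberately left verbatim so that a missing or mismatched template is visible in the output instead of being silently swallowed.

```python
import csv
import io
import re

# Constructed sample data (not from a real message DLL or .evt file):
# the template a message file would supply for one source/event ID,
# and the insertion strings carried by a single event record.
SAMPLE_TEMPLATE = (
    "An account was successfully logged on.%n%n"
    "Account Name:%t%1%n"
    "Logon Type:%t%2%n"
    "Workstation:%t%3"
)
SAMPLE_STRINGS = ["alice", "10", "WS01"]

# FormatMessage-style escapes handled here: %% literal percent,
# %n hard line break, %t tab, %r carriage return, %1..%99 insertions.
# Other escapes (%0, %b, %!, %.) are not handled in this example.
_PLACEHOLDER = re.compile(r"%(%|n|t|r|\d{1,2})")


def render_event(template, strings):
    """Substitute an event record's insertion strings into its template.

    Insertion indices are 1-based, as in Windows message files. A
    placeholder whose insertion string does not exist is returned
    unchanged, so the analyst can see that the record and template did
    not line up (the usual symptom of a wrong or missing message DLL).
    """
    def substitute(match):
        token = match.group(1)
        if token == "%":
            return "%"
        if token == "n":
            return "\n"
        if token == "t":
            return "\t"
        if token == "r":
            return "\r"
        index = int(token)
        if 1 <= index <= len(strings):
            return strings[index - 1]
        return match.group(0)  # leave unresolved placeholder visible

    return _PLACEHOLDER.sub(substitute, template)


def to_csv_row(event_id, source, template, strings):
    """Emit one CSV line: event ID, source, rendered message.

    Rendered messages routinely contain newlines and tabs, so the csv
    module is used for quoting rather than joining fields by hand; a
    hand-rolled join would corrupt any downstream parser on the first
    multi-line message.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([event_id, source, render_event(template, strings)])
    return buf.getvalue()


if __name__ == "__main__":
    print(render_event(SAMPLE_TEMPLATE, SAMPLE_STRINGS))
    print(to_csv_row(4624, "Security", SAMPLE_TEMPLATE, SAMPLE_STRINGS))
```

Note that rendering depends on having the correct message DLL for the source that wrote the record; on a forensic image that means the DLLs (and the registry keys pointing at them) must be taken from the same system as the .evt files, not from the analyst's workstation.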
