[sleuthkit-developers] timeline of windows registry
From: Uwe D. <uwe...@gm...> - 2005-01-12 13:42:11
Two questions and some answers ;-)
1.) Does someone know good tools to generate a timeline of
the Windows registry?
2.) Does a change of the timeline format make sense?
timeline of windows registry:
=============================
I'm trying to correlate the mac-timeline with the registry timeline.
I searched in the mailing archives and found only, in "sleuthkit-developers",
some ideas about "Registry Viewing Tools (not yet public)" and the samba
project.
In the past I used dumpreg to get a registry copy with timestamps.
But this was not so useful.
Today I generate Registry timelines with
- Import files with Regedit on WinXP,
(Here one big problem, the ACL of the imported SAM- and SECURITY-HIVE
must be changed, so the timestamp of SAM, SECURITY, SECURITY\Cache,
SECURITY\Policy and SECURITY\RXACT will be overridden)
- Total Commander with Registry Plugin to export registry with timestamps
http://www.ghisler.com/ and http://www.totalcmd.net/plugring/registry.html
- the plugin exports the timestamps of the hives to a TXT file.
(also all keys and most of the values as ASCII or UNICODE)
- grep and sort make the rest
The way via Windows, admin rights, Registry, Total Commander,
Registry Plugin does not look very respectable.
Does a read-only and open-source Windows registry timeline tool exist?
The other point is the format of the timeline:
==============================================
I prefer to use a sort and grep-able time format like the one of the
registry timeline plugin:
2004/04/05,10:57:26,HKEY_USERS\software_forensic_case\Adobe\Acrobat
Reader\5.0\Language\next
But the sleuthkit tool mactime produces the following format:
Tue Jul 11 1995 16:50:00 33792 m.. -/--wx-wx-wx ... 279-128-3 d:\abc.EXE
831 m.. -/--wx-wx-wx ... 280-128-3 d:\abc.TXT
Wed Mar 27 1996 21:59:10 585 m.. -/--wx-wx-wx ... 689-128-1 d:\abc.H
Yes, I know the switches -d -y of the mactime tool. But the month as text
is not the best idea for merging and sorting.
I use the following patch:
/opt/sleuthkit/src/timeline> diff mactime.bas mactime.base.org
416c416
< "$yeart/$mon/$mday,$hour:$min:$sec";
---
> "$yeart $digit_to_month{$mon} $mday $digit_to_day{$wday}
$hour:$min:$sec";
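Review bot: the diff is the wrong way round for a patch: `diff mactime.bas mactime.base.org` lists the modified file first, so the proposed format string shows up under `<` and the original under `>`; run it as `diff -u mactime.base.org mactime.bas` so the change can be applied with patch. Second, the new string interpolates `$mon` and `$mday` directly; if they are not already zero-padded at line 416, a stamp like 1995/7/5 sorts after 1995/12/01 in a plain text sort, which defeats the purpose of the change, so build the stamp with sprintf("%04d/%02d/%02d,%02d:%02d:%02d", ...) and confirm that `$mon` holds the 1-12 month number (the original line only uses it as a key into %digit_to_month, which does not show that).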
Is there a chance to change the code of the sleuthkit in this way?
Or instead, is it possible to insert an additional switch for this
format?
Regards,
Uwe.
--
"The greatest of all faults is to be conscious of none" Thomas
Carlyle
Please use PGP - my PGP-key-ID: 0x0FD36935 (2048 Bit)
PGP-fingerprint: C9A6 0E4A 9EC5 FF24 4FF8 6BE5 1E02 1C74
key-server: http://the.earth.li/pgp_lookup.html
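As an added example (not code from the post or from the Sleuthkit project), the script below does the merge the post is after from the outside: it normalizes both mactime's default output and the registry plugin's YYYY/MM/DD,HH:MM:SS lines to one zero-padded, text-sortable key, carrying the date forward into mactime's continuation lines that omit it. The sample lines are constructed from the ones quoted in the post plus one made-up registry entry.

```python
from datetime import datetime

# Constructed sample input: the three mactime lines quoted in the post (the second
# omits the date and inherits the previous one) and two registry timeline lines.
MACTIME_SAMPLE = r"""
Tue Jul 11 1995 16:50:00 33792 m.. -/--wx-wx-wx ... 279-128-3 d:\abc.EXE
831 m.. -/--wx-wx-wx ... 280-128-3 d:\abc.TXT
Wed Mar 27 1996 21:59:10 585 m.. -/--wx-wx-wx ... 689-128-1 d:\abc.H
"""
REGISTRY_SAMPLE = r"""
2004/04/05,10:57:26,HKEY_USERS\software_forensic_case\Adobe\Acrobat Reader\5.0\Language\next
1995/12/01,08:00:00,HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Example
"""
SORT_FMT = "%Y/%m/%d,%H:%M:%S"  # zero-padded, so a plain text sort is time order

def parse_mactime(lines):
    """Return (sortable_ts, "fs", detail) tuples from default mactime output.
    A line whose first five fields are not 'Tue Jul 11 1995 16:50:00' style is a
    continuation line and takes the timestamp of the preceding dated line."""
    events, current = [], None
    for line in lines:
        if not line.strip():
            continue
        parts = line.split(None, 5)
        try:
            current = datetime.strptime(" ".join(parts[:5]), "%a %b %d %Y %H:%M:%S")
            detail = parts[5] if len(parts) > 5 else ""
        except ValueError:
            if current is None:
                raise ValueError("continuation line before any dated line: %r" % line)
            detail = line.strip()
        events.append((current.strftime(SORT_FMT), "fs", detail))
    return events

def parse_registry(lines):
    """Return (sortable_ts, "reg", key) tuples from 'YYYY/MM/DD,HH:MM:SS,KEY' lines."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        date, time, key = line.strip().split(",", 2)
        datetime.strptime(date + " " + time, "%Y/%m/%d %H:%M:%S")  # reject bad stamps
        events.append((date + "," + time, "reg", key))
    return events

def merge_timelines(mactime_lines, registry_lines):
    """One timeline ordered by timestamp; stable sort keeps each source's order."""
    events = parse_mactime(mactime_lines) + parse_registry(registry_lines)
    return sorted(events, key=lambda e: (e[0], e[1]))

if __name__ == "__main__":
    for ts, src, detail in merge_timelines(MACTIME_SAMPLE.splitlines(), REGISTRY_SAMPLE.splitlines()):
        print(ts, src, detail)
```

Feed real files with `merge_timelines(open(fs_path), open(reg_path))`; the registry line with the made-up 1995 stamp lands between the two mactime dates, which is the interleaving the post wants.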