Tag: Computer Forensics

BackBox Linux

BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments. Designed to be fast, easy to use and provide a minimal yet complete desktop environment, thanks to its own software repositories, always being updated to the latest stable version of the most used and best known …


Permanent link to this article: http://www.darknessgate.com/2014/11/17/backbox-linux/


UserAssist keys are a method that Microsoft uses to populate a user’s Start menu with frequently used applications. They exist on Windows XP, Vista, and 7 and maintain counts of application usage. These values are located in each user’s NTUSER.DAT hive at Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist and are ROT-13 encoded. Features: extracts SID, User Names, Indexes, Application Names, Run …


Permanent link to this article: http://www.darknessgate.com/2014/11/12/userassistant/

USB Historian

Parse USB connection history. The Microsoft Windows operating systems record artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected. These artifacts can be found in Plug and Play (PnP) log files as well as the Windows Registry. For a forensic investigator dealing with the theft, movement, or access …


Permanent link to this article: http://www.darknessgate.com/2014/11/11/usb-historian/

USBDeviceForensics

USBDeviceForensics is an application to extract numerous bits of information regarding USB devices. It uses the information from a SANS blog posting to retrieve operating-system-specific information. It now has the ability to process multiple NTUSER.dat registry hives in one go. It should be noted that whilst the information in the blog posting is …


Permanent link to this article: http://www.darknessgate.com/2014/11/11/usbdeviceforensics/

Windows ShellBag Parser (sbag)

sbag is a Windows registry parser that targets the ShellBag subkeys to pull useful directory and file artifacts that help identify user activity. Binaries are available for Windows, Linux and Mac OS X. The Windows version allows one to parse hives resident on a live system. As background, the ShellBag information is a set of …


Permanent link to this article: http://www.darknessgate.com/2014/11/11/windows-shellbag-parser-sbag/

Regshot

Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one, taken after making system changes or installing a new software product. http://sourceforge.net/projects/regshot/

Permanent link to this article: http://www.darknessgate.com/2014/11/11/regshot/

Registry Decoder

Accurate, efficient analysis of the Windows registry. Registry Decoder provides a single tool in which to perform browsing, searching, analysis, and reporting of registry hive contents. All functionality is exposed through an intuitive GUI and accommodates even novice investigators. Registry Decoder also acts as a great resource for new research and experimenting within the …


Permanent link to this article: http://www.darknessgate.com/2014/11/11/registry-decoder/

ForensicUserInfo

ForensicUserInfo will extract the following information: RID, Login Name, Name, Description, User Comment, LM Hash, NT Hash, Last Login Date, Password Reset Date, Account Expiry Date, Login Fail Date, Login Count, Failed Logins, Profile Path, Groups. http://www.woanware.co.uk/forensics/forensicuserinfo.html

Permanent link to this article: http://www.darknessgate.com/2014/11/11/forensicuserinfo/

Volatility Interface & Extensions

This project aims to develop software to extend the use and simplify the handling of the Volatility Framework. Objectives of VOLIX: simplify the handling of Volatility; provide a more intuitive GUI; reduce complex command sequences to a single click; improve usability; increase analysis speed (no tedious typing of commands); make comparison and correlation of results easier; offer assistance and examples; provide new functions; automated search for malware and analysis of the findings by VirusTotal; detection of hidden …


Permanent link to this article: http://www.darknessgate.com/2014/11/11/volatility-interface-extensions/

MDD

MDD is a physical memory acquisition tool for imaging Windows-based computers, created by ManTech International Corporation. MDD is capable of acquiring memory images from Windows 2000, XP, Vista and Windows Server. Download MDD

Permanent link to this article: http://www.darknessgate.com/2014/11/10/mdd/

Permanent link to this article: http://www.darknessgate.com/2014/11/06/exiv2/