The following are a few useful scripts that I have written to help me with different things. Perl files have been uploaded as text files. Use “Save As” and save to a file with the “.pl” extension.
RegRipper Plugins:
- regtln.pl
  - Generates a TSK bodyfile from any Windows registry hive
  - Last Update: 1/31/2010
  - sha1sum: 2d3a2a33c66d5f5c32e287186a28adc1b02c1f8e
- crashdump.pl
  - System crash dump configuration from System Hive
  - Last Update: ~9/1/2009
  - sha1sum: a940a0be7536ca4553fba50d1b4278f5a8841869
- drwatson.pl
  - Dr. Watson configuration information from Software Hive
  - Last Update: ~9/1/2009
  - sha1sum: e3f11fd2fc09457a0f52f869a6d5f57a22e25c0c
- eventlogs.pl
  - Windows Event Log configuration from System Hive – contains configured hostname
  - Last Update: ~9/1/2009
  - sha1sum: da6d0d69c8ead282af103b959587e41e280b2858
Registry Tools:
- regdetect.zip
  - Scans specified registry files for specific keys, as configured in the regdetect.ini file, and generates an output file containing specifics about each key detected. Includes regdetect.pl and regdetect.exe.
  - Last Update: 9/28/2009
  - sha1sum: 6b0f08e8a4402df6f13262c8ca57aeb8ad319367
EnScripts:
- BodyFile.EnScript
  - Generates a TSK bodyfile from images mounted in EnCase (file times are NOT epoch)
  - Last Update: 12/23/2009
  - sha1sum: 6708f47554b617644d4d5ec40643525da7163a3d
- TLNFile.EnScript
  - Generates a TLN file from images mounted in EnCase
  - Last Update: 12/23/2009
  - sha1sum: c1c26b6134ca72f8ff8789f95467c779a96ff2f1
- PrefetchFolderAnalysis2.EnScript
  - Generates a TLN file from PreFetch files in EnCase. Developed by Kelcey Tietjen (see comments) and updated here.
  - Last Update: 1/31/2010
  - sha1sum: 3ADB80AD3E1E925E74A837FEA3E164D5B990FC53
Event Log Tools:
- evtparse.pl
  - Parses event logs and outputs them in a user-selected format. Developed by Harlan Carvey and updated here.
  - Last Update: 1/31/2010
  - sha1sum: 5d7980b45b50932c018e75b18ae4578e922a5e74








