At the recent OSDFC, I presented on and announced the release of the Forensic Scanner. One of the reasons I wrote the Scanner (and this applies to RegRipper, as well) is that over the years of performing analysis, I've found that as I've maintained a checklist of things to "look for" during an exam, that checklist has grown, become a spreadsheet and continued to grow ... but no matter how well-organized the spreadsheet is, it's still a spreadsheet and doesn't help me perform those checks faster. If I have preconditions (something else that needs to be checked first) listed in the spreadsheet for a specific check, I have to go back into the image, do the initial check and then see if the conditions have been met to perform the check I have listed in that row in the spreadsheet.

Link: Windows Incident Response
