While we're on the subject of the Registry, a good friend of mine contacted me last week with an issue. Apparently, he was working on an examination in which a key factor of the case was determining if and when the user had uninstalled Firefox. According to him, "...install and uninstall dates of programs are of great interest. This will also show destruction of evidence and add additional charges to cases. It also increases sentences sometimes by 2x." To help him out, I wrote a plugin that would parse the default browser information from the Registry, but then I compiled the (as-yet-unreleased, still-private, not-even-in-beta) ripxp code, which he used and said worked like a champ!
Wednesday, November 12, 2008
More Deleted Keys Goodness!
Something to watch for...
Labels: forensic tools, registry