Wednesday, March 28, 2012

VSC Toolset Update

I've updated VSC Toolset with a couple of new features, including integrating some new scripts with it.  You can now choose a specific RegRipper plugin to run against one or more VSCs (specifying either the NTUSER.DAT hive or one of the hives in the config directory).  I've also incorporated link file parsing (thanks to Corey for the batch file and script) and the ability to run diff.exe against two shadow copies to see only the differences between the two.  Running diff against VSCs was one of my favorite features that Corey covered in his VSC series and I wanted to make a point to incorporate it in the GUI.  It's quite time consuming to do this, but it can be helpful if you're interested in exactly which files have changed between VSCs.  If you decide to run diff using VSC Toolset, the GUI will appear unresponsive while it's running.  I will eventually need to make the app multi-threaded to avoid this, but I have confirmed that this command does work with VSC Toolset (at least in the test runs that I've completed).

One change I've made that will affect those deciding to extend VSC Toolset by writing their own batch files is that I've specified a directory called "~LinkedVSC" that is created in the root of the "C:\" drive to hold all symbolic links to VSCs.  The main reason for this is to enable a user to simply add this directory as evidence in another application such as FTK Imager if they are interested in taking a look at all linked VSCs.  I ran into the annoyance of having to add C:\vsc1, C:\vsc2, etc. to other applications individually instead of being able to add them all at the same time, so I created a directory to store all symbolic links to VSCs.  This doesn't make a huge difference in writing batch files for VSC Toolset; you'll just need to make sure you reference the symbolic link as "C:\~LinkedVSC\vsc%1" instead of "C:\vsc%1".

A couple of other minor improvements include not listing drive letters that do not make sense to list (non-local drives, etc.) and including the volume label beside the drive letter for easier identification.  Additionally, the second and third parameter text boxes and labels are only shown when applicable (and customized when shown).  For example, selecting "RegRipper-ntuser" from the command drop-down box displays a single text box labeled "User Name".  Selecting "RegRipper-plugin(config_dir)" displays two text boxes labeled "Hive Name" and "Plugin Name", respectively.  If a command does not require user-specified parameters, no text boxes are shown.  This will hopefully make it easier for those who may not be as familiar with running some of the commands that are integrated with VSC Toolset, but will likely just serve as a reminder for most.  Note that if a custom batch file is being used (one that is not currently integrated with VSC Toolset), both parameter text boxes will be displayed.

To take advantage of the LinkFiles.bat and Diff.bat scripts, you'll need to download the respective Perl script and executable.  You can download lslnk-directory-parse2.pl from the Win4n6 Yahoo Group under Files\Tools; you can download diff.exe from UnxUtils.  Both the Perl script and the executable will need to be in the same directory as the VSC Toolset executable.  Also, note that you will need ActiveState Perl or something similar to run the link file parsing command since it's a Perl script.  As with the previous version, you can simply copy all RegRipper files into the "regripper" folder that is included with the VSC Toolset download.  You can download the latest version of VSC Toolset here.
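As an added illustration of the custom batch file convention described above (example code written for this post, not a script from the VSC Toolset download), here is a batch file that takes the VSC number VSC Toolset passes as %1 plus the two custom-command parameters (hive name and plugin name) and runs that RegRipper plugin against the hive inside the linked shadow copy. It assumes the hive lives under Windows\System32\config inside the VSC and that rip.exe sits in the "regripper" folder beside the VSC Toolset executable.

```batch
@echo off
REM Added example: custom VSC Toolset batch file, not part of the VSC Toolset download.
REM %1 = VSC number supplied by VSC Toolset (used to build the symbolic link path)
REM %2 = hive name in the config directory, e.g. SOFTWARE or SYSTEM ("Hive Name" text box)
REM %3 = RegRipper plugin to run ("Plugin Name" text box)
REM Assumption: VSC Toolset has already created the link C:\~LinkedVSC\vsc%1
REM Assumption: rip.exe is in the "regripper" folder next to the VSC Toolset executable
setlocal

if "%~3"=="" (
    echo Usage: %~nx0 ^<vsc number^> ^<hive name^> ^<plugin name^>
    exit /b 1
)

set "LINK=C:\~LinkedVSC\vsc%1"
set "HIVE=%LINK%\Windows\System32\config\%2"
set "OUT=vsc%1_%2_%3.txt"

REM Fail clearly if the symbolic link for this VSC was never created
if not exist "%LINK%\" (
    echo Linked VSC not found: %LINK%
    exit /b 1
)

REM Fail clearly if the requested hive is not present in this shadow copy
if not exist "%HIVE%" (
    echo Hive %2 not found in VSC %1: %HIVE%
    exit /b 1
)

echo Running RegRipper plugin %3 against %HIVE%
regripper\rip.exe -r "%HIVE%" -p %3 > "%OUT%"
if errorlevel 1 (
    echo rip.exe reported an error for VSC %1
    exit /b 1
)
echo Output written to %OUT%
endlocal
```

Because the VSC number is the first parameter, the same file works unchanged when VSC Toolset runs it against several shadow copies in turn, producing one output file per VSC.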

2 comments:

  1. Hi Jason,

    the download link for the latest version https://www.sugarsync.com/pf/D7238600_4906322_67492?directDownload=true
    is unfortunately no longer available.
    Can you please renew it?

    Regards,
    SB

    1. Hi,

      The link should be available again, thanks for pointing that out.