Forensic Review with Notepad++

Grandad's text editor
For those of you using a Windows workstation for digital forensics, you've most likely found a better text editor than notepad. A good text editor can help make short work of parsing log files or RegRipper reports from Autopsy. If you haven't found one yet or are looking to make a change, I highly recommend Notepad++. It's much more useful right out of the box than what you're likely to find shipping natively with Windows. Adding the Plugin Manager makes it very extensible, but there's a caveat...

The Plugin Manager is itself a third-party plugin and used to be included with the 32-bit version of Notepad++. Many who jumped on board the 64-bit version when it was first released were a bit disappointed that it didn't come with a plugin manager at all. The inclusion never happened as far as I'm aware, however, and it has even been removed from the 32-bit version. Don't worry, as there's nothing wrong with Plugin Manager and it's still a well-maintained plugin. The issue had to do with included advertising. The company that provides support to many of the existing plugins wanted a small ad at the bottom of Plugin Manager as a way to potentially generate revenue and help offset costs. No real problem there, as most of us who use tools that are either freeware or Free and Open Source Software (FOSS) are interested in supporting the hands that feed us. Notepad++ is very proudly FOSS and the maintainers seemed to feel they might be sending mixed messages. Then again, maybe it was due to some sort of fight between the two camps and nothing to do with the advertising, since they're both FOSS projects. I don't know for certain and it's not really material to our purposes here. What matters at the moment is getting Plugin Manager installed and working, then adding some plugins that I've found to be useful during forensic exams and analysis.

Notepad++ and Plugin Manager can be obtained from the links provided in the first paragraph. Be sure to go to the Notepad++ Downloads page to determine which download you're most interested in. Usually one of the EXE installers will be it. If you have an AMD64 machine and a 64-bit version of Windows, which is almost every computer, I recommend the 64-bit EXE installer. The catch here is that plugins must be written for a 64-bit platform as well in order to be available if you go that route. There are fewer 64-bit plugins available as of this writing than 32-bit plugins, but that will surely change as time goes on. Run the installer as you normally would.

CAUTION: I proceed here under the assumption that you're a digital forensic examiner with an A+/sysadmin level of expertise when it comes to installing software on your workstation. Regardless, make sure you're comfortable maintaining a Windows-powered machine at least at a "power user" level before going any further.

With Notepad++ installed and fully updated, go to the Plugin Manager releases page on GitHub and download whichever build is appropriate for your installation. I recommend the latest version for best results. From here on out, I'll assume you're using Windows 10 64-bit. You'll find the installation directory under "C:\Program Files\Notepad++\". Unpack the Plugin Manager ZIP file you downloaded from GitHub, then open the resulting folder titled "PluginManager_v1.4.11_x64" or whatever version number you selected. Inside this directory are two subdirectories with one file each: "plugins\PluginManager.dll" and "updater\gpup.exe". Copy "PluginManager.dll" to "C:\Program Files\Notepad++\plugins" and copy "gpup.exe" to "C:\Program Files\Notepad++\updater". You'll have to accept a few UAC dialogs and may need to click through for more information in order to see the acceptance button. This is especially important because if any part of this install isn't allowed, none of it will work. Be prepared to make similar choices when new plugins are added.
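The same two-file copy, scripted in PowerShell as an added example (not from the original post or the Plugin Manager project), with a SHA-256 hash and Authenticode check recorded for each file before it lands in Program Files. It assumes the ZIP was saved to your Downloads folder, that it unpacks to the folder name given above, and that you run it from an elevated PowerShell session.

```powershell
# Added example: install Plugin Manager into the 64-bit Notepad++ directory
# described in the post, verifying what is copied. Assumed locations below.
$zip  = Join-Path $env:USERPROFILE 'Downloads\PluginManager_v1.4.11_x64.zip'
$root = Join-Path $env:TEMP 'PluginManager_v1.4.11_x64'   # assumed top-level folder in the ZIP
$npp  = 'C:\Program Files\Notepad++'

Expand-Archive -Path $zip -DestinationPath $env:TEMP -Force

# Each extracted file and the Notepad++ subdirectory the post says it belongs in.
$files = @{
    'plugins\PluginManager.dll' = Join-Path $npp 'plugins'
    'updater\gpup.exe'          = Join-Path $npp 'updater'
}

foreach ($rel in $files.Keys) {
    $src = Join-Path $root $rel
    if (-not (Test-Path $src)) { throw "Missing from archive: $rel" }

    # Record the hash and signature state of the binary before placing it
    # in Program Files, so the install can be audited later.
    $hash = (Get-FileHash -Path $src -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $src).Status
    Write-Host ("{0}`n  SHA256: {1}`n  Authenticode: {2}" -f $rel, $hash, $sig)

    Copy-Item -Path $src -Destination $files[$rel] -Force
}

# Confirm both files ended up where Notepad++ expects them.
foreach ($rel in $files.Keys) {
    $dst = Join-Path $files[$rel] (Split-Path $rel -Leaf)
    if (Test-Path $dst) { Write-Host "OK        $dst" }
    else                { Write-Warning "NOT FOUND $dst" }
}
```

An Authenticode status of NotSigned is not unusual for a FOSS plugin; the point is to know that before trusting the DLL, and to keep the hash with your workstation's build notes.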

Once everything is in place, launch Notepad++ (or relaunch it if it was open already). The new Plugin Manager can be found in the main menu under "Plugins > Plugin Manager". Running this brings up the dialog to add, remove, or update plugins. I've added an illustration here of my installed plugins, many of which I use forensically. Each plugin listed in Plugin Manager shows a brief description of what it does when highlighted. Installation of plugins from this point will be automated, but again, expect Windows UAC dialogs you'll have to accept in order to complete each installation. Beyond that, find each plugin under the Plugins main menu entry and explore the options and settings. DSpellCheck, which comes bundled with Notepad++, doesn't check spelling automatically; that option must be enabled in its settings in order to take advantage of it. The main settings for Notepad++ may need some tweaking as well. For example, I don't generally use it for writing code, so I turn off Auto-Completion under "Settings > Preferences..." to save myself from being annoyed when Notepad++ automatically closes parentheses or quotes each time I type one.

Recommended Plugins
If you decide you like these tools and find them useful in your work, consider supporting the projects either by contributing code or in some other way. For example, here's Notepad++'s donation page. As a matter of disclaimer, I'm not affiliated with either project.
