RE: [sleuthkit-users] Win98 registry
From: Schmitt, B. <ben...@td...> - 2005-02-09 17:38:24
There are a couple of options but none appear to be easy right now:

1. A component of the Wine project appears to have registry support beginning with Windows 3.1: registry.c
   The source can be found in the misc directory of the latest Wine tarball. It appears not to be a standalone tool but a component of Wine itself - re-coding will be required.

2. Peter Nordahl's NT password tool may help but its support of the Win98 registry is unknown: http://home.eunet.no/~pnordahl/ntpasswd/
   You can get the source and look @ the chntpw.c/ntreg.c files - they are components of a registry viewer and writer and will certainly work on NT and newer systems. You can download the binaries or source from the URL above.

3. Samba has registry support in its editreg.c tool: /current_samba_tarrball/source/utils/editreg.c - brief tracing of the code shows that Win98 support isn't there.

I am currently working on a tool to create registry "timelines" on the *nix platform to complement mactime output from the file system. The registry can't provide full MAC times but can provide LastWrite time on keys. Once I complete that part, perhaps the next step is to meet the need you have expressed below (read-only registry viewing on all Windows platforms from *nix).

-- ben

> Is there a way to view the Windows 98 (or any other version)
> registry with Sleuthkit? If not, anyone know of a
> tool/technique (e.g. vmware) where I can mount an image
> read-only and view its registry?
>
> Thanks,
>
> SH
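The following is an added example, not part of the original post and not the tool its author describes: a read-only Python sketch of pulling per-key LastWrite times out of an NT-format hive to build a timeline. It assumes the commonly documented "regf" layout (4096-byte base block, "hbin" bins, "nk" key cells); the function names are hypothetical and the sample hive is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x0020  # nk flag: name stored as 8-bit text, not UTF-16LE

def filetime_to_dt(ft):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_nk(hive, off):
    """off points at the 'nk' signature; LastWrite is at +4, name at +76."""
    flags, ft = struct.unpack_from("<HQ", hive, off + 2)
    name_len = struct.unpack_from("<H", hive, off + 72)[0]
    raw = hive[off + 76:off + 76 + name_len]
    codec = "latin-1" if flags & KEY_COMP_NAME else "utf-16-le"
    return filetime_to_dt(ft), raw.decode(codec, "replace")

def key_timeline(hive):
    """(LastWrite, key name) for every allocated nk cell, oldest first."""
    if hive[:4] != b"regf":
        raise ValueError("not an NT-format (regf) hive")
    rows, pos = [], 4096                      # bins follow the 4096-byte base block
    while hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        if bin_size < 32:
            break                             # corrupt bin header, stop walking
        cell, end = pos + 32, pos + bin_size
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0:
                break
            if size < 0 and hive[cell + 4:cell + 6] == b"nk":   # negative = allocated
                rows.append(parse_nk(hive, cell + 4))
            cell += abs(size)
        pos = end
    return sorted(rows)

# --- constructed sample hive (not from a real system) ---
def _nk(name, when):
    ft = int((when - EPOCH_1601).total_seconds()) * 10**7
    body = b"nk" + struct.pack("<HQ", KEY_COMP_NAME, ft) + b"\0" * 60
    body += struct.pack("<HH", len(name), 0) + name.encode("ascii")
    size = (4 + len(body) + 7) & ~7           # cells are 8-byte aligned
    return struct.pack("<i", -size) + body.ljust(size - 4, b"\0")

_cells = _nk("Run", datetime(2005, 2, 8, 23, 15, tzinfo=timezone.utc)) + \
         _nk("Services", datetime(2005, 1, 3, 9, 0, tzinfo=timezone.utc))
_free = 4096 - 32 - len(_cells)
SAMPLE_HIVE = (b"regf".ljust(4096, b"\0") + b"hbin" + struct.pack("<II", 0, 4096)
               + b"\0" * 20 + _cells + struct.pack("<i", _free).ljust(_free, b"\0"))
```

Calling `key_timeline(SAMPLE_HIVE)` returns the two constructed keys ordered by LastWrite; a file without the "regf" signature is rejected rather than guessed at.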