Re: [sleuthkit-users] Win98 registry
From: Jon N. <qu...@li...> - 2005-02-10 02:50:52
Seth Arnold said:
> On Wed, Feb 09, 2005 at 07:44:29AM -0800, sec...@hu... wrote:
>> Is there a way to view the Windows 98 (or any other version)
>> registry with Sleuthkit? If not, anyone know of a tool/technique
>> (e.g. vmware) where I can mount an image read-only and view its
>> registry?
>
> You could extract the registry files (memory fails me, but something
> like user.dat and system.dat comes to mind) from the system using
> sleuthkit and then import them into another Windows system for viewing.

Uhhhhh...Just so you know that will hose the current registry on the Win98
box.

From http://www.microsoft.com/technet/archive/win98/maintain/reg.mspx :

----------------------snip-------------------snip--------------------------
Often, the best tools for the job aren't programs at all; they're scripts,
INF files, and REG files. You use these files to specify changes to the
Registry. When you run, install, or import these files, the operating
system implements the changes that you describe in the file. These are
particularly hard-working tools for administrators because they enable you
to distribute changes to users across the network.
----------------------snip-------------------snip--------------------------

If you make a backup before you import and then restore it before
rebooting you should be ok. That page has info on some Window$ tools to
parse the registry.

Jon

>
> (I think EnCase has history tools for the registry, but I can't promise
> that.)
>