Re: [sleuthkit-users] Win98 registry
From: Nathan C. <na...@cc...> - 2005-02-11 13:44:02

On Wed, 2005-02-09 at 07:44 -0800, sec...@hu... wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is there a way to view the Windows 98 (or any other version)
> registry with Sleuthkit? If not, anyone know of a tool/technique
> (e.g. vmware) where I can mount an image read-only and view its
> registry?
>
> Thanks,
>
> SH

Off the top of my head, two programs exist on Linux that understand the
Windows registry format.

This one is primarily concerned with editing NT hashes but obviously
understands the reg format:

http://home.eunet.no/~pnordahl/ntpasswd/editor.html

and this one mounts registry files under Linux (which I think is a much
better idea, as it allows searching etc. using standard fs tools (grep
etc.)):

http://www.bindview.com/Support/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm

Unfortunately it hasn't been updated for a while and only runs on 2.2/2.3
kernels, although I did hack it to run on 2.4.

regards,

Nathan.

---
Computer Crime Consultants Ltd
http://www.ccc-ltd.com

Support the fight against software patents:
http://www.NoSoftwarePatents.com
http://swpat.ffii.org