Re: AW: [sleuthkit-users] Win98 registry
From: <sec...@hu...> - 2005-02-13 02:44:04
RegDat did the trick. Thanks a bunch.

In fact, I did not see this documented anywhere, but there were three registry files from the Windows 98 c:\Windows directory that RegDat was able to view: system.dat, user.dat and hwinfo.dat (there was no policy.pol file):

system.dat === HKEY_LOCAL_MACHINE
user.dat ===== HKEY_CURRENT_USER
hwinfo.dat === HKEY_USERS

I installed RegDat on a Win2K machine and copied the *.dat files over and examined them there.

Again, very helpful.

Regards,

SH

On Thu, 10 Feb 2005 05:16:35 -0800 Marcus Müller <mu...@lo...> wrote:
>You can use Regdat from H.Ulbrich for Windows 98 (or RegdatXP for other
>Windows versions) to view the registry from system.dat and user.dat files
>only. You can either extract these files via sleuthkit/autopsy from a dd
>image or use a BartPE Boot CD to access these files. In the latter case you
>should always use a VMWare with a copy of the image as BartPE modifies the
>file system and thus the MD5 values of the image change.
>
>Marcus
>
>> -----Original Message-----
>> From: sle...@li...
>> [mailto:sle...@li...] On behalf of sec...@hu...
>> Sent: Wednesday, 9 February 2005 16:44
>> To: sle...@li...
>> Subject: [sleuthkit-users] Win98 registry
>>
>> Is there a way to view the Windows 98 (or any other version)
>> registry with Sleuthkit? If not, anyone know of a
>> tool/technique (e.g. vmware) where I can mount an image
>> read-only and view its registry?
>>
>> Thanks,
>>
>> SH
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
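
The Sleuth Kit route mentioned in the reply above, as an added example that is not part of the original thread: it locates the allocated registry files in `fls` output, extracts them with `icat`, and confirms the image's MD5 is unchanged afterwards. The function names, the sample listing and the metadata addresses in it are constructed for illustration; `md5sum` is assumed to be available.

```sh
#!/bin/sh
# Added example: copy the Win9x registry files out of a dd image with
# The Sleuth Kit, without mounting or booting the image.
# Function names are hypothetical; the listing below is constructed.

# Constructed sample of `fls -r -p` output: type, metadata address, tab, path.
# A "*" before the address marks a deleted entry.
SAMPLE_FLS=$(printf '%b\n' \
    'd/d 3:\tWINDOWS' \
    'r/r 1042:\tWINDOWS/SYSTEM.DAT' \
    'r/r 1043:\tWINDOWS/USER.DAT' \
    'r/r 1044:\tWINDOWS/HWINFO.DAT' \
    'r/r * 2210:\tWINDOWS/SYSTEM.DA0' \
    'r/r * 1601:\tWINDOWS/USER.DAT' \
    'r/r 1500:\tWINDOWS/SYSBCKUP/SYSTEM.DAT')

# Read `fls -r -p` output on stdin and print "address path" for the
# allocated registry files directly under WINDOWS/ (case-insensitive).
find_reg_files() {
    awk -F'\t' '
        $1 !~ /^r\/r / { next }      # regular files only
        $1 ~ /\*/      { next }      # skip deleted entries
        tolower($2) ~ /^windows\/(system|user|hwinfo)\.dat$/ {
            addr = $1
            sub(/^r\/r /, "", addr)  # drop the type column
            sub(/:$/, "", addr)      # drop the trailing colon
            print addr, $2
        }'
}

# extract_registry IMAGE OUTDIR [SECTOR_OFFSET]
# Returns non-zero if the image hash differs after extraction.
extract_registry() {
    image=$1; outdir=$2; offset=${3:-0}
    before=$(md5sum "$image" | cut -d' ' -f1)
    mkdir -p "$outdir"
    fls -r -p -o "$offset" "$image" | find_reg_files |
    while read -r addr path; do
        icat -o "$offset" "$image" "$addr" > "$outdir/$(basename "$path")"
    done
    after=$(md5sum "$image" | cut -d' ' -f1)
    [ "$before" = "$after" ]         # evidence image must be unchanged
}
```

Pass the partition's starting sector as the third argument when the image is a whole disk rather than a single partition.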