sleuthkit-users

[sleuthkit-users] Win98 registry

[<sec...@hu...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is there a way to view the Windows 98 (or any other version)
registry with Sleuthkit? If not, anyone know of a tool/technique
(e.g. vmware) where I can mount an image read-only and view its
registry?

Thanks,

SH
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkIJ6ZIACgkQRBFe1uc9INpPFACaAhldqv0Yb2JxlqmJwsq0Hn3+raoA
niw5NrV1kq+QyP5nerbhPF7qC0ZA
=YNxW
-----END PGP SIGNATURE-----

Re: [sleuthkit-users] Win98 registry

[Seth A. <sa...@im...>]

On Wed, Feb 09, 2005 at 07:44:29AM -0800, sec...@hu... wrote:
> Is there a way to view the Windows 98 (or any other version)
> registry with Sleuthkit? If not, anyone know of a tool/technique
> (e.g. vmware) where I can mount an image read-only and view its
> registry?

You could extract the registry files (memory fails me, but osmething
like user.dat and system.dat comes to mind) from the system using
sleuthkit and then import them into another windows ssystem for viewing.

(I think encase has history tools for the registry, but i can't promise
that.)

AW: [sleuthkit-users] Win98 registry

[<mu...@lo...>]

You can use Regdat from H.Ulbrich for Windows 98 (or RegdatXP for other
Windows versions) to view the registry from system.dat and user.dat =
files
only. You can either extract these files via sleuthkit/autopsy from a dd
image or use a BartPE Boot CD to access these files. In the latter case =
you
should always use a VMWare with a copy of the image as BartPE modifies =
the
file system and thus the MD5 values of the image changes.

Marcus

> -----Urspr=FCngliche Nachricht-----
> Von: sle...@li...=20
> [mailto:sle...@li...] Im=20
> Auftrag von sec...@hu...
> Gesendet: Mittwoch, 9. Februar 2005 16:44
> An: sle...@li...
> Betreff: [sleuthkit-users] Win98 registry
>=20
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>=20
> Is there a way to view the Windows 98 (or any other version)=20
> registry with Sleuthkit? If not, anyone know of a=20
> tool/technique (e.g. vmware) where I can mount an image=20
> read-only and view its registry?
>=20
> Thanks,
>=20
> SH
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at=20
> https://www.hushtools.com/verify
> Version: Hush 2.4
>=20
> wkYEARECAAYFAkIJ6ZIACgkQRBFe1uc9INpPFACaAhldqv0Yb2JxlqmJwsq0Hn3+raoA
> niw5NrV1kq+QyP5nerbhPF7qC0ZA
> =3DYNxW
> -----END PGP SIGNATURE-----
>=20
>=20
>=20
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide Read honest &=20
> candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=3D6595&alloc_id=3D14396&op=3Dclick
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Re: [sleuthkit-users] Win98 registry

[Nathan C. <na...@cc...>]

On Wed, 2005-02-09 at 07:44 -0800, sec...@hu... wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Is there a way to view the Windows 98 (or any other version)
> registry with Sleuthkit? If not, anyone know of a tool/technique
> (e.g. vmware) where I can mount an image read-only and view its
> registry?
> 
> Thanks,
> 
> SH

Off the top of my head two programs exist on linux that understand the
windows registry format;

This is primarily concerned with editing NT hashes but obviously
understands the reg format;

http://home.eunet.no/~pnordahl/ntpasswd/editor.html

and this one which mounts registry files under linux (which I think is a
much better idea as it allows searching etc using standard fs tools
(grep etc.);

http://www.bindview.com/Support/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm

unfortunately it hasn't been updated for a while and only runs on
2.2/2.3 kernels although I did hack it to run on 2.4.

regards,

Nathan.
---
Computer Crime Consultants Ltd
http://www.ccc-ltd.com

Support the fight against software patents:
http://www.NoSoftwarePatents.com
http://swpat.ffii.org

Re: [sleuthkit-users] Win98 registry

[Nathan C. <na...@cc...>]

Well I should really have preempted the requests for the 2.4 hack for
the ntreg driver. So here it is;

I am not supporting this hack in any way, if it doesn't work for you
then tough luck. If you want to run with this then good luck.

regards,

Nathan

--
Computer Crime Consultants Ltd
http://www.ccc-ltd.com

Support the fight against software patents:
http://www.NoSoftwarePatents.com
http://swpat.ffii.org