

Windows 7: What tool for Registry forensics ?

4 Weeks Ago   #1
rihtt

windows 7 Professional x64
 
 
What tool for Registry forensics ?

I currently have a Win 7 machine on which I need to find information stored in the
registry (probably SAM keys etc. that are not available in user mode).


And btw, I did a full sector-by-sector clone of the C: drive to a .dd file, so I probably need a
so-called offline tool to examine the registry. If that's possible, I will also try a live tool right now because time is soon running out.


(The .dd file is a complete disk image saved as the original state, and this is duplicated into copies for later examination without affecting the real system.)




I don't have licensed EnCase/forensic suites.
But there are some open-source tools out there:


Regripper - ForensicsWiki


https://www.researchgate.net/publica...ows_7_Registry

Anyone with some tips?

Code:
Examples of data I want are history, autologin, credentials, last network info, etc.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{Wireless - Identifier}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR

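As an added example (not code from the thread or from any tool named in it), a small Python parser for the base block of a hive file carved out of the .dd image. Before trusting what an offline tool shows, an examiner wants to know whether the hive's `regf` checksum is intact and whether its primary and secondary sequence numbers agree; a mismatch means the hive was not cleanly flushed, so the newest writes exist only in the transaction logs next to it. The sample header built at the end is constructed here, not taken from any real system.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 512        # the REGF base block occupies the hive's first sector
CHECKSUM_OFFSET = 0x1FC  # last dword of the base block holds the checksum
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def regf_checksum(block: bytes) -> int:
    """XOR of the 127 dwords before the checksum field; the two reserved
    results are remapped the same way the kernel does it."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_regf_header(block: bytes) -> dict:
    """Decode the base block fields a forensic examiner checks first."""
    if len(block) < HEADER_SIZE or block[:4] != b"regf":
        raise ValueError("not a REGF base block")
    (seq1, seq2, ft, major, minor, ftype, _fmt,
     root_off, hbins_len) = struct.unpack_from("<IIQIIIIII", block, 4)
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "primary_seq": seq1, "secondary_seq": seq2,
        "dirty": seq1 != seq2,          # unflushed writes live only in the .LOG files
        "last_written": filetime_to_datetime(ft),
        "version": f"{major}.{minor}",
        "is_primary_file": ftype == 0,
        "root_cell_offset": root_off,   # relative to the hive bins at file offset 4096
        "hbins_size": hbins_len,
        "hive_name": block[0x30:0x70].decode("utf-16-le").rstrip("\x00"),
        "checksum_ok": stored == regf_checksum(block),
    }

def build_sample_header(seq1: int, seq2: int) -> bytes:
    """Constructed sample base block (not taken from any real system)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = b"regf"
    delta = datetime(2017, 1, 1, tzinfo=timezone.utc) - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    struct.pack_into("<IIQIIIIII", hdr, 4, seq1, seq2, ft, 1, 3, 0, 1, 0x20, 0x1000)
    hdr[0x30:0x3C] = "SYSTEM".encode("utf-16-le")
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, regf_checksum(bytes(hdr)))
    return bytes(hdr)
```

To run it against a real hive, read the first 512 bytes of the file extracted from the image and pass them to `parse_regf_header`.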
4 Weeks Ago   #2
samuria

win 8 32 bit
 
 

You don't say what you are actually looking for; without that it's hard to say.
4 Weeks Ago   #3
rihtt

windows 7 Professional x64
 
 

I/E credentials
I/E autologins
I/E history
I/E downloaded files -source URL - (found 2 links when typing this)

*That gave me a lot of info about the webmail visited and info about that client, inbox structure etc.



USB devices
Internet /home network



You know... these kinds of things:

HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Internet Explorer\TypedURLs
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKEY_USERS\S-1-5-21-[User Identifier]\Software\WinRAR\ArcHistory
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

4 Weeks Ago   #4
Snick

Win 10 x64, Linux Lite, Win 7 x64, BlackArch, Kali, VMWare Workstation Player, OpenVPN
 
 

Take a look at Nir Sofer's website, plethora of free tools.
NirSoft
4 Weeks Ago   #5
F22 Simpilot

Windows 7 Ultimate x64
 
 

I suppose Hiren's Bootcd could load the registry hives. Tools at the Nirsoft site could do it too.
4 Weeks Ago   #6
samuria

win 8 32 bit
 
 

We don't know why you want to do this, as it may be a criminal offence.
3 Weeks Ago   #7
rihtt

windows 7 Professional x64
 
 

Quote: Originally Posted by F22 Simpilot
I suppose Hiren's Bootcd could load the registry hives. Tools at the Nirsoft site could do it too.
I did not find any on my Hiren's USB stick.
(But that's an old version.)



Quote: Originally Posted by Snick
Take a look at Nir Sofer's website, plethora of free tools.
NirSoft
Ok, thanks.


I'll continue searching and will examine the disk image that I took.
3 Weeks Ago   #8
SIW2

Microsoft Community Contributor Award Recipient

Vista x64 / 7 X64
 
 

Why not use regedit?
3 Weeks Ago   #9
rihtt

windows 7 Professional x64
 
 

Quote: Originally Posted by SIW2
Why not use regedit?

Why not read ?

https://www.researchgate.net/publica...ows_7_Registry


I am no expert, but I have covered enough information on this matter over the last 5 years to know that it's a little more than that when it comes to information stored in the Windows registry.


Some whitepapers, real forensic reports from actual crime cases, and also the research analysis linked in this very thread show that there is lots of data that's not available with regedit.


There are some values that simply can't be read from a live system at all,
nor from a user-mode request on a Windows system...





Therefore, for the reason mentioned, some tools (like AccessData Registry Viewer,
FTK Toolkit and more utilities) exist, used and created by professional forensic engineers.





Imgur: The magic of the Internet

or should they instead call you and use regedit ?
3 Weeks Ago   #10
SIW2

Microsoft Community Contributor Award Recipient

Vista x64 / 7 X64
 
 

It is an entirely reasonable response to your preceding post #7.

If you can spare a moment from being a jerk, you could see if running regworkshop in winpe will do what you want.

Registry Workshop | www.torchsoft.com