What tool for Registry forensics ?

I currently have a win 7 machine that I need to find information stored in the
registry (probably SAM-keys etc thats not available for a user mode)


And btw, I did a full sector-by-sector clone of a C:/drive to .dd file so I probably need a
so called offline tool to examine the register. If thats possible, I will also try a live-tool right now because time is son running out


(the .dd file is a complete disk image as the state-of- saved as a original, and this is duplicated to copies for later examinations without affecting the real system)




I´dont have licensed Encase/forensic suits.
But there are some open-source tools out there


Regripper - ForensicsWiki


https://www.researchgate.net/publica...ows_7_Registry

Anyone with some tips?

Code:

Examples of data I want is the history, autologin,credentials, last network info, etc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{Wireless - Identifier}


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR

You don't say what you are actually looking for without that it's hard to say

I/E credentials
I/E autologins
I/E history
I/E downloaded files -source URL - (found 2 links when typing this)

*that gave me lot of info about the webmail visited and info about that client,inbox strucutre etc



USB devices
Internet /home network



You know....these kind of things:



HKEY_USERS\S-1-5-21-[User Identifier] \Software\Microsoft\Internet Explorer\TypedURLs



HKEY_USERS\S-1-5-21-[User Identifier] \Software \Microsoft \Windows\CurrentVersion\Explorer\Map Network Drive MRU

HKEY_USERS\S-1-5-21-[User Identifier] \Software \WinRAR \ArcHistory






HKEY_USERS\S-1-5-21-[User Identifier] \Software \Microsoft \Windows\CurrentVersion\Explorer\RecentDocs\.zip



HKEY_USERS\S-1-5-21-[User Identifier] \Software \Microsoft \Windows\CurrentVersion\Explorer\RecentDocs\.zip



HKEY_USERS\S-1-5-21-[User Identifier] \Software \Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt



HKEY_USERS\S-1-5-21-[User Identifier] \Software \Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg




HKEY_USERS\S-1-5-21-[User Identifier] \Software \Microsoft \Windows\CurrentVersion\Explorer\RunMRU

I suppose Hiren's Bootcd could load the registry hives. Tools at the Nirsoft site could do it too.

We don't know why you want to do this as it may be a criminal offence

F22 Simpilot said:

I suppose Hiren's Bootcd could load the registry hives. Tools at the Nirsoft site could do it too.

I did not find any in my Hireens USB-stick.
(But thats an old version)

Snick said:

Take a look at Nir Sofer's website, plethora of free tools.
NirSoft

Ok thanks.


I´ continue searching and will examine the disk_image that I took.