What tool for Registry forensics ?

rihtt

I currently have a Win 7 machine on which I need to find information stored in the registry (probably SAM keys etc. that are not available from user mode).


And btw, I did a full sector-by-sector clone of the C: drive to a .dd file, so I probably need a so-called offline tool to examine the registry. If that's possible, I will also try a live tool right now because time is soon running out.


(The .dd file is a complete disk image saved as the original state, and this is duplicated into copies for later examination without affecting the real system.)




I don't have licensed EnCase/forensic suites.
But there are some open-source tools out there:


Regripper - ForensicsWiki


https://www.researchgate.net/publication/49285198_Forensic_Analysis_of_the_Windows_7_Registry

Anyone with some tips?

Code:
Examples of data I want are the history, autologin, credentials, last network info, etc.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{Wireless - Identifier}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Printers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR
 

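One way to do the offline examination the first post asks about, added here as an example rather than code from anyone in this thread: copy the SOFTWARE and SYSTEM hives out of the mounted .dd image, load the copies under temporary keys with reg.exe, and read the NetworkList profiles and USBSTOR entries listed above from there. The mount point E:, the working folder C:\case\hives and the OFF_SOFTWARE/OFF_SYSTEM key names are assumptions.

```powershell
# Added example (not from the thread): read NetworkList profiles and USBSTOR history
# from the SOFTWARE and SYSTEM hives of an offline image without booting it.
# Assumptions: the .dd image is mounted read-only as E: (image mounter not shown),
# and this runs in an elevated PowerShell on the examiner's machine.
$ImageConfig = 'E:\Windows\System32\config'   # assumed mount point of the image
$Work        = 'C:\case\hives'                # assumed working-copy folder
# Work on copies: reg load needs write access to the hive file, and the image stays pristine.
New-Item -ItemType Directory -Force $Work | Out-Null
Copy-Item "$ImageConfig\SOFTWARE", "$ImageConfig\SYSTEM" $Work

# Load the copies under temporary keys; the examiner's own live hives stay untouched.
reg load HKLM\OFF_SOFTWARE "$Work\SOFTWARE" | Out-Null
reg load HKLM\OFF_SYSTEM   "$Work\SYSTEM"   | Out-Null

# DateCreated / DateLastConnected are REG_BINARY SYSTEMTIME structs: eight little-endian
# 16-bit fields (year, month, day-of-week, day, hour, minute, second, milliseconds).
function ConvertFrom-SystemTime([byte[]]$b) {
    if (-not $b -or $b.Length -lt 16) { return $null }
    $f = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($b, $_ * 2) }
    Get-Date -Year $f[0] -Month $f[1] -Day $f[3] -Hour $f[4] -Minute $f[5] -Second $f[6]
}

try {
    # Networks the machine joined, with first and last connection times.
    $nl = 'HKLM:\OFF_SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
    Get-ChildItem "$nl\Profiles" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid          = $_.PSChildName
            Name          = $p.ProfileName
            Created       = ConvertFrom-SystemTime $p.DateCreated
            LastConnected = ConvertFrom-SystemTime $p.DateLastConnected
        }
    } | Sort-Object LastConnected | Format-Table -AutoSize
    # USB mass-storage devices ever enumerated: key names carry vendor/product, subkeys the serial.
    # ControlSet001 as in the thread; HKLM:\OFF_SYSTEM\Select\Current names the last-booted set.
    Get-ChildItem 'HKLM:\OFF_SYSTEM\ControlSet001\Enum\USBSTOR' | ForEach-Object {
        $dev = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{ Device = $dev; Serial = $_.PSChildName
                               FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName }
        }
    } | Format-Table -AutoSize
}
finally {
    # Always detach the hives, or the copied files stay locked.
    reg unload HKLM\OFF_SOFTWARE | Out-Null
    reg unload HKLM\OFF_SYSTEM   | Out-Null
}
```

The same reg load approach works for a user's NTUSER.DAT from the image's profile folder, which is the hive behind the HKEY_USERS\S-1-5-21-... keys.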
You don't say what you are actually looking for; without that it's hard to say.
 

I/E credentials
I/E autologins
I/E history
I/E downloaded files - source URL - (found 2 links when typing this)

*that gave me a lot of info about the webmail visited and info about that client, inbox structure etc.



USB devices
Internet /home network



You know... these kinds of things:

:sarc:

HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Internet Explorer\TypedURLs
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKEY_USERS\S-1-5-21-[User Identifier]\Software\WinRAR\ArcHistory
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.jpg
HKEY_USERS\S-1-5-21-[User Identifier]\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 

Take a look at Nir Sofer's website, a plethora of free tools.
NirSoft
 

I suppose Hiren's Bootcd could load the registry hives. Tools at the Nirsoft site could do it too.
 

We don't know why you want to do this, as it may be a criminal offence.
 

I suppose Hiren's Bootcd could load the registry hives. Tools at the Nirsoft site could do it too.

I did not find any on my Hiren's USB stick.
(But that's an old version.)



Take a look at Nir Sofer's website, plethora of free tools.
NirSoft

Ok thanks.


I'll continue searching and will examine the disk image that I took.
 

Why not use regedit? :confused:
 

Why not use regedit? :confused:


Why not read?

https://www.researchgate.net/publication/49285198_Forensic_Analysis_of_the_Windows_7_Registry


I am no expert, but I have covered enough information on this matter in the last 5 years to know that it's a little more than that, when it comes to information stored in the Windows registry.


Some whitepapers, real forensic reports from actual crime cases, and also the research analysis linked in this very thread show that there is lots of data that's not available with regedit.


There are some values that simply can't be read from a live system at all,
nor from a user-mode request on a Windows system...





Therefore, for the reason mentioned, some tools (like AccessData Registry Viewer,
FTK Toolkit and more utilities) exist, used and created by professional forensic engineers.






or should they instead call you and use regedit? :sarc:
 
It is an entirely reasonable response to your preceding post #7.

If you can spare a moment from being a jerk, you could see if running regworkshop in winpe will do what you want.

Registry Workshop | www.torchsoft.com
 
