Re: Retrieving Windows Registry On Secondary Drive

Date: 12/01/02

Date: Sun, 1 Dec 2002 08:28:43 -0500

> A little off-topic I know, but it's part of a forensic exam:
> If I have a PC (Win XP) where I inserted a secondary HD that was the
> drive on another system, is there any way to retrieve the registry
> that was stored on that drive?

I notice your return email address is "Network Tiger Teams". You aren't
learning while you charge people for your services, are you? If so, shame on you.

Yes, there are a number of ways and tools to do this. I would hope that any
professional forensic software such as Encase would let you do this. I
think you could also use any number of DOS and windows registry editors,
possibly even including just using the regular REGEDIT or REGEDT32 programs
to open the files.

Note that AFAIK it's usually not normal to do the initial forensic analysis
by putting the hard drive into an XP computer, since XP can modify the hard
drive while you look at it. I suppose doing this could be something to try
only after you've done the regular methods, if you feel there's a piece of
information you didn't get through the regular methods. I think it is more
common to boot to *nix or forensic software like Encase instead of Windows,
or if you must use Windows, mount the drive as read only on a *nix computer
and share it out using Samba.
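The reply above recommends reading the hives from a read-only mount rather than loading them into the examining machine's own registry. The script below is an added example for this thread, not code from the original poster or from any of the tools mentioned: it parses a raw regf hive file directly from disk (the base block and the root key) and reports what an examiner checks first: the hive's embedded name and version, its last-write time, whether the base-block checksum is intact, and whether the primary and secondary sequence numbers agree (they differ when the hive was not cleanly flushed and its transaction log has not been replayed). The sample hive, its "SYSTEM" name, its "ROOT" key and its timestamp are constructed inline so the example runs offline; they are made-up data, not anything recovered from a real drive.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_SIZE = 4096   # the regf header occupies the first 4 KiB
HBIN_HEADER_SIZE = 32    # each hive bin starts with a 32-byte "hbin" header
NK_HEADER_SIZE = 76      # fixed part of a key node ("nk") cell
KEY_COMP_NAME = 0x0020   # nk flag: key name stored as 8-bit chars, not UTF-16
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs in bytes 0..507 of the base block,
    with the two reserved results remapped the way the kernel does it."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_hive(data: bytes) -> dict:
    """Parse the base block and the root key of a regf hive held in memory."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a regf hive")
    base = data[:BASE_BLOCK_SIZE]
    (seq1, seq2, ft, major, minor, ftype, fmt,
     root_off, bins_size) = struct.unpack_from("<IIQIIIIII", base, 4)
    # Embedded file name: up to 64 bytes of UTF-16LE at offset 48.
    hive_name = base[48:112].decode("utf-16-le", "replace").split("\x00", 1)[0]
    stored_csum = struct.unpack_from("<I", base, 508)[0]

    # Cell offsets in the header are relative to the hive bins data, which
    # starts right after the base block with an "hbin" signature.
    if data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] != b"hbin":
        raise ValueError("first hive bin signature missing")
    cell_abs = BASE_BLOCK_SIZE + root_off
    cell_size = struct.unpack_from("<i", data, cell_abs)[0]  # negative = allocated
    if cell_size >= 0:
        raise ValueError("root cell is not allocated")
    nk = data[cell_abs + 4:cell_abs + abs(cell_size)]
    if nk[:2] != b"nk":
        raise ValueError("root cell is not a key node")
    flags = struct.unpack_from("<H", nk, 2)[0]
    subkeys = struct.unpack_from("<I", nk, 20)[0]
    values = struct.unpack_from("<I", nk, 36)[0]
    name_len = struct.unpack_from("<H", nk, 72)[0]
    raw_name = nk[NK_HEADER_SIZE:NK_HEADER_SIZE + name_len]
    root_key = (raw_name.decode("latin-1") if flags & KEY_COMP_NAME
                else raw_name.decode("utf-16-le"))
    return {
        "hive_name": hive_name,
        "version": f"{major}.{minor}",
        "file_type": ftype,              # 0 = primary hive, 1 = transaction log
        "last_written": filetime_to_datetime(ft),
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "consistent": seq1 == seq2,      # False: dirty hive, .LOG replay pending
        "checksum_ok": stored_csum == regf_checksum(base),
        "hive_bins_size": bins_size,
        "root_key": root_key,
        "root_subkeys": subkeys,
        "root_values": values,
    }


def parse_hive_file(path: str) -> dict:
    """Read a hive file from disk, e.g. from a read-only mount of the drive."""
    with open(path, "rb") as fh:
        return parse_hive(fh.read())


def build_sample_hive(dirty: bool = False) -> bytes:
    """Constructed sample: a well-formed base block plus one hive bin holding
    an empty root key. Every value here is made up for the demonstration."""
    ft = datetime_to_filetime(datetime(2002, 12, 1, 13, 28, 43, tzinfo=timezone.utc))
    root_name = b"ROOT"
    nk = struct.pack("<2sHQ" + "I" * 15 + "HH",
                     b"nk", 0x2C, ft,                 # flags: hive entry, no delete, comp name
                     0, 0xFFFFFFFF,                   # access bits, parent (none for root)
                     0, 0, 0xFFFFFFFF, 0xFFFFFFFF,    # subkey counts and list offsets
                     0, 0xFFFFFFFF,                   # value count, value list offset
                     0xFFFFFFFF, 0xFFFFFFFF,          # security and class-name offsets
                     0, 0, 0, 0, 0,                   # size hints and workvar
                     len(root_name), 0) + root_name
    cell_len = (4 + len(nk) + 7) & ~7                 # cells are 8-byte aligned
    root_cell = struct.pack("<i", -cell_len) + nk.ljust(cell_len - 4, b"\0")
    free_len = BASE_BLOCK_SIZE - HBIN_HEADER_SIZE - cell_len
    hbin = (struct.pack("<4sII8sQI", b"hbin", 0, BASE_BLOCK_SIZE, b"\0" * 8, ft, 0)
            + root_cell + struct.pack("<i", free_len).ljust(free_len, b"\0"))
    base = bytearray(BASE_BLOCK_SIZE)
    base[:4] = b"regf"
    seq = 7   # a dirty hive has a secondary sequence number that lags the primary
    struct.pack_into("<IIQIIIIII", base, 4, seq, seq - 1 if dirty else seq, ft,
                     1, 3, 0, 1, HBIN_HEADER_SIZE, BASE_BLOCK_SIZE)
    base[48:60] = "SYSTEM".encode("utf-16-le")
    struct.pack_into("<I", base, 508, regf_checksum(bytes(base)))
    return bytes(base) + hbin


if __name__ == "__main__":
    for k, v in parse_hive(build_sample_hive()).items():
        print(f"{k:15} {v}")
```

On an XP-era drive the system hives live under \WINDOWS\system32\config (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT) and each profile's NTUSER.DAT under Documents and Settings; point parse_hive_file at those paths on the read-only mount. A hive whose report shows consistent=False was in the middle of a write when the system went down, so the matching .LOG file is needed before its contents can be trusted, and a failed checksum means the base block itself is damaged.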