Re: Retrieving Windows Registry On Secondary Drive

From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 12/01/02


From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com>
Date: Sun, 1 Dec 2002 08:28:43 -0500


"Network Tiger Teams" <information@networktiger.com> wrote in message
news:qq4G9.170346$P31.74978@rwcrnsc53...
> A little off-topic I know, but it's part of a forensic exam:
>
> If I have a PC (Win XP) where I inserted a secondary HD that was the
> primary drive on another system, is there any way to retrieve the
> registry settings that were stored on that drive?

I notice your return email address is "Network Tiger Teams"
@networktiger.com You aren't learning while you charge people for your
services, are you? If so, shame on you.

Yes, there are a number of ways and tools to do this. I would hope that any
professional forensic software such as Encase would let you do this. I
think you could also use any number of DOS and windows registry editors,
possibly even including just using the regular REGEDIT or REGEDT32 programs
to open the files.

Note that AFAIK it's usually not normal to do the initial forensic analysis
by putting the hard drive into an XP computer, since XP can modify the hard
drive while you look at it. I suppose doing this could be something to try
only after you've done the regular methods, if you feel there's a piece of
information you didn't get through the regular methods. I think it is more
common to boot to *nix or forensic software like Encase instead of Windows,
or if you must use Windows, mount the drive as read only on a *nix computer
and share it out using Samba.

http://rr.sans.org/incident/comp_forensics3.php
http://rr.sans.org/incident/
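As an added illustration of the two points above (locate the hive files on the secondary drive, and open them only from a read-only mount), the following Python script is not from the original thread or from any of the tools it mentions. It walks a volume-relative path for the well-known hive locations (SYSTEM, SOFTWARE, SAM, SECURITY and DEFAULT under the system root's System32\config, plus each profile's NTUSER.DAT) and decodes each hive's "regf" base block according to the documented hive file format, reporting whether the hive was cleanly flushed (primary and secondary sequence numbers agree) and whether its header checksum still matches. The sample base block it builds is constructed test data, and the pattern list and function names are this example's own.

```python
"""Added example: find registry hive files on a mounted (read-only) Windows
volume and check each hive's base block before opening it in a viewer.
Field offsets follow the documented 'regf' hive format; the sample block
built below is constructed, not copied from a real disk."""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path, PurePosixPath

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096                      # the base block is the hive's first 4 KiB page
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_HEADER_FMT = "<4sIIQIIIIIII"               # fields at offsets 0..47, see parse_base_block
SAMPLE_WRITTEN = datetime(2002, 12, 1, 8, 28, 43, tzinfo=timezone.utc)  # constructed

# Hive locations relative to the volume root (lower-cased and matched from the
# right, so WINDOWS and WINNT system roots and both profile layouts are covered).
HIVE_PATTERNS = [
    "*/system32/config/system", "*/system32/config/software", "*/system32/config/sam",
    "*/system32/config/security", "*/system32/config/default",
    "*/*/ntuser.dat",           # Documents and Settings\<user> or Users\<user>
]


def is_hive_path(rel_path: str) -> bool:
    """True if a volume-relative path names one of the well-known hive files."""
    p = PurePosixPath(rel_path.replace("\\", "/").lower())
    return any(p.match(pat) for pat in HIVE_PATTERNS)


def find_hives(volume_root) -> list:
    """Walk a mounted volume (mount it read-only first) and list hive files."""
    root = Path(volume_root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and is_hive_path(p.relative_to(root).as_posix()))


def regf_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as 127 little-endian DWORDs; the hive stores
    the result at offset 508, with 0xFFFFFFFF written as 0xFFFFFFFE and 0 as 1."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return x or 1


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_base_block(block: bytes) -> dict:
    """Decode the hive header and flag what an examiner wants to know before
    trusting the file: was it cleanly flushed, and is the checksum intact."""
    if len(block) < BASE_BLOCK_SIZE or block[:4] != REGF_MAGIC:
        raise ValueError("not a registry hive (missing 'regf' signature)")
    (_, seq1, seq2, ft, major, minor, _ftype, _fmt,
     root_off, bins_size, _cluster) = struct.unpack_from(_HEADER_FMT, block, 0)
    name = block[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 508)[0]
    return {
        "primary_seq": seq1, "secondary_seq": seq2,
        "dirty": seq1 != seq2,                  # a write was in flight when the file was taken
        "last_written": filetime_to_datetime(ft),
        "version": f"{major}.{minor}",
        "root_cell_offset": root_off,           # relative to the first hive bin at 0x1000
        "hbins_size": bins_size,
        "file_name": name,
        "checksum_ok": stored == regf_checksum(block),
    }


def check_hive_file(path) -> dict:
    with open(path, "rb") as fh:
        return parse_base_block(fh.read(BASE_BLOCK_SIZE))


def build_sample_base_block(seq1: int, seq2: int, name: str,
                            written: datetime = SAMPLE_WRITTEN) -> bytes:
    """Constructed test data only: a minimal base block with a valid checksum."""
    block = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into(_HEADER_FMT, block, 0, REGF_MAGIC, seq1, seq2,
                     datetime_to_filetime(written), 1, 3, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    import sys
    mount_point = sys.argv[1] if len(sys.argv) > 1 else "."   # e.g. /mnt/evidence
    for hive in find_hives(mount_point):
        print(hive, check_hive_file(hive))
```

Run it against the mount point of the suspect volume after mounting read-only (for instance `mount -o ro` on the *nix box the post recommends). A "dirty" hive whose sequence numbers disagree, or one whose checksum no longer matches, is exactly the kind of file that a live XP system would have been rewriting while you looked at it, which is the reason for not examining the drive from a booted Windows in the first place.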
