
Difference between pages "Windows NT Registry File (REGF)" and "Libqcow"

From ForensicsWiki
(External Links)
 
(External Links)
 
Line 1: Line 1:
[[Microsoft]] [[Windows]] NT 4 (and later) uses the '''Windows NT Registry File (REGF)''' to store system and application related data, e.g. configurations, most recently used (MRU) files.
+
{{Infobox_Software |
 +
  name = libqcow |
 +
  maintainer = [[Joachim Metz]] |
 +
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
 +
  genre = {{Disk imaging}} |
 +
  license = {{LGPL}} |
 +
  website = [http://code.google.com/p/libqcow/ code.google.com/p/libqcow] |
 +
}}
  
== MIME types ==
+
The '''libqcow''' package contains a library and applications to read the [[QCOW_Image_Format | QEMU Copy-On-Write (QCOW) image]] format.
  
== File signature ==
+
== Tools ==  
 +
The '''libqcow''' package contains the following tools:
 +
* '''qcowinfo''', which shows the information about QCOW files.
 +
* '''qcowmount''', which FUSE mounts QCOW image files.
  
REGF has the following file signature:
+
== Examples ==
  
hexadecimal: 72 65 67 66
+
FUSE mounting a QCOW image (libqcow 20111009 or later)
 +
<pre>
 +
qcowmount image.qcow mount_point
 +
</pre>
  
ASCII: regf
+
== History ==
  
== File types ==
+
Libqcow was created by [[Joachim Metz]] in 2010.
There are multiple types of REGF files:
+
* normal (data) file
+
* transaction log file
+
 
+
== Transactional Registry (TxR) ==
+
In Vista the Transactional Registry (TxR) was introduced. TxR creates transaction log files similar to:
+
* %FILE%{%GUID%}.TM.blf
+
* %FILE%{%GUID%}.TMContainer00000000000000000001.regtrans-ms
+
* %FILE%{%GUID%}.TMContainer00000000000000000002.regtrans-ms
+
 
+
Where %FILE% is the name of the REGF normal (data) file, e.g. NTUSER.DAT and %GUID% a string representation of a GUID/UUID.
+
 
+
TxR is similar to [[NTFS | Transactional NTFS (TxF)]] and uses the [[Common Log File System (CLFS)]].
+
 
+
== Contents ==
+
 
+
The REGF basically consists of a set of hive bins. These hive bins contain cells that make up a hierarchy of keys and values.
+
  
 
== Also See ==
 
== Also See ==
 
+
[[QCOW_Image_Format | QEMU Copy-On-Write (QCOW) image format]]
* [[Windows Registry]]
+
  
 
== External Links ==
 
== External Links ==
 
+
* [https://code.google.com/p/libqcow/ Project site]
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], by [[Timothy Morgan]]
+
* [https://code.google.com/p/libqcow/wiki/Building Building libqcow and tools from source]
* [https://googledrive.com/host/0B3fBvzttpiiSSC1yUDZpb3l0UHM/Windows%20NT%20Registry%20File%20(REGF)%20format.pdf Windows NT Registry File (REGF) format], by the [[libregf|libregf project]]
+
* [https://code.google.com/p/libqcow/wiki/Mounting Mounting a QCOW image]
 
+
[[Category:File Formats]]
+

Revision as of 05:29, 15 July 2013

libqcow
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libqcow

The libqcow package contains a library and applications to read the QEMU Copy-On-Write (QCOW) image format.

Tools

The libqcow package contains the following tools:

  • qcowinfo, which shows information about QCOW files.
  • qcowmount, which mounts QCOW image files using FUSE.

Examples

FUSE mounting a QCOW image (libqcow 20111009 or later):

    qcowmount image.qcow mount_point

History

Libqcow was created by Joachim Metz in 2010.

Also See

QEMU Copy-On-Write (QCOW) image format

External Links