Difference between pages "Windows Registry" and "Mounting Disk Images"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (Open Source)
 
m (kpartx)
 
Line 1: Line 1:
==Bibliography==
+
= FreeBSD =
* [http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using ShellBag Information to Reconstruct User Activities.], Yuandong Zhu*, Pavel Gladyshev, Joshua James, DFRWS 2009
+
* Recovering Deleted Data From the Windows Registry. Timothy Morgan, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p33-morgan.pdf [paper]] [http://www.dfrws.org/2008/proceedings/p33-morgan_pres.pdf [slides]]
+
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Registry Examination, by Paul Davies]
+
  
* [http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008  [http://dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
+
To mount a disk image on [[FreeBSD]]:
* [http://www.pkdavies.co.uk/documents/Computer_Forensics/registry_examination.pdf Forensic Analysis of the Windows Registry], Peter Davies, Computer Forensics: Coursework 2 (student paper)
+
* [http://eptuners.com/forensics/A%20Windows%20Registry%20Quick%20Reference.pdf A Windows Registry Quick-Reference], Derrick Farmer, Burlington, VT.
+
  
* [http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=3326500&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000060280&_version=1&_urlVersion=0&_userid=3326500&md5=ab887593e7be6d5257696707886978f1 The Windows Registry as a forensic resource], Digital Investigation, Volume 2, Issue 3, September 2005, Pages 201--205.
+
First attach the image to unit #1:
 +
  # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1
  
* [http://www.forensicfocus.com/downloads/forensic-analysis-windows-registry.pdf Forensic Analysis of the Windows Registry], Lih Wern Wong , School of Computer and Information Science, Edith Cowan University
+
Then mount:
 +
  # mount -t msdos /dev/md1s1 /mnt
  
* [http://www.sentinelchicken.com/research/registry_format/ The Windows NT Registry File Format], Timothy D. Morgan
+
  # ls /mnt
 +
  BOOTLOG.PRV    BOOTLOG.TXT    COMMAND.COM    IO.SYS          MSDOS.SYS
  
==File Locations==
+
To unmount:
===Windows XP===
+
* HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
+
* HKEY_USERS/DEFAULT: \Windows\system32\config\default
+
* HKEY_LOCAL_MACHIN/SAM: \Windows\system32\config\SAM
+
* HKEY_LOCAL_MACHINE/SECURITY: \Windows\system32\config\SECURITY
+
* HKEY_LOCAL_MACHINE/SOFTWARE: \Windows\system32\config\software
+
* HKEY_LOCAL_MACHINE/SYSTEM: \Windows\system32\config\system
+
  
===Windows 98/ME===
+
  # umount /mnt
* \Windows\user.dat
+
  # mdconfig -d -u 1
* \Windows\system.dat
+
* \Windows\profiles\user profile\user.dat
+
  
==Tools==
+
To mount the image read-only, use:
===Open Source===
+
* [http://projects.sentinelchicken.org/reglookup/ reglookup] — "small command line utility for reading and querying Windows NT-based registries."
+
* [http://sourceforge.net/projects/regviewer/ regviewer] — a tool for looking at the registry.
+
* [http://www.regripper.net/ RegRipper] — "the fastest, easiest, and best tool for registry analysis in forensics examinations."
+
* [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.51/lib/Parse/Win32Registry.pm Parse::Win32Registry] perl module.
+
  
===Commercial===
+
  # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
* [http://www.abexo.com/free-registry-cleaner.htm Abexo Free Regisry Cleaner]
+
  # mount -o ro -t msdos /dev/md1s1 /mnt
* [http://www.auslogics.com/registry-defrag Auslogics Registry Defrag]
+
* [http://lastbit.com/arv/ Alien Registry Viewer]
+
* [http://www.larshederer.homepage.t-online.de/erunt/index.htm NT Registry Optimizer]
+
* [http://www.registry-clean.net/free-registry-defrag.htm iExpert Software-Free Registry Defrag]
+
* [http://paullee.ru/regundel Registry Undelete (russian)]
+
* [http://mitec.cz/wrr.html Windows Registry Recovery]
+
* [http://registrytool.com/ Registry Tool]
+
  
==See Also==
+
= Linux =
* [http://windowsir.blogspot.com/search/label/Registry Windows Incident Response Articles on Registry]
+
* [http://www.answers.com/topic/win-registry Windows Registry Information]
+
* [http://en.wikipedia.org/wiki/Windows_Registry Wikipedia Article on Windows Registry]
+
[[Category:Bibliographies]]
+
* [http://moyix.blogspot.com/search/label/registry Push the Red Button] — Articles on Registry
+
* [http://tech.groups.yahoo.com/group/win4n6/ Windows Forensics Mailing List]
+
* [http://samba.org/~jelmer/kregedit/ kregedit] - a KDE utility for viewing and editing registry files.
+
* [http://www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/ntreg_readme.cfm ntreg] a file system driver for linux, which understands the NT registry file format.
+
  
 +
==To mount a disk image on [[Linux]]==
  
* http://www.opensourceforensics.org/tools/unix.html - Open Source Forensic Tools on Brian Carrier's website.
+
# mount -t vfat -o loop,ro,noexec img.dd /mnt
 +
 
 +
The '''''ro''''' is for read-only.
 +
 
 +
This will mount NSRL ISOs:
 +
 
 +
  # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec
 +
 
 +
Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition.
 +
 
 +
# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
 +
# mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2
 +
 
 +
===kpartx===
 +
 
 +
Mounting raw images with multiple partitions is easy with ''kpartx''. Type ''aptitude install kpartx'' as root to install ''kpartx'' under Debian. ''kpartx'' is creating device-mappings for each partition. If the raw image looks like this:
 +
 
 +
        Device        Boot      Start      End      Blocks Id  System
 +
    rawimage.dd1              1          1        8001  83  Linux
 +
    rawimage.dd2              2          2        8032+  5  Extended
 +
    rawimage.dd5              2          2        8001  83  Linux
 +
 
 +
The command
 +
 
 +
#  kpartx -v -a rawimage.dd
 +
 
 +
creates these mappings
 +
 
 +
    /dev/mapper/loop0p1
 +
    /dev/mapper/loop0p2
 +
    /dev/mapper/loop0p5
 +
 
 +
The partitions can be mounted with these commands:
 +
 
 +
# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
 +
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro
 +
 
 +
Don't forget the switch '''''-o ro''''' !
 +
 
 +
==To unmount==
 +
 
 +
# umount /mnt
 +
 
 +
== Mounting Images Using Alternate Superblocks ==
 +
 
 +
* [http://sansforensics.wordpress.com/2008/12/18/mounting-images-using-alternate-superblocks/ Mounting Images Using Alternate Superblocks]
 +
 
 +
[[Category:Howtos]]

Revision as of 07:15, 4 November 2009

Contents

FreeBSD

To mount a disk image on FreeBSD:

First attach the image to unit #1: 

 # mdconfig -a -t vnode -f /big3/project/images/img/67.img -u 1

Then mount: 

 # mount -t msdos /dev/md1s1 /mnt

 # ls /mnt
 BOOTLOG.PRV     BOOTLOG.TXT     COMMAND.COM     IO.SYS          MSDOS.SYS

To unmount: 

 # umount /mnt
 # mdconfig -d -u 1

To mount the image read-only, use: 

 # mdconfig -o readonly -a -t vnode -f /big3/project/images/img/67.img -u 1
 # mount -o ro -t msdos /dev/md1s1 /mnt

Linux

To mount a disk image on Linux

# mount -t vfat -o loop,ro,noexec img.dd /mnt

The ro is for read-only.

This will mount NSRL ISOs: 

 # mount /home/simsong/RDS_218_A.iso /mnt/nsrl -t iso9660 -o loop,ro,noexec

Some raw images contains multiple partitions (e.g. full HD image). In this case, it's necessary to specify a starting offset for each partition. 

# mount -t vfat -o loop,offset=32256,ro,noexec img.dd /mnt/tmp_1
# mount -t vfat -o loop,offset=20974464000,ro,noexec img.dd /mnt/tmp_2

kpartx

Mounting raw images with multiple partitions is easy with kpartx. Type aptitude install kpartx as root to install kpartx under Debian. kpartx is creating device-mappings for each partition. If the raw image looks like this: 

       Device        Boot      Start       End      Blocks Id  System
    rawimage.dd1               1           1        8001   83  Linux
    rawimage.dd2               2           2        8032+   5  Extended
    rawimage.dd5               2           2        8001   83  Linux

The command 

#   kpartx -v -a rawimage.dd

creates these mappings 

   /dev/mapper/loop0p1
   /dev/mapper/loop0p2
   /dev/mapper/loop0p5

The partitions can be mounted with these commands: 

# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the switch -o ro !

To unmount

# umount /mnt

Mounting Images Using Alternate Superblocks

Retrieved from "http://www.forensicswiki.org/w/index.php?title=Windows_Registry&oldid=5010"
Personal tools
Namespaces

Variants
Actions
Navigation:
About forensicswiki.org:
Toolbox