I've used AccessData's Registry Viewer and EnCase. I'm sure there are other applications out there. I also believe you can open the files from a working Windows computer using the Registry Editor (regedit.exe).
Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com
-----Original Message-----
From: Rikard Johnels [mailto:rikard.j (at) rikjoh (dot) com]
Sent: Tuesday, April 11, 2006 2:00 PM
To: forensics (at) securityfocus (dot) com
Subject: Analysing a Windows registry from Linux or another Windows system
Hello!
I have been set to analyse two Windows registry files from a compromised Win98
system. All I am given is the user.dat and system.dat files from the
recovered disk.
How can I read these files and recover data from them? Especially we need the
ISP settings (Modem. It has no network card) to be able
to verify where this specific computer was connecting to.
Any tips or pointers?
--
/Rikard
-----------------------------------------------------------------------------
email : rikard.j (at) rikjoh (dot) com
web : http://www.rikjoh.com
mob : +46 (0)763 19 76 25
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >