Keep in mind: Registry files can't be read with standard text editors.

USER.DAT corresponds to HKEY_LOCAL_USER.
SYSTEM.DAT corresponds to HKEY_LOCAL_MACHINE.

HKEY_LOCAL_MACHINE is the hive where the information specific to the machine will be stored. The information may include network settings, hardware drivers, etc. The HKEY_LOCAL_USER hive stores data specific to the user's configuration, such as desktop color schemes, screen savers, wallpaper, and user-specific application settings.

Areas of interest:

HKEY_CURRENT_USER\RemoteAccess (dial-up settings)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Addresses
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Besides programs like EnCase, FTK, and Paraben, you can try this freeware app: http://www.mitec.cz/Downloads/RegView.zip

Here is a good link for more in-depth descriptions of the parts that make up the registry: http://www.answers.com/topic/win-registry

Also, take a look here and join this Yahoo group: http://forensic.to/webhome/urfg/index.htm

-----Original Message-----
From: Rikard Johnels [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 2:00 PM
To: [email protected]
Subject: Analysing a Windows registry from Linux or another Windows system

Hello!

I have been set to analyse two Windows registry files from a compromised Win98 system. All I am given is the user.dat and system.dat files from the recovered disk. How can I read these files and recover data from them? Especially, we need the ISP settings (modem; it has no network card) to be able to verify where this specific computer was connecting to.

Any tips or pointers?
--
/Rikard
email : [EMAIL PROTECTED]
web   : http://www.rikjoh.com
mob.  : +46 (0)763 19 76 25
Public PGP fingerprint: < 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
