On 2006-04-11 Rikard Johnels wrote:
> I have been set to analyse two Windows registry files from a
> compromised Win98 system. All I am given is the user.dat and
> system.dat files from the recovered disk.
>
> How can I read these files and recover data from them?
> Especially we need the ISP settings (Modem. It has no network card) to
> be able to verify where this specific computer was connecting to.
>
> Any tips or pointers?
I'm not sure whether you can use the "load hive" command in regedt32 (on NT-based versions of Windows) to load structures from Windows 9x .dat files, but it might be worth a try.

If that doesn't work you can export the contents of the .dat files to plaintext files using regedit.exe from Windows 98. The program can be run from DOS [1], so all you need is a DOS bootdisk and regedit.exe from the Windows 98 CD. Use "extract /a \PATH\TO\WIN98_22.CAB regedit.exe" to find and extract it (if the DOS bootdisk comes without extract.exe: the tool is on the Windows 98 CD, too).

On Linux Petter Nordahl's Registry Editor [2] may be an option (see the "Source" section).

Harlan Carvey has a Perl script for parsing the Windows registry [3]. I'm not sure if it will work with Windows 98 files, but it's probably worth a try, too.

HTH

[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;131352
[2] http://home.eunet.no/~pnordahl/ntpasswd/
[3] http://windowsir.blogspot.com/2005/09/updated-registry-parsing-tool.html

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
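The DOS regedit.exe route above ends with a plaintext REGEDIT4 export, which still has to be searched for the dial-up settings; the following is an added example, not code from the original post or from any of the tools it cites, of a small Python parser for that export format that handles the backslash-continued hex: values and lets you pull out keys by path. The sample export, the HKEY_CURRENT_USER\RemoteAccess key names and every value in it are constructed for illustration, and the assumption that Windows 98 keeps its dial-up profiles under that key is mine, not the post's.

```python
import re
# Constructed REGEDIT4 export (the plaintext form Windows 98 regedit.exe
# writes); key paths, names and bytes are invented, not from a real system.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\RemoteAccess\Profile\MyISP]
@=""
"User"="dialup-user"

[HKEY_CURRENT_USER\RemoteAccess\Addresses]
"MyISP"=hex:00,00,00,00,12,34,56,78,9a,bc,de,f0,\
  11,22,33,44
"Flags"=dword:00000001
"""
def decode_value(raw):
    """Right-hand side of a value line -> str, int (dword) or bytes (hex)."""
    if raw.startswith('"') and raw.endswith('"'):
        # REGEDIT4 escapes only '\' and '"', each with a leading backslash
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex"):  # hex: or hex(N): comma-separated bytes
        data = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in data.split(",") if b.strip())
    return raw  # unknown form: keep the raw text

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}."""
    # A hex list ending in a backslash continues on the next indented line;
    # join those first so every value sits on one line.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if m is None or current is None:
            continue  # tolerate malformed or stray lines
        name = "(Default)" if m.group(1) == "@" else decode_value(m.group(1))
        keys[current][name] = decode_value(m.group(2))
    return keys

def find_keys(keys, needle):
    """Keys whose path contains needle (e.g. 'RemoteAccess'), case-insensitively."""
    n = needle.lower()
    return {k: v for k, v in keys.items() if n in k.lower()}
```

On a real export, read the file with `open(path, encoding="cp1252")` and pass its contents to `parse_reg`; the binary blobs under Addresses come back as `bytes` for further decoding.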
