3.3 - Extracting and analysing Windows Registry #
Extracting the registry files with FTK Imager #
The registry files can be extracted with FTK Imager, or with Autopsy.
Windows NT systems store the registry in a binary file format which can be exported , loaded and unloaded by the Registry Editor in these operating systems. The following system registry files are stored in %SystemRoot%\System32\Config:
- Sam – HKEY_LOCAL_MACHINE\SAM
- Security – HKEY_LOCAL_MACHINE\SECURITY
- Software – HKEY_LOCAL_MACHINE\SOFTWARE
- System – HKEY_LOCAL_MACHINE\SYSTEM
The following file is stored in each user’s profile folder:
Parsing the registry files with RegRipper #
Now we have our registry files it’s time to make them human readable.
Run rr.exe from the RegRipper3 folder to start the GUI.
Select the hive file from either the read only mounted drive (D:) or the locally downloaded copy.
Choose where to save the report and give it a name.
Do this for all the registry files to have them prepared to answer the questions. You’ll end up with two files for each registry hive parsed (txt and log).
1. What was the time zone offset at the time of imaging? #
I would not expect you to remember these things until you have done them several times, google is your friend, as are cheatsheets - https://www.13cubed.com/downloads/dfir_cheat_sheet.pdf
1.1 Using RegRipper #
the registry key KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation where the field ActiveTimeBias will return the offset in minutes from GMT for the machine that you are running on. The answer we needed is in the hours.
🏳 Flag 7
2. What is the time zone of the desktop station? #
The SYSTEM hive is where the version of the Windows OS is installed. We can simply search the RegRipper output to find the answer.
2.1 Using RegRipper #
🏳 Flag Pacific Standard Time
3. What is the IP address of the Desktop? #
Still looking at the SYSTEM hive output from RegRipper or Autopsy.
🏳 Flag 126.96.36.199
4. When was the Windows OS installed? #
The SOFTWARE hive is where the version of the Windows OS is installed. We can simply search the RegRipper output to find the answer.
4.1 Using RegRipper #
🏳 Flag 2018-07-28 07:27:53 (GMT, Z, +00:00)
4.2 Using Autopsy #
If you ran the Recent Activity Ingest Module in Autopsy then RegRipper will have been run for you. You can access the output via the reports, then selecting the hive report, right click and open report.
Note: You might notice there is a difference in the output of the two versions of RegRipper. The older version in Autopsy 4.19.0 contains less detail that the most up to date version.