
How To View Windows Registry On Linux

Introduction

Forensic Registry EDitor (fred) is a cross-platform Microsoft registry hive editor. It is a GUI-based registry editor that runs on Linux and has a built-in hex viewer and data interpreter.

Installation

The best way to install this tool is to follow the instructions of its author, Daniel:

In order to automatically stay up-to-date when new versions are released, I recommend adding my repository to your software sources list. This is done by executing the following commands:

sudo wget -P /etc/apt/sources.list.d/ http://deb.pinguin.lu/pinguin.lu.list
wget -q http://deb.pinguin.lu/debsign_public.key -O- | sudo apt-key add -
sudo apt-get update

Once done, you can install packages by issuing:

sudo apt-get install fred fred-reports


Environment

I used a hard disk image of a Windows system.

# ewfmount myImage.E01 /mnt/ewf/
# mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount

I mounted my image at /mnt/windows_mount. Since I was using an E01 image, I used a two-step process to mount it. For details on how to mount an E01 image in Linux you can check this post. You don't need to use an E01 image; any image you can mount in Linux, e.g. a raw image, would be fine.


Usage

I will give some examples that show how to use this powerful tool. First let's cover the locations of the hives. If you are already familiar with the Windows Registry you can skip this section and continue with "Finding unique device serial number of a USB Key".

In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format (http://www.forensicswiki.org/wiki/Windows_Registry).

Basically the following Registry hives are stored in the corresponding files:

  • HKEY_USERS: \Documents and Settings\User Profile\NTUSER.DAT
  • HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
  • HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
  • HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
  • HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
  • HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
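Before handing one of the hive files listed above to a GUI tool, it is worth checking that the file really is a REGF hive and that it was captured in a consistent state. The following script is an added example, not code from the original post or from fred: it decodes the 4096-byte REGF base block (signature, sequence numbers, last-written FILETIME, hive name, checksum) and flags a "dirty" hive, i.e. one whose primary and secondary sequence numbers differ because a write was in progress when the image was taken. The field offsets follow the publicly documented REGF layout; the sample hive bytes are constructed by the script itself and come from no real system.

```python
"""Added example, not code from the original post or from fred: parse and
sanity-check the 4096-byte base block of a REGF hive (the Windows NT registry
file format named above) before opening the hive in a GUI editor. Field
offsets follow the publicly documented REGF layout. The sample hive at the
bottom is constructed by this script; it is not a hive from any real system."""
import datetime
import struct

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096
# Fields at offset 4: primary seq, secondary seq, last written (FILETIME),
# major, minor, file type, file format, root cell offset, hbins size, cluster
HEADER_FIELDS = "<IIQIIIIIII"


def regf_checksum(base_block: bytes) -> int:
    """XOR of the first 508 bytes taken as 127 little-endian uint32 words."""
    csum = 0
    for (word,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= word
    # The format maps two results to neighbouring values.
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def filetime_to_datetime(filetime: int) -> datetime.datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 00:00 UTC."""
    epoch = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
    return epoch + datetime.timedelta(microseconds=filetime // 10)


def parse_base_block(data: bytes) -> dict:
    """Decode the base block and report whether the hive is clean and intact."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than a REGF base block")
    block = data[:BASE_BLOCK_SIZE]
    if block[:4] != REGF_SIGNATURE:
        raise ValueError("not a REGF hive (bad signature)")
    (primary_seq, secondary_seq, last_written, major, minor, file_type,
     file_format, root_offset, hbins_size, _cluster) = struct.unpack_from(
        HEADER_FIELDS, block, 4)
    # Hive name: 64 bytes of UTF-16LE at offset 48, NUL padded
    name = block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, 508)[0]
    return {
        "primary_sequence": primary_seq,
        "secondary_sequence": secondary_seq,
        # Unequal sequence numbers mean a write was in progress when the
        # hive was captured: the hive's transaction log(s) still apply.
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": file_type,          # 0 = primary hive file
        "file_format": file_format,
        "root_cell_offset": root_offset + BASE_BLOCK_SIZE,  # as a file offset
        "hive_bins_size": hbins_size,
        "name": name,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def check_hive_file(path: str) -> dict:
    """Read only the base block of a hive on disk (e.g. inside a mounted image)."""
    with open(path, "rb") as f:
        return parse_base_block(f.read(BASE_BLOCK_SIZE))


def build_sample_hive(primary_seq: int, secondary_seq: int) -> bytes:
    """Constructed minimal hive: a valid base block plus one empty hbin."""
    hdr = bytearray(BASE_BLOCK_SIZE)
    hdr[:4] = REGF_SIGNATURE
    last_written = 131000000000000000  # FILETIME for 2016-02-15 08:53:20 UTC
    struct.pack_into(HEADER_FIELDS, hdr, 4, primary_seq, secondary_seq,
                     last_written, 1, 5, 0, 1, 0x20, 0x1000, 1)
    hdr[48:112] = "CONSTRUCTED\\Config\\SYSTEM".encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    hbin = (b"hbin" + struct.pack("<IIQQI", 0, 0x1000, 0, 0, 0)).ljust(0x1000, b"\x00")
    return bytes(hdr) + hbin


if __name__ == "__main__":
    for label, hive in (("clean", build_sample_hive(5, 5)),
                        ("dirty", build_sample_hive(7, 6))):
        print(label, parse_base_block(hive))
```

Run `check_hive_file("/mnt/windows_mount/WINDOWS/system32/config/system")` on a mounted image (the path is the one used later in this post) to get the same dictionary for a real hive. A `dirty` result does not make the hive unusable, but values read from it may predate the last transactions, which matters when a timestamp is the finding.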

1. Finding unique device serial number of a USB Key

This information is stored at SYSTEM\CurrentControlSet001\Enum\USBSTOR

We know that the SYSTEM hive is stored in C:\Windows\system32\config\system

Let's go to the directory containing the system file (/WINDOWS/system32/config). I mounted the image at /mnt/windows_mount, so I will type

cd /mnt/windows_mount/WINDOWS/system32/config

Then I can type the following to run fred on system file:

root@siftworkstation:/mnt/windows_mount/WINDOWS/system32/config# fred system

The serial number is the value I circled in red.


[Screenshot: fred1]

2. What was the last time that a user opened a .doc file

This data is stored in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

NTUSER.DAT is in \Documents and Settings\User Profile. First we need to go into that directory and run

fred NTUSER.DAT

[Screenshot: fred2]

The timestamp is the value I circled in red.

3. What was the last program a user ran using the Start->Run dialog

We need to open NTUSER.DAT in fred and navigate to NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

[Screenshot: fred3]

In the right column we see what the user ran using Start->Run.
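Each of the three walkthroughs above starts the same way: find the hive file under the mount point and open it. Two practical details hide in that step. The mounted tree keeps the original case of the Windows directories (this post shows /WINDOWS/system32/config where Windows documents C:\Windows\system32\config), and the files opened in an editor should be hashed first so the evidence can later be shown to be unmodified even though the mount is read-only. The script below is an added example, not code from the original post or from fred: it walks a mount root, collects the system hives and every NTUSER.DAT regardless of path case, and records a SHA-256 for each. The mount root is an assumption, and the directory tree built by `build_sample_tree` is constructed for the demonstration (its files are placeholders, not real hives).

```python
"""Added example, not code from the original post or from fred: locate the
registry hives under a mounted Windows image regardless of path case and
record a SHA-256 per hive. The mount root is an assumption; the tree built
by build_sample_tree() is constructed for the demo and holds placeholder
files, not real hives."""
import hashlib
import os
import tempfile

# Hive file names under <root>/Windows/system32/config (compared lower-case)
SYSTEM_HIVES = {"sam", "security", "software", "system", "default"}
CONFIG_SUFFIX = ("windows", "system32", "config")


def _is_config_dir(dirpath: str) -> bool:
    """True when dirpath ends in Windows/system32/config, ignoring case."""
    parts = [p.lower() for p in dirpath.replace("\\", "/").split("/") if p]
    return tuple(parts[-3:]) == CONFIG_SUFFIX


def find_hives(mount_root: str) -> list:
    """Return the system-wide hives plus every NTUSER.DAT under mount_root."""
    hives = []
    for dirpath, _dirs, files in os.walk(mount_root):
        in_config = _is_config_dir(dirpath)
        for name in files:
            lower = name.lower()
            if (in_config and lower in SYSTEM_HIVES) or lower == "ntuser.dat":
                hives.append(os.path.join(dirpath, name))
    return sorted(hives)


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256; hives can be hundreds of MB."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_hives(mount_root: str) -> dict:
    """Map each hive path (relative to the mount root) to its SHA-256."""
    return {os.path.relpath(p, mount_root): sha256_file(p)
            for p in find_hives(mount_root)}


def build_sample_tree(root: str) -> None:
    """Constructed layout imitating an XP-era image mounted with original case."""
    cfg = os.path.join(root, "WINDOWS", "system32", "config")
    os.makedirs(cfg)
    # AppEvent.Evt lives in the same directory but is an event log, not a hive
    for name in ("system", "software", "SAM", "SECURITY", "default", "AppEvent.Evt"):
        with open(os.path.join(cfg, name), "wb") as f:
            f.write(b"placeholder:" + name.encode())
    profile = os.path.join(root, "Documents and Settings", "Alice")
    os.makedirs(profile)
    with open(os.path.join(profile, "NTUSER.DAT"), "wb") as f:
        f.write(b"placeholder:ntuser")


def demo() -> dict:
    """Build the constructed tree in a temp dir and return its hive hashes."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return hash_hives(root)


if __name__ == "__main__":
    # Replace demo() with hash_hives("/mnt/windows_mount") on a real mount
    for rel, digest in demo().items():
        print(f"{digest}  {rel}")
```

The printed lines are in `sha256sum` format, so the same file can be re-verified later with `sha256sum -c` against the hives still on the mount, or against copies taken off it.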

Conclusion

The Windows registry holds a great deal of useful information for investigators. fred helps investigators find the data they need in the registry very easily. The best thing about fred is that it is open source and costs you nothing.

I would love to hear what you think about fred and registry tools in general.