Introduction
Forensic Registry EDitor (fred) is a cross-platform editor for Microsoft Windows registry hive files. It is a GUI-based registry editor that runs on Linux and has a built-in hex viewer and data interpreter.
Installation
The best way to install this tool is to follow the instructions of its author, Daniel (note that apt-key is deprecated on current Debian and Ubuntu releases, so on a recent system place the key under /etc/apt/trusted.gpg.d/ or reference it with a signed-by option in the sources entry instead of running apt-key add):
In order to automatically stay up-to-date when new versions are released, I recommend adding my repository to your software sources list. This is done by executing the following commands:
sudo wget -P /etc/apt/sources.list.d/ http://deb.pinguin.lu/pinguin.lu.list
wget -q http://deb.pinguin.lu/debsign_public.key -O- | sudo apt-key add -
sudo apt-get update
Once done, you can install packages by issuing:
sudo apt-get install fred fred-reports
Environment
I used a hard disk image of a Windows system.
# ewfmount myImage.E01 /mnt/ewf/
# mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf/ewf1 /mnt/windows_mount
I mounted my image in /mnt/windows_mount. Since I was using an E01 image, I used a two-step process to mount it. For details on how to mount an E01 image in Linux you can check this post. You don't need to use an E01 image; any image you can mount in Linux, e.g. a raw image, would be fine.
Usage
I will give some examples that show how to use this powerful tool. First let's cover the locations of the hives. If you are already familiar with the Windows Registry you can skip this section and continue with Finding the unique device serial number of a USB key.
In Windows NT 4 (and later) the Registry is stored in the Windows NT Registry File (REGF) format (http://www.forensicswiki.org/wiki/Windows_Registry).
Basically the following Registry hives are stored in the corresponding files (paths are for Windows XP; on Vista and later the user profiles live under \Users instead of \Documents and Settings):
- HKEY_USERS\<SID> (the user's HKEY_CURRENT_USER): \Documents and Settings\<user profile>\NTUSER.DAT
- HKEY_USERS\.DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
1. Finding the unique device serial number of a USB key
This information is stored under SYSTEM\ControlSet00N\Enum\USBSTOR. CurrentControlSet exists only on a live system as a link to one of the ControlSet00N keys; in an offline hive, look at the Current value under SYSTEM\Select to see which one was active (usually ControlSet001).
We know that the SYSTEM hive is stored in C:\Windows\system32\config\system.
Let's go to the directory that holds the system file. I mounted the image under /mnt/windows_mount, so I type the following (the path is case-sensitive on Linux, so match the case used on the mounted file system, e.g. WINDOWS on an XP image but Windows on Vista and later):
cd /mnt/windows_mount/WINDOWS/system32/config
Then I can run fred on the system file:
root@siftworkstation:/mnt/windows_mount/WINDOWS/system32/config# fred system
Under USBSTOR each device has a key named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>, and below that a subkey whose name is the device's serial number followed by &0: that is the value I circled in red. If the second character of that subkey name is an ampersand (&), the device did not report a serial number and Windows generated the instance ID itself, so it does not identify the physical device.
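As an added example (my code, not fred's and not part of the original post), the following minimal REGF reader does for question 1 what fred does in the GUI: it walks the hive's cells using the format described in the REGF section above, reads Select\Current to choose the active ControlSet00N, and lists every USBSTOR instance name with its last-write time and whether the name is a device-reported serial. The hive it reads is a constructed fixture that HiveBuilder assembles in memory, so every vendor string, serial and timestamp in it is invented; the parser also ignores the base-block checksum and transaction logs, which a real tool must handle.

```python
import struct
from datetime import datetime, timedelta, timezone

HBIN = 0x1000  # nk/vk/list offsets are relative to the first hbin, which follows the 4 KiB base block

def filetime_to_utc(ft):  # key last-write stamps are FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

class Hive:  # just enough REGF parsing to walk keys and read values (no checksum check, no log replay)
    def __init__(self, data):
        if data[:4] != b"regf":
            raise ValueError("not a REGF hive")
        self.data, self.root = data, struct.unpack_from("<I", data, 0x24)[0]

    def cell(self, off):  # payload of the cell at hive offset `off`; a negative size means allocated
        size = struct.unpack_from("<i", self.data, HBIN + off)[0]
        return self.data[HBIN + off + 4:HBIN + off + abs(size)]

    def key(self, off):
        c = self.cell(off)
        assert c[:2] == b"nk", "not an nk cell"
        flags, ft = struct.unpack_from("<HQ", c, 2)
        nsub, _, sublist, _, nval, vallist = struct.unpack_from("<6I", c, 0x14)
        name = c[0x4C:0x4C + struct.unpack_from("<H", c, 0x48)[0]]
        return {"name": name.decode("latin-1" if flags & 0x20 else "utf-16-le"), "nsub": nsub,
                "sublist": sublist, "nval": nval, "vallist": vallist, "last_write": filetime_to_utc(ft)}

    def _list(self, off):  # subkey lists: lf/lh have 8-byte entries, li 4-byte, ri points at more lists
        c = self.cell(off)
        sig, n = struct.unpack_from("<2sH", c)
        offs = [struct.unpack_from("<I", c, 4 + (4 if sig in (b"li", b"ri") else 8) * i)[0] for i in range(n)]
        return [o for s in offs for o in self._list(s)] if sig == b"ri" else offs

    def subkeys(self, k):
        return [self.key(o) for o in (self._list(k["sublist"]) if k["nsub"] else [])]

    def values(self, k):  # name -> (type, raw bytes)
        out, lst = {}, self.cell(k["vallist"]) if k["nval"] else b""
        for i in range(k["nval"]):
            v = self.cell(struct.unpack_from("<I", lst, 4 * i)[0])
            nlen, dlen, doff, vtype, vflags = struct.unpack_from("<HIIIH", v, 2)
            name = v[0x14:0x14 + nlen].decode("latin-1" if vflags & 1 else "utf-16-le")
            # data of 4 bytes or less sits inline in the offset field, flagged by the length's high bit
            out[name] = (vtype, v[8:8 + (dlen & 0x7FFFFFFF)] if dlen & 0x80000000 else self.cell(doff)[:dlen])
        return out

    def open(self, path):  # walk a backslash path below the root key, case-insensitively like Windows
        k = self.key(self.root)
        for part in path.split("\\"):
            k = next((s for s in self.subkeys(k) if s["name"].lower() == part.lower()), None)
            if k is None:
                raise KeyError(path)
        return k

def current_control_set(h):  # an offline SYSTEM hive has ControlSet00N, never CurrentControlSet
    return "ControlSet%03d" % struct.unpack("<I", h.values(h.open("Select"))["Current"][1])[0]

def usb_devices(h):  # USBSTOR\<device>\<instance>: instance name = serial unless its 2nd char is '&'
    return [(d["name"], i["name"], i["name"][1] != "&", i["last_write"].isoformat())
            for d in h.subkeys(h.open(current_control_set(h) + "\\Enum\\USBSTOR")) for i in h.subkeys(d)]

class HiveBuilder:  # writes a small but well-formed hive (base block + one hbin) so the reader runs offline
    def __init__(self):
        self.body = bytearray()

    def add(self, payload):  # one 8-byte-aligned cell; returns its hive-relative offset
        size, off = (4 + len(payload) + 7) & ~7, 32 + len(self.body)
        self.body += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
        return off

    def value(self, name, vtype, data):
        n = name.encode("latin-1")
        if len(data) <= 4:  # inline data
            return self.add(struct.pack("<2sHI", b"vk", len(n), len(data) | 0x80000000) + data.ljust(4, b"\0")
                            + struct.pack("<IHH", vtype, 1, 0) + n)
        return self.add(struct.pack("<2sHIIIHH", b"vk", len(n), len(data), self.add(data), vtype, 1, 0) + n)

    def key(self, name, ft, subkeys=(), values=(), flags=0x20):  # returns (name, off); children come first
        sub = self.add(struct.pack("<2sH", b"lf", len(subkeys)) + b"".join(
            struct.pack("<I", o) + s.encode("latin-1")[:4].ljust(4, b"\0") for s, o in subkeys)) if subkeys else 0
        val = self.add(b"".join(struct.pack("<I", o) for o in values)) if values else 0
        n = name.encode("latin-1")
        return name, self.add(struct.pack("<2sHQ15IHH", b"nk", flags, ft, 0, 0, len(subkeys), 0, sub, 0,
                                          len(values), val, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(n), 0) + n)

    def build(self, root):
        base, hsize = bytearray(4096), (32 + len(self.body) + 0xFFF) & ~0xFFF
        struct.pack_into("<4sII", base, 0, b"regf", 1, 1)
        struct.pack_into("<7I", base, 0x14, 1, 3, 0, 1, root[1], hsize, 1)  # version 1.3, root offset, hbins size
        hbin = struct.pack("<4sII8sQI", b"hbin", 0, hsize, b"\0" * 8, 0, 0)
        return bytes(base) + hbin + bytes(self.body).ljust(hsize - 32, b"\0")

def sample_system_hive():  # constructed fixture: vendor strings, serials and timestamps are all invented
    b, ft = HiveBuilder(), 129698496000000000  # 2012-01-01 00:00:00 UTC
    select = b.key("Select", ft, values=[b.value("Current", 4, struct.pack("<I", 1))])
    real = b.key("Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP", ft,
                 [b.key("0019E06B1A2B&0", ft + 378_000_000_000)])  # device-reported serial, seen 10:30 later
    fake = b.key("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", ft,
                 [b.key("7&2a6f1c0&0&0", ft)])  # no serial reported, so Windows made the instance ID up
    node = b.key("USBSTOR", ft, [real, fake])
    for name in ("Enum", "ControlSet001"):  # wrap in single-child parents, innermost first
        node = b.key(name, ft, [node])
    return b.build(b.key("CMI-CreateHive{EXAMPLE}", ft, [select, node], flags=0x2C))
```

Run it with `h = Hive(sample_system_hive()); print(current_control_set(h), usb_devices(h))`; to point it at a real hive, pass `open("system", "rb").read()` to `Hive` instead. Two details matter in practice: values of four bytes or less (such as the Select\Current DWORD) are stored inside the vk cell rather than in a separate data cell, and subkey lists come in four shapes (lf, lh, li, ri), so a reader that only handles lf will silently miss devices on larger hives.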
2. When did a user last open a .doc file?
This data is stored in NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc (RecentDocs has one subkey per file extension). The subkey's last-write time, which fred shows for the selected key, is when the most recent .doc entry was recorded; the MRUListEx value in that key gives the order of the entries, most recent first.
NTUSER.DAT is in \Documents and Settings\<user profile> (\Users\<user profile> on Vista and later). First we need to go into that directory and run
fred NTUSER.DAT
The timestamp is the value I circled in red.
3. What was the last program a user ran from the Start->Run dialog?
We need to open NTUSER.DAT with fred and go to Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
In the right column we see the commands the user ran from Start->Run, one per lettered value (a, b, c, ...). The MRUList value lists those letters with the most recent first, so the first letter in MRUList names the last command run.
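To show what the raw bytes behind questions 2 and 3 mean, here is an added example (not from the post and not fred's code) that decodes them the way fred's data interpreter would: MRUListEx ordering and the key last-write time for RecentDocs, and MRUList ordering plus the trailing "\1" for RunMRU. The value data is constructed by hand in the form fred's hex viewer displays it and is not taken from a real system; the bytes appended after each RecentDocs file name are a stand-in for the shell item that follows it.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_utc(ft):  # key last-write stamps are FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def reg_sz(data):  # REG_SZ: UTF-16LE, NUL-terminated; whatever follows the NUL is ignored
    return data.decode("utf-16-le", "replace").split("\0")[0]

def mrulistex_order(data):  # MRUListEx: uint32 entry indices, most recent first, terminated by 0xFFFFFFFF
    order = []
    for (i,) in struct.iter_unpack("<I", data):
        if i == 0xFFFFFFFF:
            break
        order.append(str(i))
    return order

def recent_docs(values, key_last_write):
    """values maps the value names of a RecentDocs\\<ext> key to their raw data. Each numbered entry starts
    with the UTF-16LE file name; the shell-item bytes after it are skipped. Only the newest entry can be
    timed, and only through the key's last-write FILETIME, which is what fred shows for the selected key."""
    names = [reg_sz(values[i]) for i in mrulistex_order(values["MRUListEx"])]
    return names, filetime_to_utc(key_last_write)

def run_mru(values):  # RunMRU: MRUList is a REG_SZ of value letters, newest first; every command ends in "\1"
    return [reg_sz(values[c]).removesuffix("\\1") for c in reg_sz(values["MRUList"])]

# Constructed sample values, laid out as fred's hex viewer would show them; none of this is from a real image.
SHELL_ITEM_STUB = b"\x14\x00\x1f\x50" + b"\0" * 16  # stand-in for the shell item that follows the file name
SAMPLE_RECENT_DOC = {
    "0": "budget.doc".encode("utf-16-le") + b"\0\0" + SHELL_ITEM_STUB,
    "1": "report.doc".encode("utf-16-le") + b"\0\0" + SHELL_ITEM_STUB,
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),  # entry 1 is the most recent
}
SAMPLE_DOC_KEY_LAST_WRITE = 129698874000000000  # 2012-01-01 10:30:00 UTC
SAMPLE_RUN_MRU = {
    "a": "cmd\\1".encode("utf-16-le") + b"\0\0",
    "b": "regedit\\1".encode("utf-16-le") + b"\0\0",
    "c": "\\\\fileserver\\share\\1".encode("utf-16-le") + b"\0\0",
    "MRUList": "cab".encode("utf-16-le") + b"\0\0",
}

if __name__ == "__main__":
    print(recent_docs(SAMPLE_RECENT_DOC, SAMPLE_DOC_KEY_LAST_WRITE))
    print(run_mru(SAMPLE_RUN_MRU))
```

The point worth remembering from the RecentDocs half is that the numbered values carry no timestamp of their own: the only time available is the key's last-write stamp, and it applies to the newest entry only, so the older names in the list are ordered but undated.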
Conclusion
The Windows registry holds a wealth of information for investigators, and fred helps them find the data they need in it very easily. The best thing about fred is that it is open source and costs nothing.
I would love to hear what you think about fred and about registry tools in general.