Sunday 13 September 2009

Experiment 12 on Windows Registry Analysis under Ubuntu

This experiment is the same as experiments 9, 10 and 11, which are part of a set of experiments related to the class assignments performed in December 2008. In my view, an assignment report is more reliable if it is supported by a number of experiments as well as a literature study; therefore, for most of my assignments during my course at Strathclyde, I usually performed some experiments to prove my statements.



The registry on Microsoft Windows stores a great deal of important information, such as the user accounts, the applications installed on a machine, the USB drives that have ever been attached to it and so on; it is therefore one of the first places a forensic investigator searches.

In this experiment, a registry viewer application running under Ubuntu 8.10 was used, with the registry of my experimental dual-boot machine as the object of analysis.

Under Ubuntu 8.10, the cp command was used to copy five registry hive files from an experimental forensic image that had been taken from a Windows machine (the hives are locked on a running Windows system, so working from the image or a mounted copy is the only way to read them intact):

/WINDOWS/system32/config/SAM
/WINDOWS/system32/config/SECURITY
/WINDOWS/system32/config/software
/WINDOWS/system32/config/system
/Documents and Settings/UserXP/NTUSER.DAT

After that, regviewer was run to analyse these files.
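Before loading the copies into a viewer it is worth confirming that what came out of the image really is a hive and that it was captured in a clean state. The script below is an added example, not part of the original post and not regviewer's code: it copies the five hive files from a mounted image root, records a SHA-256 for each, and decodes the regf base block (magic, the two sequence numbers, last-written time, embedded file name and header checksum). The image root, the destination directory and the sample hives it fabricates for an offline run are assumptions; the sample hives carry only a header and no key cells.

```python
import hashlib
import shutil
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# The five hive files the post copies, relative to the root of the mounted
# Windows volume ("UserXP" is the profile name used in the post).
HIVE_PATHS = [
    "WINDOWS/system32/config/SAM",
    "WINDOWS/system32/config/SECURITY",
    "WINDOWS/system32/config/software",
    "WINDOWS/system32/config/system",
    "Documents and Settings/UserXP/NTUSER.DAT",
]
REGF_MAGIC = b"regf"
HEADER_SIZE = 4096  # the regf base block is exactly one 4 KiB page
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def regf_checksum(header):
    """Base-block checksum: XOR of the first 508 bytes as LE dwords, plus the
    two special cases the format defines for the result."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    if csum == 0:
        return 1
    return 0xFFFFFFFE if csum == 0xFFFFFFFF else csum

def parse_regf_header(data):
    """Decode the base-block fields worth checking before trusting a copied hive."""
    if len(data) < HEADER_SIZE or data[:4] != REGF_MAGIC:
        raise ValueError("not a regf hive (bad magic or truncated header)")
    seq1, seq2, last_written, major, minor = struct.unpack_from("<IIQII", data, 4)
    name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "embedded_name": name,
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(last_written),
        # Unequal sequence numbers mean the hive was captured mid-update; its
        # .LOG transaction log would be needed to bring it to a clean state.
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(data),
    }

def collect_hives(image_root, dest):
    """Copy each hive out of the mounted image (keeping timestamps), hash it and
    parse its header.  A missing file is reported rather than silently skipped."""
    image_root, dest = Path(image_root), Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    records = []
    for rel in HIVE_PATHS:
        src = image_root / rel
        rec = {"path": rel}
        if not src.is_file():
            rec["error"] = "missing from image"
        else:
            data = Path(shutil.copy2(src, dest / src.name)).read_bytes()
            rec["sha256"] = hashlib.sha256(data).hexdigest()
            try:
                rec.update(parse_regf_header(data))
            except ValueError as exc:
                rec["error"] = str(exc)
        records.append(rec)
    return records

# Constructed sample data (assumption) so the script runs without a real image.
def make_sample_hive(embedded_name, seq1=5, seq2=5):
    """Build a 4 KiB base block with a valid checksum and no key cells."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = REGF_MAGIC
    delta = datetime(2008, 12, 1, tzinfo=timezone.utc) - FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    struct.pack_into("<IIQII", hdr, 4, seq1, seq2, ft, 1, 3)  # version 1.3 (XP)
    hdr[48:112] = embedded_name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)

def build_sample_image(root):
    """Lay the five hives out under a fake mount point; NTUSER.DAT gets
    mismatched sequence numbers to show what a dirty hive looks like."""
    root = Path(root)
    for rel in HIVE_PATHS:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        seq2 = 6 if target.name == "NTUSER.DAT" else 5
        target.write_bytes(make_sample_hive(target.name, seq2=seq2))
    return root

def run_demo():
    """Build the sample image in a temp dir, collect its hives, return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        image = build_sample_image(Path(tmp) / "image")
        return collect_hives(image, Path(tmp) / "hives")

if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

On a real case, point collect_hives at the mount point of the image instead of the fabricated tree and keep the hash list with the case notes; a record with dirty set to True tells you the viewer may show keys older than the last-written time, which is exactly the situation a dual-boot machine that was shut down uncleanly produces.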

From /HKEY_LOCAL_MACHINE/SAM/Domains/Account/Users/Names, the list of local user accounts was obtained, namely Administrator, Guest, HelpAssistant, SUPPORT_388945a0 and UserXP. The SAM hive holds only local accounts, so domain users who had logged on to the machine would not appear here.

Figure 1
/HKEY_LOCAL_MACHINE/SAM/Domains/Account/Users/Names shows the list of user accounts.

From /HKEY_LOCAL_MACHINE/ntuser.dat/Software and /HKEY_LOCAL_MACHINE/SOFTWARE, the list of vendors along with their software installed on the target machine was obtained, such as AccessData with FTK and FTK Imager, Adobe with Acrobat Reader, America Online, BitComet and so on. Note that regviewer places every loaded hive under HKEY_LOCAL_MACHINE; on the running system NTUSER.DAT is HKEY_CURRENT_USER, so its Software subkey holds the per-user settings of UserXP rather than machine-wide installations, and a vendor key surviving there does not by itself prove that the software is still installed.

Figure 2
/HKEY_LOCAL_MACHINE/ntuser.dat/Software shows the list of software installed within the machine.

From /HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Enum/USBSTOR, the list of storage devices that had ever been attached to a USB port of the experimental machine was found, each with its unique entry, such as SanDisk Cruzer, Fujitsu, Generic and so on. Which ControlSetNNN Windows actually booted last is recorded in the Current value of the Select key in the SYSTEM hive; CurrentControlSet is a link that exists only on a running system, not in the hive file, so when reading the hive offline it has to be resolved by hand before trusting one control set over the other.

Figure 3
/HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Enum/USBSTOR shows the list of storage media that was ever attached to the machine.
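What makes a USBSTOR entry unique is its instance key, and reading it correctly needs one rule that the viewer does not show: an instance id whose second character is an ampersand was generated by Windows because the device reported no serial number, so it identifies the device only on this machine. The following is an added example, not code from the original post: it parses constructed USBSTOR key paths (the vendor names follow the post; the products and serial numbers are made up), flags generated ids, groups the LUNs of one device, and turns the Select\Current value into the control set name. The key paths and the Select value it is fed are assumptions.

```python
import re
from dataclasses import dataclass

# Layout under HKLM\SYSTEM\ControlSetNNN\Enum\USBSTOR on Windows XP:
#   <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>
# The instance id is the serial number the device reported over USB followed
# by "&<n>" (n tells LUNs of one device apart).  If the device had no serial,
# Windows generates an id for it, and that generated id has '&' as its
# second character, so it is unique to this machine rather than to the device.
DEVICE_KEY_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$"
)

@dataclass
class UsbStorDevice:
    dev_class: str
    vendor: str
    product: str
    revision: str
    serial: str
    serial_generated: bool
    instance_key: str

def parse_usbstor_key(path):
    r"""Parse one key path such as
    'Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0000161511041F8C&0'."""
    device_part, sep, instance = path.partition("\\")
    if not sep or not instance:
        raise ValueError(f"no instance id in {path!r}")
    m = DEVICE_KEY_RE.match(device_part)
    if not m:
        raise ValueError(f"unrecognised USBSTOR device key {device_part!r}")
    serial = instance.rsplit("&", 1)[0]      # drop the trailing "&<n>"
    generated = len(instance) > 1 and instance[1] == "&"
    return UsbStorDevice(m["cls"], m["vendor"], m["product"], m["rev"],
                         serial, generated, instance)

def usbstor_inventory(key_paths):
    """Group instance keys by physical device (same serial) so a multi-LUN
    card reader shows up once, with every instance key that pointed at it."""
    devices = {}
    for path in key_paths:
        d = parse_usbstor_key(path)
        entry = devices.setdefault(d.serial, {
            "vendor": d.vendor, "product": d.product, "revision": d.revision,
            "serial": d.serial, "serial_generated": d.serial_generated,
            "instances": [],
        })
        entry["instances"].append(d.instance_key)
    return list(devices.values())

def current_control_set(select_current):
    r"""HKLM\SYSTEM\Select\Current (REG_DWORD) names the control set that was
    booted last; CurrentControlSet is only a link on a live system."""
    return f"ControlSet{select_current:03d}"

# Constructed sample (assumption) of key paths as a viewer lists them under
# USBSTOR; the vendor names follow the post, products and serials are made up.
SAMPLE_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0000161511041F8C&0",
    r"Disk&Ven_FUJITSU&Prod_USB_Disk&Rev_0000\7&2a1b3c4d&0",
    r"Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00\058F63626476&0",
    r"Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00\058F63626476&1",
]

if __name__ == "__main__":
    print("reading", current_control_set(2))
    for dev in usbstor_inventory(SAMPLE_KEYS):
        tag = "generated id" if dev["serial_generated"] else "device serial"
        print(f'{dev["vendor"]} {dev["product"]} rev {dev["revision"]}: '
              f'{dev["serial"]} ({tag}), instances {dev["instances"]}')
```

Only entries whose serial is not flagged as generated can be matched against a seized drive, which is the check to make before writing "this SanDisk Cruzer was attached to the machine" into a report.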

1 comment:

  1. Registry software helps in deleting unwanted files from your PC and it helps keep our PC from crashing.
