On 5 Jun 2001, at 10:24, Tan Sze Yan wrote:

> I am wondering if there are any programs that work on a set of registry
> files (e.g. registry files copied from a compromised system to your
> computer for forensics analysis), rather than on a "live registry".

RegEdt32 (from any NT) will load registry hives. Reg (from the ResKit) does the same. Make sure to load the hive into a key with no standard name!

When you copy a hive from another machine onto yours and load the hive in your Registry, nothing will change in this hive (until YOU change something, of course). Because the Registry only knows the Last WRITE Time, this time will not change in your hive until you write to the hive. NT itself will not access the extra hive because it does not care about extra hives (until you give them the name of an existing hive, which is not a good idea).

> My concern is that once you boot up a compromised system and the registry
> is being loaded, some of the keys would have already been modified.

This is true. Move the HD to another machine or install another version of NT on this machine.

Frank Heyne
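The procedure Frank describes, as an added example that is not part of the original thread: copied SYSTEM and SOFTWARE hives are mounted with reg.exe under deliberately non-standard key names, inspected read-only, and unloaded again. Since the message's point is that only the Last Write Time survives in a hive, the example also reads that timestamp through RegQueryInfoKey, which the .NET registry classes do not expose directly. The evidence directory `C:\evidence` and the key names `EV_SYSTEM` / `EV_SOFTWARE` are assumptions; the shell must be elevated, because `reg load` needs the backup/restore privileges.

```powershell
# Added example, not code from the original message. Assumes hive copies in
# C:\evidence (constructed path) and an elevated PowerShell session.

$EvidenceDir = 'C:\evidence'
$Hives = @{
    'EV_SYSTEM'   = Join-Path $EvidenceDir 'SYSTEM'
    'EV_SOFTWARE' = Join-Path $EvidenceDir 'SOFTWARE'
}

# P/Invoke wrapper for RegQueryInfoKey (advapi32), which returns the key's
# last-write FILETIME; this is the only timestamp a registry key carries.
Add-Type -Namespace Forensics -Name NativeMethods -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, System.Text.StringBuilder lpClass, ref uint lpcchClass,
    IntPtr lpReserved, out uint lpcSubKeys, out uint lpcbMaxSubKeyLen,
    out uint lpcbMaxClassLen, out uint lpcValues, out uint lpcbMaxValueNameLen,
    out uint lpcbMaxValueLen, out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-KeyLastWriteTime([string]$Path) {
    # Opens the key read-only via the PowerShell registry provider and asks
    # the native API for its last-write time (UTC).
    $key = Get-Item -LiteralPath $Path
    $cls = New-Object System.Text.StringBuilder 256
    [uint32]$clsLen = 256
    [uint32]$sub = 0; [uint32]$a = 0; [uint32]$b = 0; [uint32]$vals = 0
    [uint32]$c = 0; [uint32]$d = 0; [uint32]$e = 0; [long]$ft = 0
    $rc = [Forensics.NativeMethods]::RegQueryInfoKey(
        $key.Handle.DangerousGetHandle(), $cls, [ref]$clsLen, [IntPtr]::Zero,
        [ref]$sub, [ref]$a, [ref]$b, [ref]$vals, [ref]$c, [ref]$d, [ref]$e, [ref]$ft)
    $key.Close()   # release the handle so 'reg unload' can succeed later
    if ($rc -ne 0) { throw "RegQueryInfoKey failed for ${Path}: $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

# 1. Load each hive under a name that no live hive uses. Loading it as
#    HKLM\SOFTWARE or HKLM\SYSTEM would let the running system treat the
#    evidence as its own configuration.
foreach ($name in $Hives.Keys) {
    & reg.exe load "HKLM\$name" $Hives[$name] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $name" }
}

try {
    # 2. Read-only inspection. Nothing here writes, so the Last Write Times
    #    recorded on the compromised machine stay intact.
    $select = Get-ItemProperty -LiteralPath 'HKLM:\EV_SYSTEM\Select'
    $ccs    = 'ControlSet{0:D3}' -f $select.Current
    Write-Host "Evidence SYSTEM hive: current control set is $ccs"

    $runKey = 'HKLM:\EV_SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    Write-Host ("Run key last written (UTC): {0}" -f (Get-KeyLastWriteTime $runKey))
    Get-ItemProperty -LiteralPath $runKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List

    $services = "HKLM:\EV_SYSTEM\$ccs\Services"
    # Per-service last-write times help order when entries were added/changed.
    Get-ChildItem -LiteralPath $services |
        ForEach-Object { [pscustomobject]@{ Service = $_.PSChildName
                                            LastWriteUtc = Get-KeyLastWriteTime $_.PSPath } } |
        Sort-Object LastWriteUtc -Descending | Select-Object -First 10 | Format-Table
}
finally {
    # 3. Unload, so the evidence is not left attached to the examiner's registry.
    [GC]::Collect()   # drop any lingering RegistryKey handles first
    foreach ($name in $Hives.Keys) {
        & reg.exe unload "HKLM\$name" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed for $name" }
    }
}
```

Work on copies of the hive files, never on the originals, and keep in mind that anything done through a writing tool (setting a value, creating a key, even some GUI editors on close) updates the Last Write Time of the touched key and destroys part of the timeline.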
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 14:08:07 PDT