RE: Windows forensics with Linux analysis machine

From: Steve (steve@infosec-solutions.com)
Date: Sat Aug 23 2003 - 13:17:43 PDT


    All the registry info is stored in a set of files on the disk so you can get
    it with anything that allows you to read the disk.  (I don't remember the
    files off hand, the times I've done it I've had a senior investigator in the
    office assisting)
    
    You can also use 'dd' to make a bit copy of the suspect drive which can then
    be booted, allowing you to access the registry using the standard Windows
    tools without disturbing the integrity of the suspect drive.
    
    -----Original Message-----
    From: Holger.Woehleat_private [mailto:Holger.Woehleat_private]
    Sent: Friday, August 22, 2003 1:17 AM
    To: forensicsat_private
    Subject: RE: Windows forensics with Linux analysis machine
    
    ...I don't think that F.I.R.E. matches all needs for an investigation of
    Windows.
    I am not too close with forensics of Windows platforms, but I am learning...
    One attempt might be the registry. A very important database which you can't
    analyse with F.I.R.E., or am I wrong?
    Please correct me.
    
    By the way, does anybody know a tool for doing that under Linux?
    At the moment I am doing a:\redump.exe | cryptcat and less/grep the ASCII
    dump-file on my forensics notebook.
    But this means that the system is alive and running! And that no trojan hides
    registry-trees (hives).
    
    looking forward
    Holger
    
    "tetsujin" <tetsujinat_private>
    21.08.2003 02:03
    To:     "'JJ'" <jjhorner@SAFe-mail.net>, forensicsat_private
    Cc:     (Bcc: Holger Wöhle/PSD/Eschborn/Arcor)
    Subject: RE: Windows forensics with Linux analysis machine
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
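As an added example (not code from anyone in this thread): once a dd image of the suspect drive is mounted read-only on the Linux analysis box, the hive files Steve mentions can be located by their "regf" signature and their base block parsed without booting the image. The hive name, timestamp and sequence numbers below are constructed sample values, not data from a real system; the mismatched-sequence ("dirty") check is what flags a hive that was copied while the system was still live and writing to it, the situation Holger describes.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch (100-ns ticks)
SAMPLE_TIME = datetime(2003, 8, 22, 8, 17, tzinfo=timezone.utc)  # constructed value

def base_block_checksum(block):
    """XOR of the first 127 little-endian dwords; 0 and 0xFFFFFFFF are reserved and remapped."""
    csum = 0
    for off in range(0, 508, 4):
        csum ^= struct.unpack_from("<I", block, off)[0]
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)

def parse_hive_base_block(block):
    """Parse the 512-byte base block that starts every regf hive (SAM, SYSTEM, NTUSER.DAT, ...)."""
    if len(block) < 512 or block[:4] != b"regf":
        raise ValueError("not a regf hive")
    (primary, secondary, last_written, major, minor,
     _ftype, _fmt, root_cell, _hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    return {
        "name": block[48:112].decode("utf-16-le").split("\x00", 1)[0],
        "version": f"{major}.{minor}",
        "last_written": EPOCH_1601 + timedelta(microseconds=last_written // 10),
        "root_cell_offset": root_cell,
        # sequence numbers differ when the copy was taken mid-write (e.g. from a live system)
        "dirty": primary != secondary,
        "checksum_ok": base_block_checksum(block) == struct.unpack_from("<I", block, 508)[0],
    }

def find_hives(mount_root):
    """Walk a read-only mounted image and yield each file whose first four bytes are 'regf'."""
    for dirpath, _dirs, files in os.walk(mount_root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    if fh.read(4) == b"regf":
                        yield path
            except OSError:
                continue

def build_sample_base_block(primary, secondary, name="\\SystemRoot\\System32\\Config\\SAM"):
    """Constructed sample header (not from a real machine) so the parser can be exercised offline."""
    block = bytearray(512)
    block[0:4] = b"regf"
    ticks = int((SAMPLE_TIME - EPOCH_1601).total_seconds()) * 10_000_000
    struct.pack_into("<IIQIIIIII", block, 4, primary, secondary, ticks, 1, 3, 0, 1, 0x20, 0x1000)
    block[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", block, 508, base_block_checksum(block))
    return bytes(block)
```

On a real case, feed `find_hives("/mnt/image")` (a read-only loop mount of the dd copy) into `parse_hive_base_block(open(path, "rb").read(512))` and treat any hive reporting `dirty` or a failed checksum as one whose contents may not reflect a consistent on-disk state.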
    This archive was generated by hypermail 2b30 : Mon Aug 25 2003 - 06:08:15 PDT