Disk Analysis Introduction
Windows Registry Analysis
Let's drop the registry hives into Registry Explorer.
Next, let's extract some system information from these registry hives using Registry Explorer and RegRipper.
System Information
Computername: Registry: HKLM\System\CurrentControlSet\Control\Computername\
Windows Version: Registry: HKLM\Software\Microsoft\Windows NT\Currentversion\
Let's use RegRipper, but first, copy the registry hives to a separate folder.
rip.exe -r c:\Cases\Analysis\Registry\SOFTWARE -p winver
Timezone: Registry: HKLM\System\CurrentControlSet\Control\TimeZoneInformation\
rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p timezone
Network Information: Registry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface-name}
rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p nic2
rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p networklist
Shutdown time: Registry: HKLM\System\ControlSet001\Control\Windows\ShutdownTime
rip.exe -r C:\Cases\Analysis\Registry\SYSTEM -p shutdown
Defender settings: Registry: HKLM\Software\Microsoft\Windows Defender\
rip.exe -r C:\Cases\Analysis\Registry\SOFTWARE -p defender
Parsing registry hives in bulk with RegRipper
attrib *
The files UsrClass.dat and NTUSER.DAT are hidden. Let’s display them.
attrib -h NTUSER.DAT
attrib -h UsrClass.dat
Let's process each hive using RegRipper.
for /r %i in (*) do (c:\Tools\RegRipper3.0-master\rip.exe -r %i -a > %i.txt)
Let's open them in Notepad.
Let's use Ctrl + F to search for the shutdown time, then select "Find All in All Opened Document."
Last updated