Monday, November 7, 2011

Recovering and identifying the owner of the NTUSER.DAT from a reformatted Windows OS hard disk

Challenges:
The suspect managed to reformat the desktop machine before the raid.

Objective:
To recover and identify the owner of the "NTUSER.DAT" registry file from a reformatted Windows OS hard disk.

Research:
Found one good mini-whitepaper by Andrew Case on "Recovering and Analyzing Deleted Registry Files" at http://dfsforensics.blogspot.com/2011/09/recovering-and-analyzing-deleted.html. I can use some of its steps to speed up my process.

I used EnCase for the data recovery. Once the recovery completed, I filtered the results and extracted the "NTUSER.DAT" files with the "copy folder" feature. Now I have about 10 "NTUSER.DAT" files in their original folder structure, ready to inspect. So, which ones are valid registry files?

Based on the mini-whitepaper, I can use "reglookup.exe" to validate the good registry files. The author used a bash one-liner, but I am on a Windows platform now. Okay, here comes some creative thinking to polish up my MS-DOS batch scripting. I created two batch files: "Generate_File_Listing.bat" to list the paths of the NTUSER.DAT files and "Find_Valid_Registry_Hive.bat" to validate the registry files, as below.

File Name: Generate_File_Listing.bat
@Echo Off
SetLocal EnableDelayedExpansion
REM Counter used to number the candidates; Set /a treats an unset variable as 0
Set N=
REM Keep the quotes out of the variable values and quote at the point of use,
REM otherwise the expanded paths carry stray quote characters
Set ReglookupOutputFolder=D:\CaseID\Registry_Analysis\reglookup-output
Set EvidenceFolder=D:\CaseID\Registry_Analysis\Evidence
REM Walk the evidence tree and record every candidate with its number
REM (*.DAT picks up every .DAT file under the tree; narrow to NTUSER*.DAT if needed)
For /R "%EvidenceFolder%" %%a in (*.DAT) DO (
Set /a N+=1
echo !N!-%%a >> "%ReglookupOutputFolder%\List_of_NTUSER.DAT.txt"
)


File Name: Find_Valid_Registry_Hive.bat
@Echo Off
SetLocal EnableDelayedExpansion
REM Same numbering as Generate_File_Listing.bat, so result-N.txt maps back to line N of the listing
Set N=
Set ReglookupExe=C:\Tools\reglookup-win32-1.0.1\reglookup.exe
Set ReglookupOutputFolder=D:\CaseID\Registry_Analysis\reglookup-output
Set EvidenceFolder=D:\CaseID\Registry_Analysis\Evidence
REM Run reglookup over every candidate; a hive it cannot parse leaves an empty (0 KB) result file
For /R "%EvidenceFolder%" %%a in (*.DAT) DO (
Set /a N+=1
"%ReglookupExe%" "%%a" > "%ReglookupOutputFolder%\result-!N!.txt"
)


Here is the result:
So now I know that I have only 2 valid "NTUSER.DAT" registry files to check. The rest are not valid, since their result files are 0 KB. Next I need to check who the owner of each "NTUSER.DAT" file is. Here I used another tool called "Windows Registry Recovery" from http://www.mitec.cz/wrr.html to get the user owner information. You can also read it from the RAW "NTUSER.DAT" file if you know the location of the information.
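Both steps above (sorting valid hives from junk, then reading the owner out of the raw file) can be done in one pass by parsing the hive's "regf" base block directly. The following is an added example, not code from the original post and not reglookup or WRR: it checks the signature, version, base-block checksum and first hive bin (the header-level checks a parser performs before it can produce any output), and then decodes the UTF-16LE file-name field at offset 0x30, which holds the last 32 characters of the hive's original path and so normally contains the profile folder name. Offsets follow the documented registry hive format; the candidate hives are constructed in the script (they are not real evidence), and the file layout under "Evidence" is assumed. A header-level pass is a fast triage, not a substitute for a full parse.

```python
"""Triage recovered NTUSER.DAT candidates by parsing the regf base block.
Offsets follow the documented Windows registry hive (regf) format."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REGF_SIGNATURE = b"regf"
HBIN_SIGNATURE = b"hbin"
BASE_BLOCK_SIZE = 0x1000
CHECKSUM_OFFSET = 0x1FC   # XOR checksum over the preceding 127 DWORDs
FILENAME_OFFSET = 0x30    # UTF-16LE, 64 bytes: tail of the hive's original path
FILENAME_SIZE = 64


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs before the checksum field."""
    result = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        result ^= dword
    if result == 0xFFFFFFFF:      # two reserved results, per the format
        return 0xFFFFFFFE
    return result or 1


def profile_user_from_path(embedded_path: str) -> Optional[str]:
    """Directory name preceding ntuser.dat in the embedded path, i.e. the profile name.
    The field keeps only the path's tail, so the leading component may be cut short;
    the component just before ntuser.dat normally survives intact."""
    parts = embedded_path.split("\\")
    for i in range(1, len(parts)):
        if parts[i].lower() == "ntuser.dat":
            return parts[i - 1]
    return None


@dataclass
class HiveInfo:
    valid: bool
    problems: List[str] = field(default_factory=list)
    dirty: bool = False            # sequence numbers differ: last write was not flushed
    embedded_path: str = ""
    profile_user: Optional[str] = None


def inspect_hive(data: bytes) -> HiveInfo:
    """Validate a candidate's base block and pull the owner hint out of it."""
    info = HiveInfo(valid=False)
    if len(data) < BASE_BLOCK_SIZE:
        info.problems.append("shorter than the 4096-byte base block")
        return info
    bb = data[:BASE_BLOCK_SIZE]
    if bb[:4] != REGF_SIGNATURE:
        info.problems.append("no 'regf' signature")
    primary, secondary = struct.unpack_from("<II", bb, 0x04)
    major, minor = struct.unpack_from("<II", bb, 0x14)
    stored_checksum = struct.unpack_from("<I", bb, CHECKSUM_OFFSET)[0]
    if major != 1 or minor not in (3, 4, 5, 6):
        info.problems.append(f"unexpected hive version {major}.{minor}")
    if regf_checksum(bb) != stored_checksum:
        info.problems.append("base block checksum mismatch")
    if data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] != HBIN_SIGNATURE:
        info.problems.append("first hive bin lacks 'hbin' signature")
    info.dirty = primary != secondary
    info.valid = not info.problems
    if info.valid:
        raw = bb[FILENAME_OFFSET:FILENAME_OFFSET + FILENAME_SIZE]
        info.embedded_path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        info.profile_user = profile_user_from_path(info.embedded_path)
    return info


def build_sample_hive(embedded_path: str, primary_seq: int = 7, secondary_seq: int = 7) -> bytes:
    """Constructed test data (not a real hive): a base block plus one empty hive bin."""
    bb = bytearray(BASE_BLOCK_SIZE)
    bb[:4] = REGF_SIGNATURE
    struct.pack_into("<II", bb, 0x04, primary_seq, secondary_seq)
    struct.pack_into("<II", bb, 0x14, 1, 5)              # major.minor = 1.5
    struct.pack_into("<III", bb, 0x1C, 0, 1, 0x20)       # primary file, format 1, root cell offset
    struct.pack_into("<II", bb, 0x28, 0x1000, 1)         # hive bins size, clustering factor
    name = embedded_path[-32:].encode("utf-16-le")       # field keeps only the last 32 characters
    bb[FILENAME_OFFSET:FILENAME_OFFSET + len(name)] = name
    struct.pack_into("<I", bb, CHECKSUM_OFFSET, regf_checksum(bytes(bb)))
    hbin = bytearray(0x1000)
    hbin[:4] = HBIN_SIGNATURE
    struct.pack_into("<II", hbin, 4, 0, 0x1000)          # bin offset, bin size
    return bytes(bb + hbin)


def triage(candidates: Dict[str, bytes]) -> Dict[str, HiveInfo]:
    """The batch loops in one pass: candidate path -> validation result and owner hint."""
    return {path: inspect_hive(data) for path, data in candidates.items()}


# Constructed candidates standing in for the recovered "NTUSER.DAT" files (paths are assumed).
_damaged = bytearray(build_sample_hive(r"\??\C:\Users\carol\ntuser.dat"))
_damaged[0x30] ^= 0xFF                                   # one flipped byte inside the base block
SAMPLES = {
    r"Evidence\1\NTUSER.DAT": build_sample_hive(r"\??\C:\Documents and Settings\alice\NTUSER.DAT"),
    r"Evidence\2\NTUSER.DAT": build_sample_hive(r"\??\C:\Users\bob\ntuser.dat", 9, 8),
    r"Evidence\3\NTUSER.DAT": bytes(range(256)) * 16,   # 4096 bytes of non-hive data
    r"Evidence\4\NTUSER.DAT": bytes(_damaged),
}

if __name__ == "__main__":
    for path, info in triage(SAMPLES).items():
        state = "VALID" if info.valid else "invalid: " + "; ".join(info.problems)
        dirty = " (dirty)" if info.dirty else ""
        print(f"{path}: {state}{dirty} path={info.embedded_path!r} user={info.profile_user}")
```

The first sample shows the truncation caveat: an XP-style path loses its beginning in the 32-character field, but the profile name still sits just before NTUSER.DAT and is recovered. Mismatched sequence numbers (the second sample) mark a hive that was not cleanly flushed, which is worth noting but does not by itself make the hive unusable.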