It has been a while since my last big post. I needed to do some things on a Windows computer because of a problem with a registry hive, and for that I came across the following program:
FRED, which stands for Forensic Registry EDitor. More information about the package can be found here: https://www.pinguin.lu/fred. The project also provides deb sources for easy installation on a Debian-based Linux system. Parts of this guide can also be followed to install it on a normal installation, for instance on a dual boot or on a disk attached to another Linux system.
To use it from a live environment I used the, now free, ESET SysRescue.
In this manual it is assumed that:
- An ESET SysRescue boot CD or USB is available; more information can be found here: http://www.eset.com/int/support/sysrescue/
- The Windows C: drive is mounted locally as “/media/LocalDisk2”
Normally the registry hives are stored in the following locations (the file names are exactly as they appear on disk):
- HKEY_USERS\<SID> (loaded as HKEY_CURRENT_USER for the logged-on user): C:\Documents and Settings\<User Profile>\NTUSER.DAT (Windows Vista and later: C:\Users\<User Profile>\NTUSER.DAT)
- HKEY_USERS\.DEFAULT: C:\Windows\System32\config\DEFAULT
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\System32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\System32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\System32\config\SOFTWARE
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\System32\config\SYSTEM
OK, let's start.
Warning! Editing the registry may damage your system; do not do this unless you know what you are doing. Also make sure Windows was shut down cleanly rather than hibernated, otherwise the hive on disk may be dirty and its transaction log (the .LOG files next to the hive) can overwrite your offline edits the next time Windows boots.
Once the CD has booted, accept the agreement and enable or disable the extra options for the ESET anti-virus as you prefer.
Open the Root Terminal using the following steps:
- Use the menu on the bottom left
- Go to Accessories
- Open Root Terminal
Next we need to add the public key for the deb sources, so that apt can verify the packages. Download the debsign_public.key file from the pinguin.lu site into the current directory and run:
apt-key add debsign_public.key
To edit the sources.list we need a simple text editor. In this example we use “nano”, but you can use any program you prefer. Note that most programs are not installed on the live CD, so it first needs to be installed:
apt-get install nano
In /etc/apt/sources.list add the following line:
deb http://deb.pinguin.lu/i386 ./
Save and exit the file, then run apt-get update so that apt sees the new source. Now we can install the program with the following command:
apt-get install fred fred-reports
After it is installed, point fred at the file of the hive you want to open under the mounted Windows drive. In this example we open the SOFTWARE hive, which lives at /media/LocalDisk2/Windows/System32/config/SOFTWARE.
As most people know, Linux is case sensitive. The machine hives under System32\config are stored with uppercase names (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT), so type them exactly like that; the per-user hive is NTUSER.DAT inside each profile directory.
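As an added example (not part of the original post or of the FRED project), the shell script below wraps this last step for the live CD: it looks up the hive under the mount point while coping with the case-sensitivity issue, checks the regf header to confirm the hive was written out cleanly, records a SHA-256 and keeps a backup copy, and only then launches fred. The mount point /media/LocalDisk2 is the one assumed above; the backup directory /root/hive-backup and calling fred with the hive path as its argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: safely open a registry hive in fred
# from the ESET SysRescue live environment. MOUNT follows the post's setup;
# BACKUP_DIR and the fred invocation are assumptions.

MOUNT="${MOUNT:-/media/LocalDisk2}"             # where the Windows C: drive is mounted
BACKUP_DIR="${BACKUP_DIR:-/root/hive-backup}"   # assumed place for copies and hashes

# Resolve a hive name to its on-disk path. The exact (uppercase) name is tried
# first; a case-insensitive match covers installs where the file is cased differently.
find_hive() {
    config="$1/Windows/System32/config"
    if [ -f "$config/$2" ]; then
        printf '%s\n' "$config/$2"
        return 0
    fi
    found=$(find "$config" -maxdepth 1 -type f -iname "$2" 2>/dev/null | head -n 1)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# A regf header carries two sequence numbers at offsets 4 and 8. Windows raises
# the first before writing and the second after; if they differ the hive is dirty
# (unclean shutdown or hibernation) and the .LOG files still hold changes that
# Windows will replay over anything edited offline.
# Returns 0 = clean, 1 = dirty, 2 = not a regf hive. od reads in host byte order,
# which on x86 is little-endian and matches the regf format.
hive_is_clean() {
    f="$1"
    [ "$(dd if="$f" bs=4 count=1 2>/dev/null)" = "regf" ] || return 2
    set -- $(od -An -tu4 -j4 -N8 "$f")
    [ "$1" = "$2" ]
}

# Keep a copy of the untouched hive and its SHA-256 so the edit can be reverted
# and later shown to be the only change made. Prints the hash.
backup_hive() {
    mkdir -p "$BACKUP_DIR"
    cp -p "$1" "$BACKUP_DIR/$(basename "$1").orig"
    sha256sum "$1" | tee "$BACKUP_DIR/$(basename "$1").sha256" | cut -d' ' -f1
}

# Full procedure: locate, check, back up, then open in fred (assumed to accept
# the hive path as its argument; otherwise use File > Open inside fred).
open_hive() {
    hive=$(find_hive "$MOUNT" "$1") || { echo "hive $1 not found under $MOUNT" >&2; return 1; }
    hive_is_clean "$hive"
    case $? in
        1) echo "$hive is dirty: shut Windows down cleanly (no hibernation) and retry" >&2; return 1 ;;
        2) echo "$hive is not a regf hive" >&2; return 1 ;;
    esac
    echo "original sha256: $(backup_hive "$hive")"
    fred "$hive"
}

# Usage on the live CD, as root, after mounting C:  sh open-hive.sh SOFTWARE
if [ $# -gt 0 ]; then
    open_hive "$1"
fi
```

The dirty-hive check is the part worth keeping even if you open fred by hand: an edit made to a hive whose sequence numbers disagree is likely to be silently undone by log replay on the next boot, which looks like "the registry change did not stick".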
And we are done!
Until next time!