Hi,
An image was dropped into me recently with little in the way of documentation. We are attempting to link the drive back to the original machine and were wondering if this data is held anywhere on disk. A copy of the HARDWARE hive was not taken, so this is not a source of evidence in this matter. Any help would be appreciated.
Regards
The fact that you're looking for the Hardware hive indicates that you suspect that this image was acquired from a Windows system. A simple query or two (via RegRipper or the Forensic Scanner) will provide you with information regarding the type/version of Windows running.
You won't find the Hardware hive, as it is volatile.
You can get some information about the system by parsing the MountedDevices key values within the System hive, as well as examining the setupapi.log or setupapi.dev.log file. The Registry and the Event Logs (again, depending upon the version of the Windows OS) can provide other clues as to the specific hardware on the system.
HTH
In addition to, or instead of, using Regripper to determine Windows version, host name, etc.
Registry Browser (https://
The Registry Browser looks like a cool tool…I'll have to give it a closer look.
However, I'm not sure how getting the USB devices that had been attached to the system would help the OP tie the image to particular hardware.
What I *can* see is using a tool like RegRipper to parse the volume GUIDs in the user's MountPoints2 keys, specifically those related to USB devices, in order to get MAC addresses. This could also be achieved by parsing LNK files, or on Windows 7, Jump Lists.
Other bits of information that may be useful, not to tie the image to specific hardware but rather to an owner, would be (via any tool) Registered Org and user values, warnings that pop up when a user tries to log in, etc.
All great stuff…thanks for sharing the link to the tool.
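To illustrate the MountPoints2 approach described above, here is an added example (not code from the thread or from RegRipper) that pulls the NIC MAC address and generation time out of version-1 volume GUIDs; the key names are constructed samples, and the version-4 and network-share entries show the cases where nothing can be recovered.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample: subkey names as listed under a user's
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
SAMPLE_MOUNTPOINTS2_KEYS = [
    "{5c6a4a60-28d4-11e1-9c7d-000c29f2b1a3}",  # version-1 GUID: node and time fields present
    "{a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d}",  # version-4 GUID: random, nothing to recover
    "##server#share",                           # network share entry, not a GUID at all
]

GUID_RE = re.compile(r"^\{([0-9a-f-]{36})\}$", re.I)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # version-1 time field counts from here

def parse_volume_guid(key_name):
    """Return what a volume GUID reveals about the host that generated it, or None if not a GUID."""
    m = GUID_RE.match(key_name)
    if not m:
        return None
    try:
        u = uuid.UUID(m.group(1))
    except ValueError:
        return None
    info = {"guid": str(u), "version": u.version, "mac": None,
            "generated": None, "locally_administered": None}
    if u.version != 1:
        return info  # only version-1 GUIDs carry a node (MAC) and timestamp
    node_hex = "%012x" % u.node
    info["mac"] = ":".join(node_hex[i:i + 2] for i in range(0, 12, 2))
    # Bit 1 of the first octet set means a locally administered (often random) address,
    # so it cannot be matched against a burned-in NIC address.
    info["locally_administered"] = bool((u.node >> 40) & 0x02)
    # u.time is the count of 100 ns intervals since the UUID epoch.
    info["generated"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return info

def candidate_host_macs(key_names):
    """Distinct burned-in MACs recovered from a list of MountPoints2 key names."""
    macs = set()
    for k in key_names:
        info = parse_volume_guid(k)
        if info and info["mac"] and not info["locally_administered"]:
            macs.add(info["mac"])
    return sorted(macs)

if __name__ == "__main__":
    for k in SAMPLE_MOUNTPOINTS2_KEYS:
        print(k, "->", parse_volume_guid(k))
    print("candidate host MACs:", candidate_host_macs(SAMPLE_MOUNTPOINTS2_KEYS))
```

The recovered MAC and timestamp identify the NIC and time at which the GUID was generated, so they should be compared against any known adapter details for the suspected source machine rather than treated as proof on their own.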
I know, but I mentioned it because the OP made mention of the HARDWARE hive. Registry Browser does about as much reconstructing of the hardware environment as can be done without the HARDWARE hive.
Thanks for all the replies. Yeah, the information I was looking for, as far as I know, only exists in the HARDWARE hive, such as machine make and model. Not to worry, thanks for all the suggestions.
I guess what I'm wondering is why the make and model are so important? There are a bevy of serial numbers (device, volume, etc.) that can tie an image to a disk, and by extension a machine.
Even if the registry said it was a Dell Precision T7500, that may not narrow it down. Whereas a serial number (even a volume serial number) could pinpoint an exact machine.
Why is that route not acceptable?
The assumption being that the image was from a laptop, I'm assuming?
As far as I'm aware, my PC, which I built, has no make and model; however, the individual components do.