
Post Posted: Thu Feb 14, 2013 8:51 am

.....  

Last edited by sverronneau on Tue Dec 02, 2014 7:28 pm; edited 1 time in total

sverronneau
Member

Re: Missing Registry Files...?

Post Posted: Thu Feb 14, 2013 9:48 am

Welcome, first time poster!

- sverronneau
When performing forensics on the image using FTK I noticed I could only pull the NTUSER and software hives, the system, sam, and security were not present on the drive.


I had a hard time parsing the quoted sentence. What could you pull and what was not present? At some point in the sentence it switched; you might try replacing a comma with a semicolon.

Is it possible the drive you're able to access was at one point a boot drive, then was repurposed as a data drive? This sometimes happens when a system is upgraded or when Windows becomes so unstable that the user replaces the system drive but keeps the original for the data. Can you make that determination? What else about the OS was present or missing?
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 

TuckerHST
Senior Member

Re: Missing Registry Files...?

Post Posted: Thu Feb 14, 2013 10:00 am

Steve,

- sverronneau

I am working on a computer forensics case where the computer had two hard drives within it. I removed both from the system following protocol and imaged what was drive "A". When performing forensics on the image using FTK I noticed I could only pull the NTUSER and software hives, the system, sam, and security were not present on the drive. My first assumption was that they would be contained on drive "B", but when I tried to image drive "B" it couldn't be read.... My write block wouldn't even detect the drive (I tried multiple write blocks and PC's).

Does anyone have thoughts, ideas, or answers pertaining to this!?


What was the OS installed on the system? What was the nature of drive A? Is/was it the system drive?

What steps did you use to attempt to retrieve the Registry hives in question? Where did you find the ones you were able to retrieve, and where did you look for the ones you were not able to retrieve?  

keydet89
Senior Member

...

Post Posted: Thu Feb 14, 2013 10:01 am

....  

Last edited by sverronneau on Tue Dec 02, 2014 7:36 pm; edited 1 time in total

sverronneau
Member

Re: Missing Registry Files...?

Post Posted: Thu Feb 14, 2013 10:06 am

Is the "B" drive spinning up? If so, is it making any strange noises - clicking or a noise similar to a ping pong ball bouncing?

It could also be that the controller card on the drive has died.

If you can get an identical working drive and swap the controller cards over, this may sort the problem out.

Chris55728
Member

...

Post Posted: Thu Feb 14, 2013 1:33 pm

.....  

Last edited by sverronneau on Tue Dec 02, 2014 7:36 pm; edited 1 time in total

sverronneau
Member

Re: Missing Registry Files...?

Post Posted: Thu Feb 14, 2013 2:15 pm

- sverronneau
The OS is Windows XP. I am assuming that the "A" drive is the system drive. I found them in FTK by plating the whole evidence file and filtering by Registry Files.


The "B" drive does spin up and sounds good.


It is not a good idea to make assumptions in this profession.

Create a theory, and test it.

A drive might have previously been a system drive; how would you test that?

Or it might have gotten hit by malware; how would you test that?

Don't assume.  

twjolson
Senior Member
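One way to turn keydet89's question ("where did you find the hives you could retrieve, and where did you look for the others?") and twjolson's "create a theory and test it" into something repeatable. This is an added example, not code from the thread or from FTK: it walks a read-only mount of the image, looks for every hive a Windows XP system drive should carry under %SystemRoot%\system32\config plus each profile's NTUSER.DAT, and reads each hive's base block (the "regf" signature at offset 0, the primary and secondary sequence numbers at offsets 4 and 8, and the embedded hive path at offset 48) so that "not present" can be separated from "present but not recognised" or "present but not cleanly flushed". The mount point, the WINDOWS/WINNT root names, the "Documents and Settings" profile root and the whole sample tree are assumptions constructed here so the script runs offline.

```python
"""Inventory Windows XP registry hives on a mounted image (added example).

Assumes the image is mounted read-only at some directory, that the system
root is WINDOWS or WINNT (XP defaults), and that profiles live under
"Documents and Settings". The sample tree built by build_sample_image() is
constructed for this example; it is not data from the thread.
"""
import os
import struct
import tempfile

# Hives an XP system drive carries under %SystemRoot%\system32\config.
SYSTEM_HIVES = ("system", "software", "sam", "security", "default")
SYSTEM_ROOT_CANDIDATES = ("WINDOWS", "WINNT")
PROFILE_ROOT = "Documents and Settings"
REGF_MAGIC = b"regf"


def _find_ci(directory, name):
    """Case-insensitive lookup of one entry in a directory (NTFS names vary)."""
    if not directory or not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def inspect_hive(path):
    """Parse the 4096-byte regf base block and report what it says."""
    with open(path, "rb") as fh:
        block = fh.read(4096)
    if len(block) < 4096 or block[:4] != REGF_MAGIC:
        # File exists but is not a hive (truncated, wiped, or something else).
        return {"path": path, "valid": False, "size": os.path.getsize(path)}
    seq1, seq2 = struct.unpack_from("<II", block, 4)
    # 64-byte UTF-16LE field holding the tail of the hive's own path.
    name = block[48:112].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "path": path,
        "valid": True,
        "size": os.path.getsize(path),
        "dirty": seq1 != seq2,  # sequence mismatch: not cleanly flushed
        "embedded_name": name,
    }


def find_system_root(image_root):
    for name in SYSTEM_ROOT_CANDIDATES:
        cand = os.path.join(image_root, name)
        if os.path.isdir(os.path.join(cand, "system32", "config")):
            return cand
    return None


def inventory_hives(image_root):
    """Return {hive name: report or None}; None means no file of that name."""
    result = {}
    sysroot = find_system_root(image_root)
    config_dir = os.path.join(sysroot, "system32", "config") if sysroot else None
    for hive in SYSTEM_HIVES:
        found = _find_ci(config_dir, hive)
        result[hive] = inspect_hive(found) if found else None
    profiles = os.path.join(image_root, PROFILE_ROOT)
    if os.path.isdir(profiles):
        for user in sorted(os.listdir(profiles)):
            found = _find_ci(os.path.join(profiles, user), "ntuser.dat")
            if found:
                result["NTUSER:" + user] = inspect_hive(found)
    return result


def missing_hives(inventory):
    """System hives for which no file exists at all."""
    return sorted(h for h in SYSTEM_HIVES if inventory.get(h) is None)


def _write_hive(path, name, seq1, seq2):
    """Write a minimal synthetic base block (constructed test data)."""
    block = bytearray(4096)
    block[:4] = REGF_MAGIC
    struct.pack_into("<II", block, 4, seq1, seq2)
    encoded = name.encode("utf-16-le")[-64:]  # field keeps the path tail
    block[48:48 + len(encoded)] = encoded
    with open(path, "wb") as fh:
        fh.write(block)


def build_sample_image():
    """Constructed tree mirroring the thread: software + NTUSER present,
    system/sam/security absent, default present but not cleanly flushed."""
    root = tempfile.mkdtemp(prefix="xp_image_")
    config = os.path.join(root, "WINDOWS", "system32", "config")
    os.makedirs(config)
    _write_hive(os.path.join(config, "software"), r"emRoot\System32\Config\SOFTWARE", 7, 7)
    _write_hive(os.path.join(config, "default"), r"emRoot\System32\Config\DEFAULT", 3, 2)
    user_dir = os.path.join(root, PROFILE_ROOT, "Steve")
    os.makedirs(user_dir)
    _write_hive(os.path.join(user_dir, "NTUSER.DAT"),
                r"\??\C:\Documents and Settings\Steve\ntuser.dat", 5, 5)
    return root


if __name__ == "__main__":
    inv = inventory_hives(build_sample_image())
    for name, report in inv.items():
        print(name, "->", "MISSING" if report is None else report)
    print("missing system hives:", missing_hives(inv))
```

Run it against the real mount instead of the sample tree by passing the mount point to inventory_hives(). If the system, sam and security entries come back None while software parses cleanly, that supports "never written to this drive" or "deleted" (next step: unallocated space and the config directory's $I30 index) rather than an FTK filtering problem; if they come back as files that fail the signature check, the files are there but damaged, which is a different theory to test.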