Best Way to Dump the Registry Hives from a Live System

7 Posts
4 Users
0 Reactions
3,253 Views
(@mbrown)
Eminent Member
Joined: 17 years ago
Posts: 27
Topic starter  

Hi,
I was wondering what the best way to dump the registry hives while the system is still running. I've also been considering using the reg save command, but it gives me an error when trying to run it against hku or hklm.


reg save hklm hklm.hive - "Error Access is denied"
reg save hkcu hkcu.hive - works
reg save hkcr hkcr.hive - works
reg save hku hku.hive - "Error Access is denied"
reg save hkcc hkcc.hive - "Error Access is denied"

Strangely enough, dumping them to a .reg file doesn't result in an error.


reg export hklm hklm.reg
reg export hkcu hkcu.reg
reg export hkcr hkcr.reg
reg export hku hku.reg
reg export hkcc hkcc.reg

Any ideas? Also, would you recommend this approach or trying to VSS the corresponding files from the hard drive? Ideally I want to then take these hive files and feed them into RegRipper (thanks keydet89).


   
Quote
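Added example for the question above (this is my script, not something posted in the thread). `reg save` against the root keys HKLM and HKU is denied because neither is a hive in its own right; each is a container under which several separate hive files are mounted (SAM, SECURITY, SOFTWARE, SYSTEM under HKLM and one NTUSER hive per loaded user SID under HKU), whereas HKCU is a link to a single loaded hive, which is why it saves without complaint. The script saves those hives one by one from an elevated prompt and then checks each output file's REGF header (the `regf` signature at offset 0 and the two sequence numbers at offsets 4 and 8) so that a malformed or dirty hive is noticed before RegRipper sees it. The output folder `C:\Triage\hives` and the `Test-RegfHeader` function name are my assumptions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# on the live system. Destination folder is an assumption.
$OutDir = "C:\Triage\hives"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# HKLM and HKU are containers, not hives, so they are saved per hive.
$Hives = @{
    "SAM"      = "HKLM\SAM"
    "SECURITY" = "HKLM\SECURITY"
    "SOFTWARE" = "HKLM\SOFTWARE"
    "SYSTEM"   = "HKLM\SYSTEM"
}

# One NTUSER hive per loaded user account under HKU; the regex keeps only
# S-1-5-21-... user SIDs and skips the *_Classes views and service SIDs.
Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    $sid = $_.PSChildName
    if ($sid -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        $Hives["NTUSER_$sid"] = "HKU\$sid"
    }
}

foreach ($name in @($Hives.Keys)) {
    $dest = Join-Path $OutDir "$name.hiv"
    # /y is the documented reg.exe switch to overwrite without prompting.
    & reg.exe save $Hives[$name] $dest /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg save failed for $($Hives[$name]) (exit code $LASTEXITCODE)"
    }
}

# Sanity-check a saved hive: 'regf' signature, and primary/secondary sequence
# numbers that agree (a mismatch means unflushed transactions, i.e. a dirty hive).
function Test-RegfHeader {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x200) {
        return [pscustomobject]@{ Path = $Path; Valid = $false; Dirty = $null }
    }
    $sig  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4)
    $seq1 = [BitConverter]::ToUInt32($bytes, 4)
    $seq2 = [BitConverter]::ToUInt32($bytes, 8)
    [pscustomobject]@{
        Path  = $Path
        Valid = ($sig -eq 'regf')
        Dirty = ($seq1 -ne $seq2)
    }
}

Get-ChildItem $OutDir -Filter *.hiv |
    ForEach-Object { Test-RegfHeader -Path $_.FullName } |
    Format-Table -AutoSize
```

Files written by `reg save` are consistent snapshots, so they should report `Dirty = False`; the header check earns its keep when hives are instead copied raw from a volume shadow copy of `\Windows\System32\config`, where the on-disk file may lag the in-memory state and the matching `.LOG` transaction logs need to be collected alongside it. Either way, RegRipper wants the binary `.hiv` files produced here, not the text `.reg` export.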
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

FTK Imager is about as easy as it gets.


   
ReplyQuote
hogfly
(@hogfly)
Reputable Member
Joined: 21 years ago
Posts: 287
 

I get live hives using f-response. I made a youtube video showing analysis using regripper on a live system as well, over an f-response connection.


   
ReplyQuote
(@mbrown)
Eminent Member
Joined: 17 years ago
Posts: 27
Topic starter  

Thank you for your reply. Regarding using FTK Imager, can you be more precise on what options to use? I don't want to image the entire drive at this stage. I just want to copy the registry hives. Thanks.


   
ReplyQuote
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

On the suspect machine you use FTK Imager and select File -> Obtain Protected Files. In the Obtain System Files Window change the option to Password recovery and all registry files. Or via F-Response (which is a very cool product and Matthew and his group are very responsive) you can use FTK Imager and pull the Registry files from the suspect machine to your Examiner machine.


   
ReplyQuote
(@mbrown)
Eminent Member
Joined: 17 years ago
Posts: 27
Topic starter  

Awesome. Thanks BitHead )


   
ReplyQuote
(@fresponse_s)
Trusted Member
Joined: 17 years ago
Posts: 70
 

Thanks gentlemen!

mbrown, if you'd like, we do offer a 30-day risk free trial of F-Response on the website..

http://www.f-response.com/index.php?page=shop.product_details&flypage=shop.flypage&product_id=11&category_id=2&manufacturer_id=0&option=com_virtuemart&Itemid=26

Thanks for your interest in F-Response.

If you have any question please don't hesitate to contact me or the team here at F-Response.

Warmest Regards,


   
ReplyQuote
Share: