I hope I did not ask a stupid question here.
I want to capture a set of registry files from a live PC. Is there any nice small tool that someone can introduce to me?
I have been trying to use FTK Imager Lite, but it images the whole disk, and I just need the registry for comparison.
I am just a student in the field and I want to use RegRipper afterwards to compare.
Thanks in advance.
Not a stupid question at all. Use FTK Imager Lite to capture the RAM from your live subject.
You would then examine the memory dump using the
Thanks for the tips Jonathan. Is there any small tool I can use to extract registry hives quickly? Imaging a disk just for a set of registry keys is a bit of a waste of time (this step may take over half an hour for just a 30 GB disk).
Also, I want to ask which plugin I should use in order to read the 'default' key other than the 5 registry keys ntuser, sam, security, software & system? I have read some posts which said to also include the 'default', but which plugin file should I select when I use rr.exe to extract? There are only 5 types. Should I use the 'all'?
Thirdly, I experienced inconsistent results after I ran rr.exe with some plugins. The registry key is over 50K; in my case it is the 'software' key. RegRipper generated only a very short report which included just some headings, and I had to extract from the image again in order to get the correct one. The second time I extracted, the report generated some strange ASCII, and the third time it became normal.
I understand that there is a small window in rr.exe showing the process it did, but I want to ask if someone knows how to make sure that I extracted it right in the first place?
Thank you in advance.
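One way to answer the "did I extract it right?" question before running RegRipper is to sanity-check the hive file itself. The script below is an added example, not code from the thread or from RegRipper; it checks the base block fields documented in the public hive format (the "regf" magic, the primary/secondary sequence numbers, the header XOR checksum, the first "hbin") and records a SHA-256 so repeated extractions can be compared. The sample hive it builds is constructed purely for demonstration.

```python
# Added example (not from the thread): consistency checks on an extracted registry hive.
# A copy taken while Windows was still writing the hive typically has unequal sequence
# numbers; a truncated copy is shorter than header + declared hive-bin data.
import hashlib
import struct

BASE_BLOCK = 4096  # size of the hive header (base block)

def header_checksum(data: bytes) -> int:
    """XOR of the 127 little-endian dwords in bytes 0..507 (stored at offset 508).
    The format special-cases results of 0 and 0xFFFFFFFF; not handled here."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", data[:508]):
        csum ^= dword
    return csum

def check_hive(data: bytes) -> dict:
    """Return a dict of checks; True means that aspect of the capture looks consistent."""
    result = {"sha256": hashlib.sha256(data).hexdigest()}
    result["signature_ok"] = data[:4] == b"regf"
    if len(data) < BASE_BLOCK + 4 or not result["signature_ok"]:
        result.update(seq_consistent=False, checksum_ok=False, hbin_ok=False, size_ok=False)
        return result
    primary, secondary = struct.unpack_from("<II", data, 4)
    hbins_size = struct.unpack_from("<I", data, 40)[0]
    stored = struct.unpack_from("<I", data, 508)[0]
    result["seq_consistent"] = primary == secondary
    result["checksum_ok"] = stored == header_checksum(data)
    result["hbin_ok"] = data[BASE_BLOCK:BASE_BLOCK + 4] == b"hbin"
    result["size_ok"] = len(data) >= BASE_BLOCK + hbins_size
    return result

def build_sample_hive(dirty: bool = False) -> bytes:
    """Constructed minimal hive (header + one empty 4096-byte hbin); not a real capture."""
    hdr = bytearray(BASE_BLOCK)
    hdr[:4] = b"regf"
    struct.pack_into("<II", hdr, 4, 7, 6 if dirty else 7)  # primary, secondary sequence
    struct.pack_into("<IIII", hdr, 20, 1, 5, 0, 1)  # major, minor, type=primary, format
    struct.pack_into("<II", hdr, 36, 0x20, 4096)  # root cell offset, hive bins data size
    struct.pack_into("<I", hdr, 508, header_checksum(bytes(hdr)))
    hbin = bytearray(4096)
    hbin[:4] = b"hbin"
    struct.pack_into("<II", hbin, 4, 0, 4096)  # hbin offset, hbin size
    return bytes(hdr + hbin)

if __name__ == "__main__":
    for name, value in check_hive(build_sample_hive()).items():
        print(f"{name}: {value}")
```

To check a real export, read the file with `open(path, "rb").read()` and pass it to `check_hive`; a hive whose hash differs between two extractions while all checks pass is simply a later snapshot, not a bad copy.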
From reading your post it sounds like you might not have much registry experience. You should check out Windows Registry Forensics by Harlan Carvey (new as of Feb 2011). It's a good book, and it sounds like it would be very useful for you. You can get a Kindle version of it so you could start reading in a few minutes after downloading the Kindle App for your PC.
http://www.amazon.com/Windows-Registry-Forensics-Advanced-ebook/dp/B004JN0CDO/ref=tmm_kin_title_0?ie=UTF8&m=AG56TWVU5XWC2&qid=1299542724&sr=8-1
Hope this helps. He talks about various tools, etc.
Thanks for the reply MrWh1t3. Unfortunately I am in China, which does not allow this option right now.
Thanks anyway.
WRF does not go into how to capture Registry files from memory. He does, however, point to other sources (which, of course, I cannot find right now).
For the sake of clarity, are you asking to capture registry files from memory, or are you asking to capture registry files from a running system?
The first is possible, but I've had little luck with the weak attempt I managed, and there is no 'small tool' that will do it quick and easy for you. The procedure basically is to capture memory (such as with FTK Imager) and then run Volatility and RegRipper.
The second (which in my opinion is what most mean when they say they want to capture the registry of a live system) is fairly simple: if you open FTK Imager, there is a button to 'Obtain Protected Files', which will grab all the registry files from the disk. Since you seem interested in the default hive, which isn't volatile, this is the best option. Windows should keep the disk copy relatively up to date with what's in memory.
Now, regarding which plugin to use. The ones you list (ntuser, sam, security, etc.) are just collections of plugins. There are actually nigh on 200 plugins that seek individual (or a handful of) keys and output results. The ones you list are just those classified to those hives. I am, however, unsure there are any plugins that seek information from the default hive, nor have I heard of any forensically important values within that hive. If I am correct, that means that you will have to open up some sort of registry viewer and find the information you seek manually.
Have you tried using the "Obtain Protected Files" function of Imager? Select that and then the option for All Registry files.
Stupid am I. The "Obtain Protected Files" option is just right in front of you.
Thank you both for pointing me in the right direction.
Cheers,
Nothing stupid about your question or what you discovered. It can take some time to get used to forensic tools, especially as developers like Access Data add more functionality to even their free tools such as FTK Imager.
Keep in mind that these tools are designed for a specific technical purpose, so there isn't a tremendous amount of developmental work going into making an easy-to-use user interface. We have a lot of great digital forensic tools out there, but they can be somewhat complicated to learn, especially if the user is new to the field.
Thank you all.
This forum is so good. I am sure I will come here more often.
In fact I just came across a so-called 'military base' (according to the man I've met) malware developed by the Chinese military, a non-market product.
I happen to have the chance to obtain a copy for a short period of time, and I will start another post here to see if I can get some advice on what I should do to examine this malware.