Registry Analysis

(@paulo111)
Eminent Member
Joined: 17 years ago
Posts: 36
Topic starter  

What tools work well to analyze the registry of an .E01 file. Can I simply export hives and import into another application for further analysis?


   
Quote
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Yes, export the hives; there have been free tools posted on this board recently for analysing them. Or there are the commercial variations like FTK Registry Viewer etc.
(Personally I generally use FTKRV.)


   
ReplyQuote
(@dficsi)
Reputable Member
Joined: 19 years ago
Posts: 283
 

Yes you can. You can also use EnCase to 'View File Structure' to see the whole hive in EnCase.

Other useful software includes AccessData Registry Viewer and Windows Registry Analyzer.


   
ReplyQuote
(@paulo111)
Eminent Member
Joined: 17 years ago
Posts: 36
Topic starter  

> Yes, export the hives, there have been free tools posted on this board recently for analysing them. Or there are the commercial variations like FTK registry viewer etc.
> (Personally i generally use FTKRV)

Hi Rich, can you tell me the location of all the hives on an XP machine? I know ntuser.dat was one, but I have lost my old document which detailed them all. I am interested in testing out these free tools; do you know what they were called?


   
ReplyQuote
(@paulo111)
Eminent Member
Joined: 17 years ago
Posts: 36
Topic starter  

> Yes you can. You can also use EnCase to 'View File Structure' to see the whole hive in EnCase.
>
> Other useful software includes AccessData Registry Viewer and Windows Registry Analyzer.

Cheers dficsi.


   
ReplyQuote
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

The ntuser.dat per user under Documents and Settings/username/ for XP, for example, then the hives from the Windows dir (system32/config): system, sam, security, default, software.
(One of the free tools posted on here recently: http://www.gaijin.at/dlregview.php )
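As an added example (not code from any poster, nor from RegRipper or PlainSight), a Python script that walks the XP hive locations Rich lists under a mounted image root and checks each hive's `regf` base block before the file is handed to a viewer. The mount path, the directory-name case and the sample header used in testing are assumptions; the header layout (signature, sequence numbers, FILETIME, version, embedded name, XOR checksum) is the standard hive format.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# XP hive locations relative to the image root, as listed in the thread.
# Directory-name case is an assumption; on a case-sensitive mount check both.
SYSTEM_HIVES = ["system", "sam", "security", "default", "software"]
CONFIG_DIR = Path("WINDOWS") / "system32" / "config"
PROFILES_DIR = Path("Documents and Settings")


def regf_checksum(data):
    """XOR of the first 127 little-endian DWORDs of the base block, with the
    two special cases Windows applies (0 is stored as 1, 0xFFFFFFFF as 0xFFFFFFFE)."""
    calc = 0
    for (dword,) in struct.iter_unpack("<I", data[:508]):
        calc ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(calc, calc)


def parse_regf_header(data):
    """Parse a hive's 512-byte base block and report integrity indicators."""
    if len(data) < 512 or data[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    primary_seq, secondary_seq, last_written, major, minor = struct.unpack_from("<IIQII", data, 4)
    # Embedded file name: 64 bytes of UTF-16LE at offset 48, NUL padded.
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "hive_name": name,
        "version": f"{major}.{minor}",
        "last_written": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=last_written // 10),
        # Unequal sequence numbers mean the last write never completed (dirty hive):
        # a viewer may show stale keys unless the transaction log is replayed.
        "dirty": primary_seq != secondary_seq,
        "checksum_ok": regf_checksum(data) == stored,
    }


def find_xp_hives(image_root):
    """Yield (label, path) for every hive from the thread present under the mount."""
    root = Path(image_root)
    for name in SYSTEM_HIVES:
        if (root / CONFIG_DIR / name).is_file():
            yield name, root / CONFIG_DIR / name
    profiles = root / PROFILES_DIR
    for profile in profiles.iterdir() if profiles.is_dir() else []:
        if (profile / "NTUSER.DAT").is_file():
            yield f"ntuser:{profile.name}", profile / "NTUSER.DAT"
```

Run `parse_regf_header(path.read_bytes())` on each hive from `find_xp_hives("/mnt/e01")` and note any hive reported as dirty or with a bad checksum before exporting it.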


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

If you have a disk image, you can consider the idea of using PlainSight.

It's a liveCD, so eventually you can use it directly on the analyzed box, but you can also use it on a drive image (raw dd).

This tool makes (imho) a good registry analysis and reports it into a nice and well-formatted HTML report.
This tool is based on RegRipper.

It reports useful data like USB connected devices, user information, logons, Windows Firewall configuration and other things.

www.plainsight.info


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Actually, the tool on PlainSight is RegRipper. If you have an .E01 file, all you need to do is open it in FTK Imager and extract the Registry hives, and then download RegRipper from regripper.net.


   
ReplyQuote
Share: