Hello fellow Forensic practitioners! I have no documented computer work experience; I have had one class apart from my gen ed, which was Visual Basic (I learned that my favorite command was me.close). I am a college student in between semesters and trying to learn what and where the Windows registry is, what it contains, and how to read it. So far I am making AWESOME progress! So far I have, are you ready for it? Waaait for it…..OPENED IT THROUGH THE CMD LINE USING REGEDIT!!! lol. So now that I have this tree of keys and sub-keys, I keep trying to open sub-keys and it either shows me a box with Value Name and Value Data, or it shows me a hexadecimal-filled box that I can copy, but I can't paste it into any program in order to get it translated into something I can at least read, if nothing else. I have read multiple posts about how valuable the registry is and the gold mine it can turn out to be. So far the only thing I've run into while digging through my comp is the septic tank full of…well, you get the idea. Please feel free to tell me what it is that I am looking at or how in the world to interpret it into something tangible. Also, just out of curiosity and off topic, can anyone tell me if the computer I have is going to be good enough for practicing forensics? I think it might be far more capable of doing great things if in the right hands. Thank you for all the help!
Sincerely,
Jerry
Windows 7 Home Premium 64-bit
Acer Aspire x1420G-U5832
AMD Athlon IIx4 645 quad-core processor
1TB HD
4GB DDR3 Mem.
Until you are making money with your computer, what you have is fine.
As for the Registry, start HERE.
Once you get through those 16 pages, honestly I would Google "registry forensics" and start reading.
Then Google "regripper". Download the tool and start playing with it to see how the things you read previously fit.
I will say that the Registry will make more sense the more you learn about general computing.
Thank you very much, Bithead, for reaching your hand out to help me. It's because of people like you reaching out to help people like me that we keep striving forward to learn more and stay focused, so we may some day be as worthy. I'll return and update the post as I learn the registry so other beginners in a similar situation may be able to use this information as well! And thank you for replying to the off-topic computer spec question as well.
Thanks again Bithead, you're awesome!
Respectfully,
Jerry D
If you don't mind spending some coin, I would highly recommend Windows Registry Forensics by Harlan Carvey (if you want to concentrate solely on the registry); otherwise I would recommend Windows Forensic Toolkit by Harlan Carvey if you want a full view of Windows forensics.
Your pictures are not viewable. So I can not answer your questions.
Also, in regard to practicing: your computer is fine. I would recommend SIFT Workstation by SANS. Run it in VMware (Workstation or Player) if your computer can, or run it as a LiveCD. Since you are not afraid of the command line, it will be invaluable to you. It does have some GUI programs (all free) as well.
SIFT is a good lesson that you don't have to spend thousands of dollars to practice computer forensics.
Please feel free to tell me what it is that I am looking at or how in the world to interpret it into something tangible.
Sorry, can't see what you uploaded…
…can anyone tell me if the computer I have is going to be good enough for practicing forensics. I think it might be far more capable of doing great things if in the right hands?
It's fine. You'd be surprised at what someone with some knowledge and experience can do with that system.
You'd be surprised at what someone with some knowledge and experience can do with that system.
… or even a much less recent/powerful one wink
or it shows me a hexadecimal filled box that I can copy, but I cant paste in any program in order to get it translated into something I can at least read if nothing else.
What if the *any* program is a Hex editor?
(most hex editors will accept as "paste" "hex text")
jaclaz
Thank you guys so much! I tried for 2-3 days to reply back to the responses, but FF kept trying to get me to log in, even though I was already logged in here. Then when I would log in "again", it would send me to my profile page. So anyway, I am finally able to get back in here and I wanted to say thanks to everyone for helping me out. I downloaded SANS SIFT Workstation and I launch it via VMware Player. However, when I try to change the appearance of the workstation through the settings, nothing will open afterwards. I try to open a program through the GUI menu and I see it's loading at the bottom task bar, the screen flashes one time very quickly, and then nothing else happens. No program opens, no error message, nada, zilch, kaput. Can't change appearance, I guess. As soon as I reload the Workstation, I should be able to dig around and discover some usable tools, I'm sure. Thanks again and I look forward to seeing you all in the forums.
Jerry