Security Basics mailing list archives

RE: tools used to examine a computer


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Tue, 25 Feb 2003 14:49:37 -0000

OOPS, my mistake.  I was sure I got it from sysinternals.  I searched
and found it here

http://unxutils.sourceforge.net/

For Netcat for Windows go here

http://www.extremetech.com/article2/0,3973,35366,00.asp

Apologies to all for that.

Once you have the directory and want to analyse it, the best tool I found
to work with this DD image file is @stake autopsy.  Found at

http://www.atstake.com/research/tools/autopsy/

Excellent tool.

On the registry file, if you bring your registry file from the
/NTPartition/winnt/repair or /NTPartition/winnt/system32/config to a
windows machine and use regedit as follows

1) Open REGEDT32 and select the root key of HKEY_LOCAL_MACHINE. 

2) Select Registry > Load Hive. 

3) You can now select the offline registry file (e.g., recently copied
over registry file). 

4) REGEDT32 now asks for the key name to place the Registry hive into.
Call it 'suspect'. 

The hive now shows up in the Registry tree and can be viewed as any
normal hive. 

OR 

You can clone the disk and boot your new system to view the registry the
normal way.

Another method worth being aware of is this little beauty
http://home.eunet.no/~pnordahl/ntpasswd/

I'm not sure what scenario you would use this in as far as forensics is
involved, but a handy tool in any arsenal.  No good on a RAIDed system last
time I tried it.

Hope this helps and sorry again for the misdirection to sysinternals.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

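An added example, not part of Trevor's message or of any tool he names, for the step of copying SYSTEM or SAM out of /NTPartition/winnt/system32/config before loading it with REGEDT32. A file pulled off a mounted image can be a partial copy or a hive caught mid-write, and Load Hive will either refuse it or silently repair it. The Python below reads the documented regf base block: it checks the "regf" signature and the XOR-32 checksum, compares the primary and secondary sequence numbers (a mismatch means the hive was not cleanly flushed), and reports the embedded file name and last-written FILETIME so you can sanity-check the copy against the acquisition time. The two hives it inspects are constructed in the code, not real registry files.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_SIZE = 4096   # the regf base block is the first 4096 bytes of a hive
HBIN_BASE = 4096         # cell offsets in the header are relative to the first hbin


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample hives."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(block):
    """XOR of the first 508 bytes read as 127 little-endian uint32 words.
    The documented format maps 0xFFFFFFFF to 0xFFFFFFFE and 0 to 1."""
    csum = 0
    for (word,) in struct.iter_unpack("<I", block[:508]):
        csum ^= word
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def parse_regf_header(data):
    """Parse the base block of a hive file and return the triage-relevant fields."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("shorter than a regf base block (%d bytes)" % BASE_BLOCK_SIZE)
    block = data[:BASE_BLOCK_SIZE]
    if block[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    # Offsets 4..47: primary seq, secondary seq, last written (FILETIME),
    # major, minor, file type, file format, root cell offset, hbins size, cluster
    (primary, secondary, last_written, major, minor, file_type, _fmt,
     root_cell, hbins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", block, 4)
    # Offsets 48..111: UTF-16LE file name, zero padded
    name = block[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", block, 508)[0]
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        # unequal sequence numbers: the last write never completed (dirty hive)
        "dirty": primary != secondary,
        "last_written": filetime_to_datetime(last_written),
        "version": (major, minor),
        "file_type": file_type,          # 0 = primary hive file
        "root_cell_offset": HBIN_BASE + root_cell,
        "hbins_size": hbins_size,
        "embedded_name": name,
        "checksum_ok": stored_checksum == regf_checksum(block),
    }


def is_registry_hive(data):
    """True if the buffer starts with a parseable regf base block."""
    try:
        parse_regf_header(data)
        return True
    except ValueError:
        return False


def build_sample_hive(name, primary, secondary, last_written, minor=3):
    """Construct a synthetic base block (constructed test data, not a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    struct.pack_into("<IIQIIIIIII", block, 4, primary, secondary,
                     datetime_to_filetime(last_written), 1, minor, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")
    if len(encoded) > 64:
        raise ValueError("file name field holds at most 64 bytes")
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


# Constructed samples: a cleanly flushed SAM copy and a SYSTEM copy caught mid-write.
SAMPLE_TIME = datetime(2003, 2, 25, 13, 49, 0, tzinfo=timezone.utc)
CLEAN_HIVE = build_sample_hive(r"\SystemRoot\System32\Config\SAM", 7, 7, SAMPLE_TIME)
DIRTY_HIVE = build_sample_hive("SYSTEM", 12, 11, SAMPLE_TIME)

if __name__ == "__main__":
    for label, hive in (("clean", CLEAN_HIVE), ("dirty", DIRTY_HIVE)):
        print(label, parse_regf_header(hive))
```

Run it against a real copy with `parse_regf_header(open(path, "rb").read())`. A hive reported as dirty is best paired with its transaction log from the same config directory before it goes into Load Hive, and a last-written time later than your acquisition time is a sign the copy was taken from a live rather than an offline system.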


-----Original Message-----
From: H C [mailto:keydet89 () yahoo com] 
Sent: 25 February 2003 13:49
To: security-basics () securityfocus com
Subject: RE: tools used to examine a computer


As Trevor pointed out, files such as this one provide
quite a bit of detail regarding setting all of this
up:

http://www.rajeevnet.com/hacks_hints/os_clone/os_cloning.html

Go to www.sysinternals.com and get the Unix Utils
which will include dd and netcat for Windows

SysInternals?  Could you provide a more explicit link?
 I'm pretty familiar w/ the SysInternals site, and I'm
even looking there now...and I can't find these Unix
Utils you're mentioning.

Now when you cd into the /NTPartition directory you
will see all the files from your NT machine.  Yes,
including the SAM files etc.

Now, the big question is...once you've got all of
these files on the Linux system, what tools do you use
to view the contents of some of the binary
files...such as the Registry?



