Accessing registry hives in FTK Imager (Windows systems)

This tutorial is based on acquiring from the physical machine you are sitting at (a live, running system) rather than from a forensic image file.

You will need:
FTK Imager
A Windows physical machine (with administrator rights on it)
Registry Viewer

First, open FTK Imager. Run it as administrator: without elevated rights it cannot open the raw logical drive.

Once opened, go to the File menu and click Add Evidence Item...
Tip: there is also a toolbar button for this just under the File menu.

You will then be offered the evidence source types; we will be picking Logical Drive.

You will then be presented with a list of drives to choose from.
We will be using the C:\ drive, as this is the system drive of our physical computer and we know it contains Windows\System32.


The logical drive is now loaded into FTK Imager as an evidence item.

Expanding [root] - Windows - System32 - config reveals the registry hive files, as the screenshots below show.

So I expanded the root,
then navigated down the tree to the Windows folder.

I then navigated until I found System32.
Note: System32 is a child directory of Windows, so expanding Windows will reveal it.

Alternatively, you can just click on Windows and look in the right-hand file list pane until you find it.
Click on System32 and then look for config.

We can now look for the registry hive files; we want the following:
DEFAULT
SAM
SECURITY
SOFTWARE
SYSTEM

Note: on a running system these files are held open by Windows and cannot simply be copied out with Explorer, which is why we read them through FTK Imager's raw access to the drive. Their transaction logs (SAM.LOG1, SAM.LOG2 and so on) sit alongside them in config; export those too if you want a parser to replay changes not yet written into the main hive. The per-user hives (NTUSER.DAT, UsrClass.dat) live under each user profile, not in config, and are not covered here.

Now that we have located them, we need to export them as files so that another application can read and make sense of them.

To do this, simply right-click the hive file and choose Export Files..., then pick a destination.

Save these in a folder that you will remember!

Note: in the same right-click menu, just under Export Files, is Export File Hash List.
Use it: it records the MD5 and SHA1 of each selected file as read from the drive, which is how you will later prove that you did not change anything.

I have chosen to demonstrate with the SYSTEM hive.

Here's what was exported:

Registry Viewer

So, now that we have the hive file, we need to view it. But how?
Open Registry Viewer.

As soon as it opens, go to the File menu, then Open, locate your exported hive file and open it.


You should be given the following view

You will now be able to explore the hive, but we will save that for a later tutorial.

BUT WAIT
What if I have changed the hive file since pulling it? Simply check: take a hash before exporting (the hash list from FTK Imager), once exported (hash the file on disk) and again after it has been loaded in Registry Viewer, then compare all three.

I did this with another SYSTEM file and it gave me the following:

The hashes match, meaning the exported copy is bit-for-bit identical to what was read from the drive. That is what lets the evidence be upheld were it to go to court.

Note: remember ACPO Good Practice Guide principle 1: no action taken should change data that may later be relied upon in court.
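As an added example (not part of the original tutorial, and not FTK Imager's or Registry Viewer's own tooling), the PowerShell below does the hash cross-check described above from an elevated prompt on the same live machine. It first shows why the hives have to come out via FTK Imager at all: an ordinary copy of the live files under C:\Windows\System32\config is refused because Windows holds them open. It then hashes the exported copies and compares them with the list FTK Imager produced. The export folder, the hashes.csv file name and the CSV column names MD5, SHA1 and FileNames are assumptions; adjust them to what your Export File Hash List actually wrote.

```powershell
# Added example for this tutorial, not part of the original page or of FTK Imager.
# Assumptions (change to suit): hives were exported to $ExportDir, and the hash list
# from FTK Imager's "Export File Hash List" was saved there as hashes.csv with the
# columns MD5, SHA1, FileNames (FileNames holding the path inside the evidence item).

$ExportDir = 'C:\Cases\Case001\Hives'            # assumed export folder
$HashList  = Join-Path $ExportDir 'hashes.csv'   # assumed hash list location
$Hives     = 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'

# 1. Why FTK Imager is needed at all: on the live machine the hives are held open
#    by the kernel, so an ordinary file copy is refused even as administrator.
foreach ($h in $Hives) {
    $live = "C:\Windows\System32\config\$h"
    try {
        Copy-Item -Path $live -Destination (Join-Path $env:TEMP "$h.copy") -ErrorAction Stop
        Write-Warning "$h was copied directly; that is not expected on a running system"
    } catch {
        Write-Host ("{0,-9} locked on the live system: {1}" -f $h, $_.Exception.Message)
    }
}

# 2. Hash the exported copies with the same two algorithms FTK Imager records.
function Get-HiveHashes {
    param([string]$Dir, [string[]]$Names)
    foreach ($n in $Names) {
        $f = Join-Path $Dir $n
        [pscustomobject]@{
            Name = $n
            MD5  = (Get-FileHash -Path $f -Algorithm MD5).Hash.ToLower()
            SHA1 = (Get-FileHash -Path $f -Algorithm SHA1).Hash.ToLower()
        }
    }
}

# 3. Compare against what FTK Imager hashed as it read the drive.
function Compare-HiveHashes {
    param([object[]]$Computed, [string]$CsvPath)
    $expected = Import-Csv -Path $CsvPath
    foreach ($c in $Computed) {
        # Match on the trailing file name so the evidence-tree prefix in FileNames does not matter.
        $row = $expected | Where-Object { $_.FileNames -like "*$($c.Name)" } | Select-Object -First 1
        if (-not $row) { Write-Warning "$($c.Name): no entry in hash list"; continue }
        $ok = ($row.MD5.ToLower() -eq $c.MD5) -and ($row.SHA1.ToLower() -eq $c.SHA1)
        [pscustomobject]@{
            Name   = $c.Name
            MD5    = $c.MD5
            SHA1   = $c.SHA1
            Result = $(if ($ok) { 'MATCH' } else { 'MISMATCH' })
        }
    }
}

# Run once straight after export, and again after Registry Viewer has opened the
# hive; both runs should report MATCH for every file. Keep the output with the case notes.
$afterExport = Get-HiveHashes -Dir $ExportDir -Names $Hives
Compare-HiveHashes -Computed $afterExport -CsvPath $HashList | Format-Table -AutoSize
```

Run it from an elevated PowerShell after exporting. The first loop is expected to report every hive as locked; a MISMATCH in the table means the exported copy no longer matches what FTK Imager read from the drive and should not be relied upon.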
