How to open a raw registry file (taken from another computer)?

I am working on a digital forensic investigation case (not a real one, obviously) and I have a raw image (.dd) from a Windows (NTFS) partition. I have to find out when a specific file was created.

To that end I am trying to find the correct timezone that is used on the system.

What I have done so far is use Autopsy to export the registry system file (\system32\config\system), since that is where that piece of information is stored.

But I can't figure out how to read that file. Regedit won't work, since it expects a .reg file. Is there a way to read the registry system file?

EDIT:

So I tried using regedit. But it gives me an error: "Error loading hive". That's all it says.

user2285451

Posted 2014-06-17T15:04:41.330

Your real question seems to be how to open an exported registry system file. That's a Windows admin question and not a security question. If you are asking an Autopsy-specific question, then you need to look to vendor-specific sources. – schroeder – 2014-06-17T15:07:20.593

possible duplicate of "Remote" registry editing - Windows 7 – Ƭᴇcʜιᴇ007 – 2014-06-17T15:52:29.427

Regedit doesn't always expect a .reg file... you can load remote hive files. 1) Open regedit 2) Click "HKLM" (if HKLM is the area you need to investigate) to highlight it 3) Click "File" 4) Click "Load hive" 5) locate the file you have recovered from the DD image and the file should load within the HKLM tree in regedit for you to browse. – Kinnectus – 2014-06-17T15:57:45.740

What file format is your exported registry system file in? – Lincoln Bergeson – 2014-06-17T16:07:48.640

It's just called system. Not sure what format it is. – user2285451 – 2014-06-17T17:08:33.167

So I tried using regedit. But it gives me an error: "Error loading hive". That's all it says. – user2285451 – 2014-06-17T17:08:48.503
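The "Load hive" procedure from the comments, done from the command line instead of through the regedit GUI, as an added example that is not part of the original thread. The hive path C:\case\SYSTEM and the temporary key name CaseSYSTEM are assumptions; adjust them to your case. Two things that matter in practice and that the GUI error message does not tell you: reg.exe (like regedit) needs the backup/restore privileges, so run it from an elevated prompt, and the hive must be the complete file exported from the image, not a partial carve.

```powershell
# Added example (not from the thread): load an exported SYSTEM hive under a temporary key
# and read its time zone configuration. Run from an ELEVATED PowerShell prompt on Windows.
# Assumed names: C:\case\SYSTEM (the exported hive copy) and HKLM\CaseSYSTEM (mount point).
$hive  = 'C:\case\SYSTEM'
$mount = 'HKLM\CaseSYSTEM'

# Work on the exported copy only; never point this at the original image.
# If the export also produced SYSTEM.LOG1 / SYSTEM.LOG2, keep them next to the hive file
# so any pending transactions can be applied when the hive is loaded.
reg.exe load $mount $hive
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed (exit $LASTEXITCODE): is the prompt elevated and is '$hive' a complete hive file?"
}

try {
    # A SYSTEM hive carries several ControlSet00N keys; Select\Current names the one the OS booted with.
    $current = (Get-ItemProperty -Path 'HKLM:\CaseSYSTEM\Select' -Name Current).Current
    $tzPath  = 'HKLM:\CaseSYSTEM\ControlSet{0:D3}\Control\TimeZoneInformation' -f $current
    $tz      = Get-ItemProperty -Path $tzPath

    # Bias values are minutes to ADD to local time to obtain UTC (negative east of Greenwich).
    # ActiveTimeZoneBias is the bias in effect when the hive was last written, i.e. at imaging time.
    [PSCustomObject]@{
        ControlSet                  = $current
        TimeZoneKeyName             = $tz.TimeZoneKeyName           # present on Vista and later
        Bias                        = $tz.Bias
        StandardBias                = $tz.StandardBias
        DaylightBias                = $tz.DaylightBias
        ActiveTimeZoneBias          = $tz.ActiveTimeZoneBias
        DynamicDaylightTimeDisabled = $tz.DynamicDaylightTimeDisabled
    }
}
finally {
    # Always unload, otherwise the hive file stays locked and the key lingers under HKLM.
    # The PowerShell registry provider keeps .NET handles open; collecting them first lets the unload succeed.
    [GC]::Collect()
    reg.exe unload $mount | Out-Null
}
```

Get-ItemProperty returns REG_DWORD values as signed 32-bit integers, so a bias such as -60 is shown as -60 rather than 4294967236; if you read the same values with another tool that shows them unsigned, convert before doing any arithmetic.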

Answers

I have a raw image (.dd) from a Windows (NTFS) partition. I have to find out when a specific file was created.

To that end I am trying to find the correct timezone that is used on the system.

There should be no need to determine the configured time zone, if your goal is simply to get the file creation time.

NTFS stores file timestamps in UTC. UTC, in turn, has the nice property of being monotonically increasing, and convertible to any known time zone simply by adding or subtracting the time zone offset for the subject's geographical and political location at the time (which you would need to establish through other means).

Also note that any time zone configuration value that you extract from the registry will almost certainly show the currently configured (as of the time of the disk image) time zone, not the time zone configured at the time the file was created. Unless Windows keeps some sort of history of time zone settings, the latter won't be obtainable through the operating system's facilities, including deep digging through the registry.

Just present the file and state that file system metadata for the file in question indicates that when it was created, the computer's real-time clock was set to such-and-such UTC. You can also state that at that time, other evidence links the subject to a certain location, and present that evidence separately. That would establish the subject's location at the time, in turn establishing a reasonable local time zone for the subject at the time, which would allow you to state that in that location at that UTC time, local time was so-and-so.

If your role is simply in digital forensics, I would suggest that you simply present the UTC time as recorded in the file system metadata, and let someone else make any interpretation.

Do note however that any competent attorney would likely quickly point out that file system metadata timestamps do not imply that the file action indicated took place at that specific real-world time. The computer's real-time clock could have been set to literally any value within its valid range at the time the file action took place, and that arbitrary value would be recorded in the file system metadata.

a CVn

Posted 2014-06-17T15:04:41.330

Alright, thanks for this. And do you know if forensic suites (prodiscover, FTK, Autopsy) show the UTC timestamps? Meaning that I can say that the file was probably created at the time shown in the forensic suite? – user2285451 – 2014-06-17T18:01:58.637

@user2285451 I'm not familiar with those pieces of software, however it sounds like that could make a decent question on its own. I would expect them to show specifically what is on disk, however, which in the case of NTFS file systems would imply that file times are in UTC. – a CVn – 2014-06-17T18:48:12.463

That said, if you found this answer helpful in answering your question, consider upvoting it by clicking the up arrow in the left-hand column. If you feel this answer properly addresses all your concerns or was instrumental in resolving your issue, consider accepting it by clicking the checkmark outline in the left-hand column, below the voting arrows. Accepting an answer informs the community that you feel your issue has been resolved, and is the customary way of saying thank you on Super User and the Stack Exchange network. – a CVn – 2014-06-17T18:48:41.830
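The two points the answer makes, that NTFS records a UTC instant and that the hive's current bias is not necessarily the bias that applied when the file was created, worked through as an added example that is not part of the original thread. All values are constructed: the FILETIME, the TimeZoneKeyName and the ActiveTimeZoneBias stand in for what you would copy from the forensic suite and from the image's SYSTEM hive. Run it on Windows, where [TimeZoneInfo] resolves Windows zone key names.

```powershell
# Added example (not from the thread): convert an NTFS creation timestamp to UTC and then to
# local time two ways, to show why the bias recorded at imaging time can mislead.
# Constructed inputs (not from any real image):
#   $fileTime   - raw 64-bit $STANDARD_INFORMATION creation value, 100 ns ticks since 1601-01-01 UTC
#   $tzKeyName  - TimeZoneKeyName read from the image's SYSTEM hive
#   $activeBias - ActiveTimeZoneBias from the same hive (minutes to add to local time to get UTC)
$fileTime   = 130342536000000000L   # 2014-01-15 10:00:00 UTC
$tzKeyName  = 'W. Europe Standard Time'
$activeBias = -120                  # what the hive would hold if the image was taken during summer time

# 1. What the file system actually records: a UTC instant, independent of any zone setting.
$utc = [DateTime]::FromFileTimeUtc($fileTime)
"Recorded (UTC):             $($utc.ToString('u'))"

# 2. Naive conversion with the bias that was active when the image was taken.
#    Wrong whenever the file was created under a different daylight/standard state.
$naiveLocal = $utc.AddMinutes(-$activeBias)
"Using ActiveTimeZoneBias:   $($naiveLocal.ToString('yyyy-MM-dd HH:mm'))"

# 3. Rule-based conversion: apply the zone's standard/daylight rules as of the timestamp itself.
#    The rules come from the analyst machine's time zone database, looked up by the hive's key name,
#    so they must be checked against the subject's actual location, as the answer says.
$tzi       = [TimeZoneInfo]::FindSystemTimeZoneById($tzKeyName)
$ruleLocal = [TimeZoneInfo]::ConvertTimeFromUtc($utc, $tzi)
$offsetMin = $tzi.GetUtcOffset($utc).TotalMinutes
$inDst     = $tzi.IsDaylightSavingTime($utc)
"Using the zone's own rules: $($ruleLocal.ToString('yyyy-MM-dd HH:mm')) (offset $offsetMin min, DST=$inDst)"
```

With these constructed values the two local times differ by one hour: the January timestamp falls in standard time, while the ActiveTimeZoneBias of -120 reflects summer time at imaging. Either way, what belongs in the report is the UTC value from step 1; the local renderings depend on assumptions about the subject's zone and on the machine's clock having been correct, exactly the caveats the answer raises.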