I have a raw image (.dd) from a Windows (NTFS) partition. I have to find out when a specific file was created.
To that end I am trying to find the correct timezone that is used on the system.
There should be no need to determine the configured time zone, if your goal is simply to get the file creation time.
NTFS stores file timestamps in UTC. UTC, in turn, has the nice property of being monotonically increasing, and convertible to any known time zone simply by adding or subtracting the time zone offset for the subject's geographical and political location at the time (which you would need to establish through other means).
Also note that any time zone configuration value that you extract from the registry will almost certainly show the currently configured (as of the time of the disk image) time zone, not the time zone configured at the time the file was created. Unless Windows keeps some sort of history of time zone settings, the latter won't be obtainable through the operating system's facilities, including deep digging through the registry.
Just present the file and state that file system metadata for the file in question indicates that when it was created, the computer's real-time clock was set to such-and-such UTC. You can also state that at that time, other evidence links the subject to a certain location, and present that evidence separately. That would establish the subject's location at the time, in turn establishing a reasonable local time zone for the subject at the time, which would allow you to state that in that location at that UTC time, local time was so-and-so.
If your role is simply in digital forensics, I would suggest that you simply present the UTC time as recorded in the file system metadata, and let someone else make any interpretation.
Do note however that any competent attorney would likely quickly point out that file system metadata timestamps do not imply that the file action indicated took place at that specific real-world time. The computer's real-time clock could have been set to literally any value within its valid range at the time the file action took place, and that arbitrary value would be recorded in the file system metadata.
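An added example, not part of the original answer: decoding the four UTC timestamps that open an NTFS `$STANDARD_INFORMATION` attribute and rendering the creation time at candidate offsets. The function names, the sample bytes and the two offsets are constructed for illustration; the offset itself has to come from other evidence, since the file system records none.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_FIELDS = ("created", "modified", "mft_changed", "accessed")


def filetime_to_utc(ft: int) -> datetime:
    """Convert a raw FILETIME to an aware UTC datetime (truncated to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_standard_information(content: bytes) -> dict:
    """Decode the four little-endian FILETIMEs that open $STANDARD_INFORMATION."""
    if len(content) < 32:
        raise ValueError("need at least 32 bytes of attribute content")
    raw = struct.unpack_from("<4Q", content, 0)
    return {name: filetime_to_utc(value) for name, value in zip(SI_FIELDS, raw)}


def as_local(ts_utc: datetime, offset_hours: float) -> datetime:
    """Render a UTC timestamp at an offset that other evidence must justify."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


# Constructed sample: 32 bytes as they would sit at the start of the attribute body.
_CREATED = 130460976000000000          # 2014-06-01 12:00:00 UTC
_LATER = _CREATED + 36_000_000_000     # one hour later
SAMPLE_SI = struct.pack("<4Q", _CREATED, _LATER, _LATER, _LATER)

if __name__ == "__main__":
    times = parse_standard_information(SAMPLE_SI)
    for name in SI_FIELDS:
        print(f"{name:12} {times[name].isoformat()}")
    # Hypothetical candidate offsets; the file system itself records none.
    for offset in (2, -7):
        print(f"created at UTC{offset:+d}: {as_local(times['created'], offset).isoformat()}")
```

The decoded values are whatever the system clock reported when the record was written, so they carry the same caveat the answer gives about the real-time clock.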
Your real question seems to be how to open an exported registry system file. That's a Windows admin question and not a security question. If you are asking an autopsy-specific question, then you need to look to vendor-specific sources. – schroeder – 2014-06-17T15:07:20.593
possible duplicate of "Remote" registry editing - Windows 7 – Ƭᴇcʜιᴇ007 – 2014-06-17T15:52:29.427
Regedit doesn't always expect a .reg file... you can load remote hive files. 1) Open regedit 2) Click "HKLM" (if HKLM is the area you need to investigate) to highlight it 3) Click "File" 4) Click "Load hive" 5) Locate the file you have recovered from the DD image and the file should load within the HKLM tree in regedit for you to browse. – Kinnectus – 2014-06-17T15:57:45.740
What file format is your exported registry system file in? – Lincoln Bergeson – 2014-06-17T16:07:48.640
It's just called system. Not sure what format is. – user2285451 – 2014-06-17T17:08:33.167
So I tried using regedit. But it gives me an error. Error loading hive. That's all it's saying. – user2285451 – 2014-06-17T17:08:48.503