Hi all,
It has been a while since my last big thing. I needed to do some things on a Windows computer due to a problem with the registry hive. For this I have encountered the folowing program:
FRED. This stands for Forensic Registry EDitor. More information about the package you can find here: https://www.pinguin.lu/fred. This program has also deb sources for easy installations on a Debian based Linux installation. It is possible to follow some parts of this guide to also install this on a normal installation in case of a dual boot or an added disk to a other Linux installation.
To use this on a live environment I have used the, now free, ESET SysRescue.
In this manual it will be assumed that:
- There is a ESET SysRescue boot CD or USB available, more you can find here: http://www.eset.com/int/support/sysrescue/
- The Windows C drive will be localy mounted as “/media/LocalDisk2”
Normaly the registry values will be set in the folowing locations:
- HKEY_USERS: \Documents and Setting\User Profile\NTUSER.DAT
- HKEY_USERS\DEFAULT: C:\Windows\system32\config\default
- HKEY_LOCAL_MACHINE\SAM: C:\Windows\system32\config\SAM
- HKEY_LOCAL_MACHINE\SECURITY: C:\Windows\system32\config\SECURITY
- HKEY_LOCAL_MACHINE\SOFTWARE: C:\Windows\system32\config\software
- HKEY_LOCAL_MACHINE\SYSTEM: C:\Windows\system32\config\system
Ok, lets start.
Warning! editing the registry might damage your system, do not do this unless you know what you are doing!
Once you have started the CD make sure you accept the agreement and either disable or enable the extra options for the ESET anti-virus.
Open the Root terminal using the following steps
- Use the menu on the bottom left
- go to accessories
- open Root Terminal
Next we need to add the public key for the deb sources for this installation. please use the following commands for that:
wget http://deb.pinguin.lu/debsign_public.key
apt-key add debsign_public.key
To make sure that the sources.list is edited we need to add an simple text editor. In this example we will make use of “nano”, but you can use any program you perfer to use otherwise. Note that most programs are not installed in the live CD, thus it first needs to be installed.
apt-get update
apt-get install nano
nano /etc/apt/sources.list
In the sources.list you should add the following line:
deb http://deb.pinguin.lu/i386 ./
Save and exit the file. Now we can install the program. Run the folowing commands for that.
apt-get update
apt-get install fred fred-reports
After it is installed go to the location of the registry you would want to open. In this example we will try and open the SOFTWARE hive.
cd /media/LocalDisk2/Windows/System32/config
fred SOFTWARE
As most people know, Linux is case sensitive, and all hives (exept for the user registry’s) are in uppercase make sure you also write it like that.
And we are done!
Untill next time!
ik wil firadisk in hyper-v server core instaleren maar dit lukt niet.
help alstublieft.
Hi Jorg,
Can you tell me exactly what the issue is, since firadisk is more commonly known as “FileDisk/RamDisk”. If this is the issue, make sure you have the drivers installed for this when installing.
If you want to use “FRED” this is a Linux only tool and will only work on Linux Operating system.