Jump to content











Photo
- - - - -

DumpReg

registry

  • Please log in to reply
64 replies to this topic

#51 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  •  
    Netherlands

Posted 28 November 2015 - 12:05 PM

Version 0.8

 

- Backup of Components failed

- Restore for All hives gives message failed (window so narrow that I cannot read the complete message)

 

Good that we can make more Backups organised in Date_Time folders.



#52 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 28 November 2015 - 12:56 PM

Stupid type around components :(

Just fixed it... (v0.8.1)

Booting a virtual machine to test the restore.



#53 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 28 November 2015 - 01:20 PM

Version 0.8.2 uploaded :

 

-tested save all on windows 7 x64 : ok

-tested restore all on windows 7x64 : ok


  • wimb likes this

#54 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  •  
    Netherlands

Posted 28 November 2015 - 02:16 PM

Version 0.8.2 uploaded :

 

-tested save all on windows 7 x64 : ok

-tested restore all on windows 7x64 : ok

 

Tested Backup All and Restore All on fresh installed Win 10.0.10586 x64 : OK :1st:

 

Between Backup and Restore then ImDisk driver was installed by running imdiskinst.exe

After Restore of the Registry then ImDisk registry entries were indeed gone.

 

As can be seen the Backup in RegDump folder remains available.

The exchanged original hives.DATE files and a bunch of empty LOG files are added.

 

[attachment=15804:DumpReg82-Restore-OK-2015-11-28_150059.png]

 

:cheers:

 

For safety it will be good that the program at Restore will test for UserName and CompName (as shown in the parent folder name),

so that a WARNING (OK or Cancel) is given in case of Restore on other (wrong) system.

Such a test is that already done or otherwise do you plan to add such a test ?



#55 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  •  
    Netherlands

Posted 30 November 2015 - 07:48 AM

Tested Backup All and Restore All on fresh installed Win 10.0.10586 x64 : OK :1st:

 

DumpReg is a very good solution for Backup and Restore of the registry of a running Windows OS,

so that it is not needed to boot with PE for that purpose.

 

Thanks for this handy program. :)

 

Scheduled and silent making automatic Backups after booting Windows can be on the wishlist for further improvement.

The dumpregCMD.exe does NOT create UserName-CompName\Date_Time folder structure,

but simply dumps the registry in the given folder name, in my case e.g. C:\RegDump

 

:cheers:



#56 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 30 November 2015 - 08:58 AM

About the command line, i was wondering indeed if I should implement the logic in there (same as the GUI) or leave that the script/batch experts (looking at Wonko here :whistling: ...).

 

I could easily thus re use the same logic in the command line version : username-computername\date-time ...



#57 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  •  
    Netherlands

Posted 30 November 2015 - 09:28 AM

Of course script/batch experts can use their own desired folder structure.

 

Scheduled and silent making automatic Backups after booting Windows

in folder structure C:\RegDump\UserName_CompName\Date_Time will be very handy.

It will allow me always to repair quickly a damaged or infected registry by using one of the latest registry Backups.

 

:cheers:



#58 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 30 November 2015 - 09:40 AM

About the command line, i was wondering indeed if I should implement the logic in there (same as the GUI) or leave that the script/batch experts (looking at Wonko here :whistling: ...).

 

I could easily thus re use the same logic in the command line version : username-computername\date-time ...

Well, nothing prevents you from adding a switch *like*

dumpreg /S folder /ALL /AUTO

 that would make the auto-named sub-folder structure and put the files in it.

Since this would make only real sense when the "ALL" option is selected, it would be just one added switch:

dumpreg /S folder /ALLAUTO

 

:duff:

Wonko



#59 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 30 November 2015 - 09:54 AM

Adding this note as a new post so that erwan.l has a chance to notice it.

 

I already "sold" :w00t: dumpreg outside of reboot.pro ;):

http://www.forensicf...wtopic/t=13653/

 

and as often happens, a whole new can of worms has been opened, not related to dumpreg but to the (unfinished/to be refined) extents tool:

http://reboot.pro/to...s-now-possible/

 

Once you are fine with dumpreg, it would be nice if you could have a look at extents in the scenario of "in use" or "system locked" files (seemingly even joakims' tools choke on those).

 

:duff:

Wonko



#60 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 30 November 2015 - 10:21 AM

About windows extents and system locked files, note that I uploaded a similar tool a while ago on reboot.pro (see here).

I could make a "true" command line version of this tool and also provide source code.

I believe you can more or less copy any file using this method.

 

This is competing with another method : using windows snapshots.

 

And also competing with registry api's when it comes to deal with registry hives.

 

Different methods, different pros and cons...

 

I need to create myself an account on forensicfocus :)



#61 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 30 November 2015 - 10:40 AM

About windows extents and system locked files, note that I uploaded a similar tool a while ago on reboot.pro (see here).

I could make a "true" command line version of this tool and also provide source code.

I believe you can more or less copy any file using this method.

 

This is competing with another method : using windows snapshots.

 

Yep :), that (your extents tool) was exactly the reference I posted.

Still, it won't work (at least for me on XP) on pagefile.sys.

At the time joakims accused you of having taken some shortcuts, but it seems like he took the same ones (or other ones) as even his rawcopy tool seemingly doesn't work for pagefile.sys.

 

:duff:

Wonko



#62 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 30 November 2015 - 11:00 AM

I'll dust off my old "extents" tool and will give it a new run on xp 32 as well as on win10 x64.

I was using win7 x32 back then.

 

Backuping pagefile.sys is for forensic purpose "only" right?

 

/Erwan



#63 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 30 November 2015 - 11:18 AM

I'll dust off my old "extents" tool and will give it a new run on xp 32 as well as on win10 x64.
I was using win7 x32 back then.

Good. :)
 

Backuping pagefile.sys is for forensic purpose "only" right?


Yes, and it is also - between us of course ;) - pretty much useless :w00t: even for it (if we expect to actually find *any* info in it).
The pagefile of a machine with a very low amount of RAM (like less than 1 or maybe 2 Gb for one of the recent bloated MS OS's) will probably contain *something* but a modern machine with plenty of Ram (proportioned to the actual *needs* of a given OS) will NEVER (or almost never) "hit" the pagefile, and, even in the RARE cases the pagefile is actually used by the OS or by some apps, the probability that anything meaningful (and readable/decodable) in it is IMNSHO very, very, VERY low in practice.

Still, in theory, having a copy of the file is useful, in the sense that if you don't have it someone can always state or hint that it most probably did contain *whatever* vital informations that the lack of a copy prevented to acquire.

 

The hiberfil on the other hand (or similar files connected to hibernation/suspend/fast boot) may actually contain something of interest, and there well may be in this or that OS some other files that for similar reasons (locked/in use/whatever) cannot be currently saved through direct disk access.

 

:duff:

Wonko 



#64 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 30 November 2015 - 01:24 PM

A interesting link about the pagefile attack using the ntfs driver : not sure it still works thus (article mentions it works only in XP and was written in 2009) : here.

That probaby applies to the hibernation file as well.

 

Another approach, this time using duplicated handles (amongst other tricks) : here.

 

As a whole, it is probably easier to retrieve these files offline then if for forensic purpose : go to suspended mode and these 2 files are yours offline.

 

Or else building a simple driver using kernel api's (zwcreatefile) and listening to read commands via IOCTL and job done ? 

But this approach is already a bit more agressive to the system (mount driver, start, read extents, stop, unmount driver)

 

But I am deviating from the orginal thread :)



#65 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 30 November 2015 - 01:54 PM

As a whole, it is probably easier to retrieve these files offline then if for forensic purpose : go to suspended mode and these 2 files are yours offline.

Sure it is easier (actually it is so easy that is not even worth a mention) but there are still *needs* for making a copy "online", there are some cases when you CANNOT switch off a system for several reasons, among them the possibility that the system is set to clear pagefile at shutdown via registry or that uses some other mechanism to delete it.

Now REALLY OT, but JFYI:

http://www.msfn.org/...le-at-shutdown/

 

(we'd better continue here: http://reboot.pro/to...s-now-possible/ )

 

:duff:

Wonko







Also tagged with one or more of these keywords: registry

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users