OOPS, my mistake. I was sure I got it from sysinternals. I searched and found it here:
http://unxutils.sourceforge.net/

For Netcat for Windows go here: http://www.extremetech.com/article2/0,3973,35366,00.asp

Apologies to all for that.

Once you have the directory and want to analyse it, the best tool I found to work with this DD image file is @stake autopsy, found at http://www.atstake.com/research/tools/autopsy/ . Excellent tool.

On the registry file: if you bring your registry file from /NTPartition/winnt/repair or /NTPartition/winnt/system32/config to a Windows machine and use regedit as follows:

1) Open REGEDT32 and select the root key of HKEY_LOCAL_MACHINE.
2) Select Registry > Load Hive.
3) You can now select the offline registry file (e.g., the recently copied-over registry file).
4) REGEDT32 now asks for the key name to place the Registry hive into. Call it 'suspect'.

The hive now shows up in the Registry tree and can be viewed as any normal hive.

OR

You can clone the disk and boot your new system to view the registry the normal way.

Another method worth being aware of is this little beauty: http://home.eunet.no/~pnordahl/ntpasswd/
I'm not sure what scenario you would use this in as far as forensics is involved, but a handy tool in any arsenal. No good on a RAIDed system last time I tried it.

Hope this helps, and sorry again for the misdirection to sysinternals.

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: H C [mailto:[EMAIL PROTECTED]
Sent: 25 February 2003 13:49
To: [EMAIL PROTECTED]
Subject: RE: tools used to examine a computer

As Trevor pointed out, files such as this one provide quite a bit of detail regarding setting all of this up:
http://www.rajeevnet.com/hacks_hints/os_clone/os_cloning.html

> Go to www.sysinternals.com and get the Unix Utils which
> will include dd and netcat for Windows

SysInternals? Could you provide a more explicit link? I'm pretty familiar w/ the SysInternals site, and I'm even looking there now...and I can't find these Unix Utils you're mentioning.

> Now when you cd into the /NTPartition directory you
> will see all the files from your NT machine. Yes
> including the sam files etc.

Now, the big question is...once you've got all of these files on the Linux system, what tools do you use to view the contents of some of the binary files...such as the Registry?
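An added example, not part of either message in the thread, of the offline-hive step Trevor describes, done from PowerShell with reg.exe load/unload (the command-line form of REGEDT32's Load Hive) rather than the menu. The evidence path and the 'suspect' key name are assumed placeholders; it reads a few identifying values from a copied SYSTEM hive and then unloads it.

```powershell
# Added example: mount an offline SYSTEM hive copied from the suspect's
# system32\config directory, read identifying values, then unload it.
# Assumptions: $HivePath is a constructed placeholder; 'suspect' is the key
# name used in the thread. Needs an elevated PowerShell session.
param(
    [string]$HivePath  = 'C:\evidence\suspect\SYSTEM',  # placeholder path
    [string]$MountName = 'suspect'
)

# Work on a copy, never the original evidence file: reg.exe opens the hive
# read-write and rewrites it on unload, which would alter the original.
$Copy = Join-Path $env:TEMP ('{0}.{1}' -f $MountName, (Get-Item -LiteralPath $HivePath).Name)
Copy-Item -LiteralPath $HivePath -Destination $Copy -Force

& reg.exe load "HKLM\$MountName" $Copy | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $root = "HKLM:\$MountName"
    # The SYSTEM hive's Select key records which ControlSet was active at last boot.
    $current = (Get-ItemProperty -Path "$root\Select" -Name Current).Current
    $cs = '{0}\ControlSet{1:D3}' -f $root, $current

    # A few values an examiner typically records first from an offline SYSTEM hive.
    [pscustomobject]@{
        ControlSet   = $current
        ComputerName = (Get-ItemProperty "$cs\Control\ComputerName\ComputerName").ComputerName
        TimeZone     = (Get-ItemProperty "$cs\Control\TimeZoneInformation").StandardName
        ServiceCount = (Get-ChildItem "$cs\Services").Count
    }
}
finally {
    # The HKLM: provider keeps key handles open; release them or reg unload
    # fails with "access denied" and leaves the hive mounted.
    [GC]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

The same pattern works for the SAM, SOFTWARE or SECURITY hives from the same directory; only the key paths read inside the try block change.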