```sh
IMG="./nps-2008-jean.E01"
WINPARTS=""
TMPDIRS=""
```
Grab the partitions as CSV but ignore unallocated and “meta”-partitions.
```sh
<<vars>>
mmls -a -M $IMG | tail -n+5 | cut -c 7- | sed 's/\s\{2,\}/,/g'
```
Retrieve the partition offsets by slicing out the second field and skipping the header row. (Note: using csvkit could be more convenient here: `csvcut -c Start`.)
```sh
<<mmls-csv>> | cut -f2 -d',' | tail -n+2
```
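As an added example (not part of the original notes), the same mmls-to-offsets parsing as standalone shell functions, run against a constructed `mmls -a -M` listing rather than the image. It generalizes the header skipping: instead of counting header lines with `tail -n+5`, it keeps only rows that begin with a three-digit slot index, so it does not depend on how many lines mmls prints before the table. The sample listing and the function names are assumptions for this demonstration.

```shell
#!/usr/bin/env bash
# Added example: parse mmls output into CSV and pull out the Start sectors.
# Constructed sample of what `mmls -a -M` prints for a typical Windows disk
# (not real output from nps-2008-jean.E01).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)'

# Convert mmls output (stdin) to CSV. Keep only rows that start with a
# three-digit slot index, drop the index column (first 6 characters) and
# collapse runs of two or more spaces into commas; prepend a header row.
mmls_to_csv() {
    echo "Slot,Start,End,Length,Description"
    grep -E '^[0-9]{3}:' | cut -c 7- | sed 's/ \{2,\}/,/g'
}

# Extract the Start field (second column), skipping the header row.
# The values are sector offsets, exactly what `fls -o` / `fcat -o` expect.
csv_offsets() {
    cut -f2 -d',' | tail -n+2
}

# Offsets for the constructed sample, one per line.
sample_offsets() {
    printf '%s\n' "$SAMPLE_MMLS" | mmls_to_csv | csv_offsets
}

# Stand-alone run: print the offsets of the sample listing.
sample_offsets
```

In the real pipeline `printf '%s\n' "$SAMPLE_MMLS"` is replaced by `mmls -a -M $IMG`; the rest is unchanged.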
Now, loop over the retrieved offsets and check with fls whether %SYSTEMROOT% (the Windows directory) is present, which is a strong indicator that it is a Windows partition. If it is there, output the offset of this partition.
```sh
<<offsets>> | {
    while read OFF; do
        DIRS=$(fls -o "$OFF" -D "$IMG")
        grep -q -i "windows" <<< "$DIRS" && WINPARTS="${WINPARTS}${OFF}\n"
    done
    # The loop runs in the subshell created by the pipe, so the accumulated
    # list has to be printed here, where it is still visible. printf %b
    # expands the embedded \n so that each offset ends up on its own line.
    printf '%b' "$WINPARTS"
}
```
```sh
<<winparts>> | {
    while read OFF; do
        # Skip empty lines
        [[ -z "$OFF" ]] && continue
        # Create a temp dir for this partition's hives
        TMP=$(mktemp -d -t regXXXX)
        TMPDIRS="${TMPDIRS}${TMP}\n"
        # Extract the hives
        fcat -o "$OFF" WINDOWS/system32/config/SYSTEM "$IMG" > "$TMP/SYSTEM"
        fcat -o "$OFF" WINDOWS/system32/config/SECURITY "$IMG" > "$TMP/SECURITY"
        fcat -o "$OFF" WINDOWS/system32/config/SOFTWARE "$IMG" > "$TMP/SOFTWARE"
    done
    # Print the directory list from inside the pipe's subshell, one per line
    printf '%b' "$TMPDIRS"
}
```
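An added sanity check (not part of the original notes) that belongs between the hive extraction and the RegRipper run: because the shell creates `$TMP/SYSTEM` before fcat runs, a hive that does not exist at that path on that partition silently leaves an empty file behind. A Windows registry hive always begins with the 4-byte signature `regf`, so checking for it catches such empty or wrong files before they are handed to RegRipper. The function names and the constructed test directory are assumptions for this demonstration.

```shell
#!/usr/bin/env bash
# Added example: sanity-check extracted registry hives before running RegRipper.
# A registry hive starts with the signature "regf"; a zero-length or
# non-"regf" file means fcat did not find the hive at that path.

# Return 0 if the file is non-empty and begins with "regf", 1 otherwise.
is_regf_hive() {
    [ -s "$1" ] || return 1
    [ "$(head -c 4 "$1" 2>/dev/null)" = "regf" ]
}

# Given a directory holding SYSTEM, SECURITY and SOFTWARE, print the names of
# the hives that fail the check; return 0 only if all three pass.
check_hive_dir() {
    dir="$1"
    bad=0
    for hive in SYSTEM SECURITY SOFTWARE; do
        if ! is_regf_hive "$dir/$hive"; then
            echo "$hive"
            bad=1
        fi
    done
    return $bad
}

# Build a constructed test directory (not a real hive set): two files carrying
# the "regf" signature plus filler, and one empty file standing in for a
# failed fcat. Prints the directory path.
make_sample_hive_dir() {
    d=$(mktemp -d)
    printf 'regfXXXXXXXX' > "$d/SYSTEM"
    printf 'regfXXXXXXXX' > "$d/SECURITY"
    : > "$d/SOFTWARE"
    echo "$d"
}

# Stand-alone run against the constructed directory: reports "SOFTWARE".
SAMPLE_DIR=$(make_sample_hive_dir)
check_hive_dir "$SAMPLE_DIR" || echo "hive check failed in $SAMPLE_DIR"
rm -rf "$SAMPLE_DIR"
```

In the real pipeline, `check_hive_dir "$DIR"` can be called at the top of the RegRipper loop and the directory skipped (or the offset noted for a manual look) when it reports a bad hive.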
To install RegRipper, get the .deb from Debian's unstable package archives here and install it via `sudo apt install ./Downloads/regripper_3.0\~git20210405.05ef957+dfsg1-1_all.deb`. Then, run it on every extracted hive:
```sh
<<hives>> | while read DIR; do
    # Skip empty lines
    [[ -z "$DIR" ]] && continue
    # -a runs all plugins that apply to the given hive type
    regripper -r "$DIR/SYSTEM" -a
    regripper -r "$DIR/SECURITY" -a
    regripper -r "$DIR/SOFTWARE" -a
done
```