Home‎ > ‎CIS 77‎ > ‎

Lab: Forensic Imaging and Registry

In this lab you'll create a bootable Linux image to aid you with forensic imaging. You'll use your bootable image to recover registry files on a Windows machine.  


A bootable Linux CD or USB flash drive is the best choice for a forensic examiner working in the field. Linux is free to use and there are many pre-packaged distributions that are ready to be put on a CD. A forensic Linux image can be used to make a forensic copy of the disk or, if the disk is too big, to examine just the data that's of interest. In this lab you'll download a bootable Linux image and use it to find evidence on your own (or the school's) computer. Specifically, you'll examine registry contents that are not available while Windows is running. 

Choose Your Linux

There are several Linuxes you can choose from. They are different sizes and come with slightly different tools (although many are the same). Some (like DEFT) are specifically designed for forensics work. Others (like Kali) are more general-purpose security tools. As a forensic examiner you should learn one or more of these tools to help you with your evidence gathering. 

Kali Linux

Kali is an all-purpose security tool. It combines sophisticated features with ease of use. If you're going to have one Linux live CD for security use, this is the one. Kali has a forensics mode that prevents it from altering data on drives, making it a good choice for a forensic examiner. You can download and install kali using the instructions on their website: 

DEFT Linux 

DEFT Linux is a purpose-build forensics tool. It's very compact making it easy to take around on a flash-key. It lacks many of the features of Kali. DEFT can be booted on a Mac, making it a good all-around tool. 

There are instructions for installing DEFT in your lab manual. The website also has instructions. 


SANS Investigative Forensic Toolkit (SIFT) is a set of Linux tools built on top of the popular Ubuntu distribution. SIFT is designed to be a one-stop forensic workstation, with everything you need to examine evidence. It's a great choice as the operating system for your dedicated forensics computer. Because it's Ubuntu based you can make a Live CD with it but the image will be very large and it's not as simple as the other Linuxes that are meant for incident response. However, if you want to try SANS SIFT you can follow the instructions on their website: 


Commputer Aided Investigative Environment (CAINE) Linux is an Live USB image similar to DEFT. It's purpose is to allow an investigator to collect evidence without altering it. 

Boot Your Live Image on Windows

Once you've picked a forensic Linux tool, boot your computer using it. Use the file browser tool to examine the files on your NTFS volume. Browse to the following path: 


Take a screenshot of the file browser in this location on your hard disk. You can take a screenshot in Linux using the "PrtScr" key. There's also a screenshot tools that will save your screenshot to a file. Look for it in the applications folder of the tool you choose. 

Recover the Registry Hives

Now you have access to hives that aren't accessible when Windows is booted. Make a copy of the following hives onto the Linux desktop:


You can look at those using the forensic tools you're accustomed to.

Save Your Files

You should have a screenshot and three hives. Now you have to save them. There are a few ways to do it. Here' are general instructions for doing so. Which way you use depends on you:

Email Them To Yourself (Easy)

Use the browser in your forensic Linux to email the files to yourself. This is not the way a pro would do it because it's not very confidential. But, it's very easy. 

Copy to Another USB (Easy)

Some of the Linuxes above (like Kali) can create a special area on the flash key that can be read by other OSses. That makes keeping files easy. If you don't have that feature you can always insert a second flash key into the machine and save files there. 

Copy Over the Network (Medium)

If you have a host that is running an SSH server you can copy the files securely over the network using SSH. If you're using a GUI based forensic tool you can enter an SSH destination via a URL into file manager like this:


Or you can use the command line.  

Examine The Registry Hives

Now that you have the registry hives you can load them into a tool to help you see what's in them. You can do this from any OS you feel comfortable in. Examine your hives and answer the following questions:
  1. What version of Windows do you have? (the specific version number) 
  2. What program opens *.docx files?
  3. What is the SID of a non-system user? (Choose one if you have multiple users)
Turn In
  1. A screenshot of your Linux forensic tool.
  2. The three hives you collected. 
  3. Answers to the questions. 
Submit your homework on canvas.


  • 5 points for your screenshot
  • 10 points for you hives
  • 5 points for correct answers