Please allow me to introduce myself. Currently I am employed with a local firm specialising in Network and Software Support for other local firms. I form part of a CERT team (Computer Emergency Response Team) whereas one of my duties include cyber investigations for our Information Security and Risk Management Department.
I would like to know whether there are utilities which might help me out in reading the registries or at least the MRU list from Hard disks which have been confiscated due to a suspected PC misuse.

Your assistance is mostly appreciated. You can contact me on my hotmail account at .


There are a lot of possibilities when it comes to this.... first though, since more and more programs are becoming "intelligent", a whole lot of them remember recent files used, so are you looking for a specific MRU (such as for internet explorer, or for the "run" option on the start button)?

Two major solutions are
Pretty Easy:
Just boot the system normally (naturally, if you are concerned that there may be some kind of fail-safe in place or self-destruct code, use the more complicated method, but if you are fairly certain that the system is safe, then you could download something like an MRUViewer [[url]http://www.aftermath.net/~coma/daniweb/mruviewer.zip[/url]]) which allows you to see the IE History, cookies, cache, along with the run MRU.

If you are afraid that the PC which has been taken is equipped to clean up it's mess, or to "self-destruct" when you boot it, then you might want to take this approach.
Assuming that the NTFS drive isn't encrypted, you could boot the PC with a secondary OS from a liveCD (something like Knoppix, PHLAK, or STD). With this in mind, you'll need to be a little bit comfortable using a Unix System, in which you would mount the NTFS hard-drive, and copy the registry files to a portable device, like a floppy, or thumb drive....

If you give me a bit more detail on what you are looking at specifically, I'm sure I could help you further your search....

Thanks for your reply. I will try and use MRUViewer for now. We cloned the HD as we do not want to accidentally erase something or include new datestamps on the original. We are currently using the cloned HD externally. Cheers