Forensic analysis, root-me challenge

What happens

I can’t read subkeys from the registry, using the volatility library in Python

What do you understand or find about that problem

I’m trying to print the value of this subkey located in SYSTEM\ControlSet001\Control\ComputerName\ComputerName. To do this I used the printkey plugin from Volatility with the following arguments:

  1. "--hive-offset 0x8b21c008 0x8b21c008". Because after listing all the hives with hivelist, the subkey that I’m looking for is located at this virtual address: 0x8b21c008 0x039ef008 \REGISTRY\MACHINE\SYSTEM
  2. "--key ControlSet001\Control\ComputerName\ComputerName". To get the value of the subkeys.

Did you make any workaround? What did you do?

Whenever I use the full path for the key I get this error: "The requested key could not be found in the hive(s) searched." The command that I’m using is python vol.py -f ~/ch2/ch2.dmp --profile=Win7SP1x86 printkey --key ControlSet001\Control\ComputerName\ComputerName. I’ve also tried enclosing the path of the key in quotation marks.

(Optional) Why does your workaround fail?

I’m only able to read the key ControlSet001, using this command: python vol.py -f ~/ch2/ch2.dmp --profile=Win7SP1x86 printkey --hive-offset 0x8b21c008 --key ControlSet001.

Evidence


I need help with

I don’t know what I’m doing wrong with the key path.
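An added check (not part of the original post) for one common cause of this error: when a Windows registry path is passed to vol.py unquoted, a POSIX shell consumes the backslashes before Volatility ever sees the --key argument, so the key no longer matches anything in the hive. The snippet below assumes a POSIX shell and shows exactly what the argument looks like unquoted, double-quoted and single-quoted, without needing the memory image.

```shell
# Added example (not from the original post): demonstrates how shell quoting
# changes the registry key path that a tool like vol.py actually receives.
# No Volatility or memory image is needed; this only inspects argument passing.

# Return the argument exactly as a program would receive it.
show_key() {
    printf '%s' "$1"
}

# Unquoted: the shell treats "\C" as an escaped "C" and drops every backslash,
# so the tool is asked for "ControlSet001ControlComputerNameComputerName".
unquoted_key() {
    show_key ControlSet001\Control\ComputerName\ComputerName
}

# Double-quoted: backslashes survive because "\" is only special before
# $, `, ", \ or newline inside double quotes.
double_quoted_key() {
    show_key "ControlSet001\Control\ComputerName\ComputerName"
}

# Single-quoted: everything is literal, so the path reaches the tool intact.
single_quoted_key() {
    show_key 'ControlSet001\Control\ComputerName\ComputerName'
}

# Count how many backslashes actually survived in an argument (expected: 3
# for the ComputerName path, 0 if the shell stripped them).
count_backslashes() {
    printf '%s' "$1" | tr -cd '\\' | wc -c | tr -d ' '
}

# Usage: compare the three forms side by side.
printf 'unquoted:      %s (%s backslashes)\n' "$(unquoted_key)" "$(count_backslashes "$(unquoted_key)")"
printf 'double-quoted: %s (%s backslashes)\n' "$(double_quoted_key)" "$(count_backslashes "$(double_quoted_key)")"
printf 'single-quoted: %s (%s backslashes)\n' "$(single_quoted_key)" "$(count_backslashes "$(single_quoted_key)")"
```

Running the real printkey command with the key path in single quotes (or with each backslash doubled) is the quick way to confirm whether quoting, rather than the hive offset, is what makes the key unreachable.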