HC,

We regularly conduct reviews of registries in our computer forensics investigations. The registry can be a gold mine of information. As you indicated, the registry contains references to a number of activities and can be used to determine the most recent activity on the computer--things like the most recently used programs, documents, files etc. The registry is also useful for determining system configuration, should you have to build a functional duplicate of a system for data restoration (as you would do, for example, for an MS Exchange recovery server).

Troy Larson
Computer Forensics, Electronic Evidence and Legal Support
Fiderus Strategic Security and Privacy Services
(Direct) 425-793-1988
(Cell) 425-503-5845
tlarsonat_private
www.fiderus.com
----------------------------------
24 Hour Emergency Response Hotline
1-877-595-8491
----------------------------------

-----Original Message-----
From: keydet89at_private [mailto:keydet89at_private]
Sent: Wednesday, May 23, 2001 7:52 AM
To: forensicsat_private
Subject: Registry Key LastWrite times

Has anyone used the LastWrite times of Registry keys as part of an incident investigation? Several keys in the HKLM and HKCU hives are updated when certain activity occurs (such as using the telnet.exe application)...so has anyone used this information when investigating a security incident?

Thanks,

HC
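The thread discusses using registry key LastWrite times to establish the most recent activity on a machine. The following is an added example, not code from either poster: it converts the raw Windows FILETIME values that hold a key's LastWrite time (100-nanosecond intervals since 1601-01-01 UTC) into readable timestamps and orders a set of keys into a newest-first timeline, with a filter for keys written within a window before a reference time. The key paths and timestamps in SAMPLE_ENTRIES are constructed for illustration; the collect_live() helper shows how the same (path, FILETIME) pairs are gathered on a live Windows system with the standard winreg module, and is an assumption about how a reader would feed real data in.

```python
"""Turn registry key LastWrite times into a 'most recent activity' timeline.

Added example, not part of the archived thread. Sample data is constructed.
"""
import sys
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100-ns units.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a raw FILETIME integer (100-ns ticks since 1601) to a UTC datetime."""
    if ft < 0:
        raise ValueError("FILETIME cannot be negative")
    # timedelta takes microseconds, so drop the sub-microsecond digit.
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_timeline(entries, since=None):
    """entries: iterable of (key_path, filetime_int).

    Returns a list of (utc_datetime, key_path) sorted newest first.  If
    `since` (an aware datetime) is given, only keys written at or after it
    are kept.  Note the LastWrite time reflects the last change to the key
    itself (a value added/changed/deleted, or a direct subkey created or
    deleted); it does not say which value changed.
    """
    rows = [(filetime_to_datetime(ft), path) for path, ft in entries]
    if since is not None:
        rows = [row for row in rows if row[0] >= since]
    return sorted(rows, key=lambda row: row[0], reverse=True)


def recent_activity(entries, hours, now):
    """Keys written within the last `hours` before the aware datetime `now`."""
    return build_timeline(entries, since=now - timedelta(hours=hours))


def collect_live(root_name, subkey):
    """Gather (path, LastWrite FILETIME) for a key and its direct subkeys.

    Windows only; uses the standard winreg module.  root_name is a winreg
    constant name such as "HKEY_CURRENT_USER".
    """
    if sys.platform != "win32":
        raise OSError("collect_live() requires Windows")
    import winreg  # imported here so the rest of the module runs anywhere
    root = getattr(winreg, root_name)
    found = []
    with winreg.OpenKey(root, subkey) as key:
        n_sub, _n_values, last_write = winreg.QueryInfoKey(key)
        found.append((subkey, last_write))
        for i in range(n_sub):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as child:
                found.append((subkey + "\\" + name, winreg.QueryInfoKey(child)[2]))
    return found


# Constructed sample: what collect_live() might return, expressed as raw FILETIMEs.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",
     datetime_to_filetime(datetime(2001, 5, 23, 7, 52, tzinfo=timezone.utc))),
    (r"HKCU\Software\Microsoft\Telnet",
     datetime_to_filetime(datetime(2001, 5, 23, 7, 40, tzinfo=timezone.utc))),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
     datetime_to_filetime(datetime(2001, 3, 10, 12, 0, tzinfo=timezone.utc))),
]
# Constructed reference time for the "recent activity" window.
SAMPLE_NOW = datetime(2001, 5, 23, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, path in build_timeline(SAMPLE_ENTRIES):
        print(when.isoformat(), path)
    print("written in the last 24h:",
          [p for _, p in recent_activity(SAMPLE_ENTRIES, 24, SAMPLE_NOW)])
```

Two caveats a practitioner would want when reading the output: the timestamp is whatever the system clock said at write time, so clock skew or deliberate clock changes move it, and a key that is written constantly (service status keys, for instance) will always look "recent" regardless of the incident. Converting to UTC up front avoids the usual off-by-timezone mistakes when lining registry times up against file system or log timestamps.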
This archive was generated by hypermail 2b30 : Tue May 29 2001 - 17:28:02 PDT