RE: Registry Key LastWrite times

From: Troy Larson (tlarsonat_private)
Date: Wed May 30 2001 - 05:52:22 PDT

    John,
    
    The gold mine depends on what you are looking for, whether it exists, and
    whether its existence is important.
    
    Where to look is not an easy question to answer--I have found that different
    versions of OS/Office/IE cause things to be stored in different places.  I
    usually have some idea in mind about what I am looking for when I review a
    registry.  For example, when I see a file extension I don't recognize, I can
    see if it is listed in HKLM\Software\classes.  If I am restoring an MS
    Exchange system, I would want to check the
    HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeMTA\Parameters key so that
    I can get the configuration right. The registry can tell you the version and
    service pack level of OS you are dealing with at
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion (NT machines).  You can
    also find the build dates of applications in the registry.  If you are
    examining event logs using the .evt files from an evidentiary image, then
    you will have to review the event log keys from the subject's registry to
    identify the .dll's responsible for generating the event descriptions.
    These keys are at HKLM\SYSTEM\ControlSet001\Services\Eventlog.
    
    I often check the registry to determine installed applications--especially
    if I suspect utilities, such as wiping utilities, that can impact the
    recovery of data.
    
    Finally, there is often information about the last used programs, the last
    searches, or the last viewing of various files.  For example, run a search
    for .jpg in regedit to see, among other things, a listing of the most
    recently viewed *.jpg files.
    
    Generally, I would search for the name of a program or extension rather than
    looking at specific keys, since it appears that the placement of things is
    not the same in all systems.
    
    Troy Larson
    Computer Forensics, Electronic Evidence and Legal Support
    Fiderus Strategic Security and Privacy Services
    (Direct) 425-793-1988
    (Cell) 425-503-5845
    tlarsonat_private
    www.fiderus.com
    AIM Address: WestCoastCFS
    ----------------------------------
    24 Hour Emergency Response Hotline
    1-877-595-8491
    ----------------------------------
    
    
    
    -----Original Message-----
    From: VanMeter, John [mailto:John.VanMeterat_private]
    Sent: Wednesday, May 30, 2001 3:28 AM
    To: 'tlarsonat_private'; forensicsat_private
    Subject: RE: Registry Key LastWrite times
    
    
    What subkeys under HKLM and HKCU contain this gold mine of information?
    
    v/r
    John van Meter
    
    -----Original Message-----
    From: Troy Larson [mailto:tlarsonat_private]
    Sent: Tuesday, May 29, 2001 9:41 AM
    To: forensicsat_private
    Subject: RE: Registry Key LastWrite times
    
    
    HC,
    
    We regularly conduct reviews of registries in our computer forensics
    investigations.  The registry can be a gold mine of information.  As you
    indicated, the registry contains references to a number of activities and
    can be used to determine the most recent activity on the computer--things
    like the most recently used programs, documents, files etc.  The registry is
    also useful for determining system configuration, should you have to build a
    functional duplicate of a system for data restoration (as you would do, for
    example, for an MS Exchange recovery server).
    
    Troy Larson
    Computer Forensics, Electronic Evidence and Legal Support
    Fiderus Strategic Security and Privacy Services
    (Direct) 425-793-1988
    (Cell) 425-503-5845
    tlarsonat_private
    www.fiderus.com
    ----------------------------------
    24 Hour Emergency Response Hotline
    1-877-595-8491
    ----------------------------------
    
    
    
    -----Original Message-----
    From: keydet89at_private [mailto:keydet89at_private]
    Sent: Wednesday, May 23, 2001 7:52 AM
    To: forensicsat_private
    Subject: Registry Key LastWrite times
    
    
    Has anyone used the LastWrite times of
    Registry keys as part of an incident
    investigation?  Several keys in the HKLM and
    HKCU hives are updated when certain activity
    occurs (such as using the telnet.exe
    application)...so has anyone used this
    information when investigating a security
    incident?
    
    Thanks,
    
    HC
    
    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 07:33:18 PDT