RE: Registry Key LastWrite times

From: Medina, Patricia L. (plmedinat_private)
Date: Wed May 30 2001 - 08:49:20 PDT


    Guys,
    
    HKCU\Identities\{class id number}\Software\Microsoft\Outlook\Rules\MRU List
    HKEY_CURRENT_USER\InstallLocationsMRU
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6756A641-DE71-11d0-831B-00AA005B4383}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options
    HKEY_USERS\.Default\InstallLocationsMRU
    HKEY_USERS\.Default\Software\Microsoft\FrontPage\Explorer\Navigation\MRUList
    HKEY_USERS\.Default\Software\Microsoft\MSE\9.0\FileMRUList
    HKEY_USERS\.Default\Software\Microsoft\MSE\9.0\MenuMRUList
    HKEY_USERS\.Default\Software\Microsoft\MSE\9.0\ProjectMRUList
    HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Access\Settings\MRU1
    HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\defFileMRU
    
    and so on, for each app.  Just do a search for MRU in the registry. Lots of
    interesting stuff.
    
    Patti Medina
    AT&T Solutions at McDermott Intl (CNE/MCSE)
    
    -----Original Message-----
    From: VanMeter, John [mailto:John.VanMeterat_private]
    Sent: Wednesday, May 30, 2001 5:28 AM
    To: 'tlarsonat_private'; forensicsat_private
    Subject: RE: Registry Key LastWrite times
    
    
    What subkeys under HKLM and HKCU contain this gold mine of information?
    
    v/r
    John van Meter
    
    -----Original Message-----
    From: Troy Larson [mailto:tlarsonat_private]
    Sent: Tuesday, May 29, 2001 9:41 AM
    To: forensicsat_private
    Subject: RE: Registry Key LastWrite times
    
    
    HC,
    
    We regularly conduct reviews of registries in our computer forensics
    investigations.  The registry can be a gold mine of information.  As you
    indicated, the registry contains references to a number of activities and
    can be used to determine the most recent activity on the computer--things
    like the most recently used programs, documents, files etc.  The registry is
    also useful for determining system configuration, should you have to build a
    functional duplicate of a system for data restoration (as you would do, for
    example, for an MS Exchange recovery server).
    
    Troy Larson
    Computer Forensics, Electronic Evidence and Legal Support
    Fiderus Strategic Security and Privacy Services
    (Direct) 425-793-1988
    (Cell) 425-503-5845
    tlarsonat_private
    www.fiderus.com
    ----------------------------------
    24 Hour Emergency Response Hotline
    1-877-595-8491
    ----------------------------------
    
    
    
    -----Original Message-----
    From: keydet89at_private [mailto:keydet89at_private]
    Sent: Wednesday, May 23, 2001 7:52 AM
    To: forensicsat_private
    Subject: Registry Key LastWrite times
    
    
    Has anyone used the LastWrite times of
    Registry keys as part of an incident
    investigation?  Several keys in the HKLM and
    HKCU hives are updated when certain activity
    occurs (such as using the telnet.exe
    application)...so has anyone used this
    information when investigating a security
    incident?
    
    Thanks,
    
    HC
    
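The two things the thread is after, the per-key LastWrite time and the most-recent-first order inside an MRU key, are shown together below in an added Python 3 example. It is not code from any of the posters. It assumes the layout those keys had on Windows 2000 era systems: one value per slot (named a, b, c ...) plus a control string, usually "MRUList", whose characters list the slots most-recent-first. The key paths in the sample come from Patti's list; the value names, data and timestamps are constructed for illustration. On Windows, `collect_live` pulls the same shape of data from the live registry with `winreg.QueryInfoKey`, which returns LastWrite as a FILETIME integer (100 ns ticks since 1601-01-01 UTC); everything else runs offline.

```python
"""Registry LastWrite times and MRU ordering (added forensics helper).

Assumed layout, not taken from the thread: a snapshot maps a key path to
(LastWrite FILETIME, {value name: data}).  MRU keys keep one value per slot
(a, b, c ...) and a control string, usually "MRUList", listing the slots
most-recent-first.
"""
import sys
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC; this is the tick
# count at the Unix epoch (1970-01-01), a well-known constant.
UNIX_EPOCH_FILETIME = 116444736000000000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

Event = namedtuple("Event", "when key latest")


def filetime_to_datetime(ft):
    """Convert a FILETIME integer (as winreg.QueryInfoKey returns it) to a UTC datetime."""
    # Integer division drops sub-microsecond ticks, which datetime cannot hold.
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def unix_to_filetime(ts):
    """Inverse helper, used only to build the constructed sample below."""
    return UNIX_EPOCH_FILETIME + ts * 10_000_000


def mru_order(values, list_name="MRUList"):
    """Return MRU entries most-recent-first, driven by the control string.

    Slots named in the control string but absent from the key are skipped
    rather than raising; a deleted or never-written slot is common in live hives.
    """
    return [values[slot] for slot in values.get(list_name, "") if slot in values]


def timeline(snapshot):
    """Order keys by LastWrite (newest first) with each key's most recent MRU entry.

    LastWrite is stored per key, not per value: it dates the latest write to the
    key (normally the newest MRU entry); older slots carry no timestamp of their own.
    """
    events = []
    for key, (ft, values) in snapshot.items():
        order = mru_order(values)
        events.append(Event(filetime_to_datetime(ft), key, order[0] if order else None))
    return sorted(events, key=lambda e: e.when, reverse=True)


def collect_live(paths):
    """Windows only: read LastWrite and all values for each (root name, subkey) pair."""
    if sys.platform != "win32":
        raise RuntimeError("winreg is only available on Windows")
    import winreg
    snapshot = {}
    for root_name, subkey in paths:
        root = getattr(winreg, root_name)          # e.g. "HKEY_CURRENT_USER"
        with winreg.OpenKey(root, subkey) as k:
            _, nvalues, ft = winreg.QueryInfoKey(k)  # ft is the LastWrite FILETIME
            values = {}
            for i in range(nvalues):
                name, data, _ = winreg.EnumValue(k, i)
                values[name] = data
        snapshot[f"{root_name}\\{subkey}"] = (ft, values)
    return snapshot


# Constructed sample, not real hive data: the key paths are from the thread,
# the value names, data and timestamps are invented for illustration.
BASE = 990604320  # 2001-05-23 07:52:00 UTC
SAMPLE_SNAPSHOT = {
    r"HKEY_CURRENT_USER\InstallLocationsMRU": (
        unix_to_filetime(BASE + 3600),
        {"a": r"D:\I386", "b": r"C:\Drivers\nic", "c": r"\\fileserver\setup", "MRUList": "cab"},
    ),
    r"HKEY_USERS\.Default\Software\Microsoft\MSE\9.0\FileMRUList": (
        unix_to_filetime(BASE),
        {"a": "report.asp", "b": "logon.vbs", "MRUList": "ba"},
    ),
    r"HKEY_USERS\.Default\Software\Microsoft\FrontPage\Explorer\Navigation\MRUList": (
        unix_to_filetime(BASE - 86400),
        {},  # empty key: no entries, but LastWrite still dates its last modification
    ),
}

if __name__ == "__main__":
    for ev in timeline(SAMPLE_SNAPSHOT):
        print(ev.when.isoformat(), ev.key, ev.latest)
```

Run on the sample it prints the three keys newest first, with `\\fileserver\setup` as the most recent InstallLocationsMRU entry. Two caveats worth keeping in mind when doing this against a live system, as the thread proposes: the live collection itself does not write to the keys it reads, but any interactive use of the box (opening a document, running a program) will, so collect MRU keys before touching anything else; and because LastWrite is one timestamp per key, it is only evidence for the newest slot in the control string, not for the ones behind it.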



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 12:36:09 PDT