Mr. HC,

Yes, I have used the last write time of the registry files in an investigation. On machines with multiple profiles, the last written date of the registry hive files particular to a specific user can be important to determine whether the information in those files has been changed. That was axiomatic, sorry.

Example: NT system was seized on a particular date. System admin says she booted the system with admin account and searched the system. The NTUser file for the suspect (not the admin) on the machine, however, shows a last written date after the seizure. The evidentiary value of the registry data relating to last accesses and searches is now problematic, because the last written date shows the evidence was possibly modified after the seizure.

If you have a particular issue in mind, feel free to contact me directly.

Troy Larson
Computer Forensics, Electronic Evidence and Legal Support
Fiderus Strategic Security and Privacy Services
(Direct) 425-793-1988
(Cell) 425-503-5845
tlarsonat_private
www.fiderus.com
AIM Address: WestCoastCFS
----------------------------------
24 Hour Emergency Response Hotline
1-877-595-8491
----------------------------------

-----Original Message-----
From: keydet89at_private [mailto:keydet89at_private]
Sent: Wednesday, May 30, 2001 3:49 AM
To: forensicsat_private
Subject: RE: Registry Key LastWrite times

Thanks for the response, Troy. However, my question still stands:

> ...so has anyone used this
> information when investigating a security
> incident?

Your response never addressed the issue of LastWrite times directly. I ask about this particular topic, as I'm curious if it's ever been used as evidence in a security incident, and if so, what are the particulars.

Thanks.

HC
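As an added illustration of the check described in the message above (example code, not from either poster), the Python below reads the last-written FILETIME that every registry hive stores in its own REGF header and flags any hive whose stamp postdates the seizure; this complements the filesystem last-written date on the NTUSER file. The hive bytes, hive names and seizure time are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_regf_header(data):
    """Read the REGF base block of a hive file. Offsets: 0 'regf' signature,
    4 primary seq, 8 secondary seq, 12 last-written FILETIME, 20 major, 24 minor."""
    if len(data) < 28 or data[:4] != b"regf":
        raise ValueError("not a REGF hive header")
    seq1, seq2, last_written, major, minor = struct.unpack_from("<IIQII", data, 4)
    return {
        "last_written": filetime_to_datetime(last_written),
        "version": (major, minor),
        # Unequal sequence numbers mean the last write was never fully flushed.
        "dirty": seq1 != seq2,
    }

def modified_after_seizure(header, seized_at):
    """True when the hive's own last-written stamp postdates the seizure."""
    return header["last_written"] > seized_at

def build_sample_header(last_written, seq=0x2A):
    """Constructed 4096-byte REGF base block for testing; not a real hive."""
    fields = struct.pack("<IIQII", seq, seq, datetime_to_filetime(last_written), 1, 3)
    return (b"regf" + fields).ljust(4096, b"\x00")

# Constructed scenario: seized 1 May 2001; suspect hive written two days later.
SEIZED_AT = datetime(2001, 5, 1, 9, 0, tzinfo=timezone.utc)
HIVES = {
    "suspect NTUSER.DAT": build_sample_header(datetime(2001, 5, 3, 14, 30, tzinfo=timezone.utc)),
    "admin NTUSER.DAT": build_sample_header(datetime(2001, 4, 28, 18, 0, tzinfo=timezone.utc)),
}

def check_hives(hives, seized_at):
    """Map each hive name to (last_written, flagged) against the seizure time."""
    parsed = {name: parse_regf_header(blob) for name, blob in hives.items()}
    return {name: (h["last_written"], modified_after_seizure(h, seized_at)) for name, h in parsed.items()}

if __name__ == "__main__":
    for name, (when, flagged) in check_hives(HIVES, SEIZED_AT).items():
        print(f"{name}: last written {when:%Y-%m-%d %H:%M} UTC ->", "MODIFIED AFTER SEIZURE" if flagged else "ok")
```

On a real image, pass the first 4096 bytes of each NTUSER.DAT to parse_regf_header and compare the in-hive stamp with the filesystem modification time; a disagreement between the two is itself worth documenting.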
This archive was generated by hypermail 2b30 : Wed May 30 2001 - 14:20:47 PDT