RE: Registry Key LastWrite times

From: Troy Larson (tlarsonat_private)
Date: Wed May 30 2001 - 09:59:56 PDT


    Mr. HC,
    
    Yes, I have used the last write time of the registry files in an
    investigation.  On machines with multiple profiles, the last written date of
    the registry hive files particular to a specific user can be important to
    determine whether the information in those files has been changed.  That was
    axiomatic, sorry.
    
    Example:  NT system was seized on a particular date.  System admin says she
    booted the system with admin account and searched the system.  The NTUser
    file for the suspect (not the admin) on the machine, however, shows a last
    written date after the seizure.  The evidentiary value of the registry data
    relating to last accesses and searches is now problematic, because the last
    written date shows the evidence was possibly modified after the seizure.
    
    If you have a particular issue in mind, feel free to contact me directly.
    
    Troy Larson
    Computer Forensics, Electronic Evidence and Legal Support
    Fiderus Strategic Security and Privacy Services
    (Direct) 425-793-1988
    (Cell) 425-503-5845
    tlarsonat_private
    www.fiderus.com
    AIM Address: WestCoastCFS
    ----------------------------------
    24 Hour Emergency Response Hotline
    1-877-595-8491
    ----------------------------------
    
    
    -----Original Message-----
    From: keydet89at_private [mailto:keydet89at_private]
    Sent: Wednesday, May 30, 2001 3:49 AM
    To: forensicsat_private
    Subject: RE: Registry Key LastWrite times
    
    
    Thanks for the response, Troy.  However, my
    question still stands:
    
    >...so has anyone used this
    > information when investigating a security
    > incident?
    
    Your response never addressed the issue of
    LastWrite times directly.  I ask about this
    particular topic, as I'm curious if it's ever been
    used as evidence in a security incident, and if
    so, what are the particulars.
    
    Thanks.
    
    HC
    
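The check Troy describes (a per-user hive written after the seizure date) is easy to script. The block below is an added example, not code from either poster; it compares profile hive timestamps against a seizure date and, as a second independent source, reads the "last written" FILETIME that the hive file itself stores in its `regf` base block (signature at offset 0, two sequence numbers at 4 and 8, FILETIME at 12). The seizure date, profile paths and timestamps are constructed for the demonstration; `scan_profile_hives` is a hypothetical helper for walking a mounted image.

```python
"""Compare per-user registry hive timestamps against a seizure date.

Added example for the thread above, not code from the original post.
Two timestamps are used: the filesystem mtime of NTUSER.DAT (what the
post relies on) and the "last written" FILETIME kept in the hive's own
'regf' base block, which survives even if filesystem timestamps are
copied or reset.
"""
import os
import struct
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build test headers."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def hive_header_last_written(data: bytes) -> Optional[datetime]:
    """Parse the 'regf' base block: signature at 0, primary/secondary
    sequence numbers at 4 and 8, last-written FILETIME at 12.
    Returns None when the data is not a registry hive."""
    if len(data) < 20 or data[:4] != b"regf":
        return None
    (ft,) = struct.unpack_from("<Q", data, 12)
    return filetime_to_datetime(ft)


def hive_sequences_consistent(data: bytes) -> bool:
    """Primary and secondary sequence numbers differ when a write to the
    hive was interrupted (a dirty hive), which is worth recording."""
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    return seq1 == seq2


def flag_after_seizure(seizure: datetime,
                       hives: Iterable[Tuple[str, datetime]]) -> List[Tuple[str, datetime]]:
    """Return (path, timestamp) pairs whose timestamp is later than the seizure.
    Interpretation is the examiner's: an admin hive written afterwards may be
    explained by the admin's own login; a suspect's hive is not."""
    return sorted((p, t) for p, t in hives if t > seizure)


def scan_profile_hives(root: str) -> List[Tuple[str, datetime]]:
    """Hypothetical helper: walk an evidence tree (e.g. a mounted image)
    for NTUSER.DAT files and return their filesystem mtimes in UTC."""
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower() == "ntuser.dat":
                p = os.path.join(dirpath, n)
                found.append((p, datetime.fromtimestamp(os.stat(p).st_mtime, tz=timezone.utc)))
    return found


def build_hive_header(last_written: datetime, seq=(1, 1)) -> bytes:
    """Constructed 'regf' base block for demonstration only (not a real hive);
    only the first 20 bytes are populated."""
    hdr = bytearray(4096)
    hdr[0:4] = b"regf"
    struct.pack_into("<IIQ", hdr, 4, seq[0], seq[1], datetime_to_filetime(last_written))
    return bytes(hdr)


def demo() -> List[str]:
    """Constructed scenario mirroring the post: a seizure date, then hive
    mtimes for three profiles; returns the hive paths written afterwards."""
    seizure = datetime(2001, 5, 15, 12, 0, tzinfo=timezone.utc)  # constructed
    hives = [  # constructed paths and timestamps, not from a real system
        ("Profiles/admin/NTUSER.DAT", datetime(2001, 5, 16, 9, 30, tzinfo=timezone.utc)),
        ("Profiles/suspect/NTUSER.DAT", datetime(2001, 5, 16, 9, 41, tzinfo=timezone.utc)),
        ("Profiles/other/NTUSER.DAT", datetime(2001, 5, 1, 8, 0, tzinfo=timezone.utc)),
    ]
    return [p for p, _ in flag_after_seizure(seizure, hives)]


if __name__ == "__main__":
    for path in demo():
        print("written after seizure:", path)
    hdr = build_hive_header(datetime(2001, 5, 16, 9, 41, tzinfo=timezone.utc))
    print("header last written:", hive_header_last_written(hdr),
          "sequences consistent:", hive_sequences_consistent(hdr))
```

Both timestamps should be recorded before any examination boots the system or mounts the image read-write: each is overwritten by a normal login, which is exactly how the evidentiary problem in the post arose.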



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 14:20:47 PDT