James,

This is a big topic as well as a moving target. Some of the big picture items stay the same, but I have found that different configurations--OS, IE, Service Pack, Office--seem to change where some data is kept. My suggestion would be to get Managing the Windows NT Registry by Paul Robichaux (O'Reilly, 1998). The Microsoft Knowledge Base is also a good source of information. My approach to the registry is usually to search for specific strings using regedit or another good registry editor and see what turns up.

Troy Larson
Computer Forensics, Electronic Evidence and Legal Support
Fiderus Strategic Security and Privacy Services
(Direct) 425-793-1988
(Cell) 425-503-5845
tlarsonat_private
www.fiderus.com
AIM Address: WestCoastCFS
----------------------------------
24 Hour Emergency Response Hotline
1-877-595-8491
----------------------------------

-----Original Message-----
From: James Chiles [mailto:james.chilesat_private]
Sent: Wednesday, May 30, 2001 1:36 PM
To: tlarsonat_private
Subject: RE: Registry Key LastWrite times

Troy,

Do you happen to have a list of common registry keys with meanings that you check? I would be very grateful for any suggestions from your experience.

Thanks!

Detective James Chiles
Criminal Intelligence - Computer Crimes
Oklahoma City Police Department
701 Colcord Drive
Oklahoma City, OK 73102-2281
Office: 405.297.3428
Fax: 405.297.1686
Pager: 405.575.4874

-----Original Message-----
From: Troy Larson [mailto:tlarsonat_private]
Sent: Tuesday, May 29, 2001 8:41 AM
To: forensicsat_private
Subject: RE: Registry Key LastWrite times

HC,

We regularly conduct reviews of registries in our computer forensics investigations. The registry can be a gold mine of information. As you indicated, the registry contains references to a number of activities and can be used to determine the most recent activity on the computer--things like the most recently used programs, documents, files, etc.

The registry is also useful for determining system configuration, should you have to build a functional duplicate of a system for data restoration (as you would do, for example, for an MS Exchange recovery server).

Troy Larson
Computer Forensics, Electronic Evidence and Legal Support
Fiderus Strategic Security and Privacy Services
(Direct) 425-793-1988
(Cell) 425-503-5845
tlarsonat_private
www.fiderus.com
----------------------------------
24 Hour Emergency Response Hotline
1-877-595-8491
----------------------------------

-----Original Message-----
From: keydet89at_private [mailto:keydet89at_private]
Sent: Wednesday, May 23, 2001 7:52 AM
To: forensicsat_private
Subject: Registry Key LastWrite times

Has anyone used the LastWrite times of Registry keys as part of an incident investigation? Several keys in the HKLM and HKCU hives are updated when certain activity occurs (such as using the telnet.exe application)...so has anyone used this information when investigating a security incident?

Thanks,
HC
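The thread above asks whether registry key LastWrite times can be used to find recent activity on a machine. The following Python script is an added example written for this archive page; it is not code from any of the participants. It uses the standard library's winreg module, whose QueryInfoKey() call returns a key's last-write time as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), converts those ticks to readable UTC timestamps, and ranks the keys under a hive that were written after a chosen point in time. The walk itself only runs on Windows; the conversion and ranking helpers run anywhere, so the offline demonstration at the bottom uses constructed sample entries (the key paths are ordinary HKCU locations used only as illustrative labels; the timestamps are made up).

```python
"""Added example (not from the thread): rank registry keys by LastWrite time.

winreg.QueryInfoKey() reports a key's last-write time as a FILETIME: the number
of 100-nanosecond ticks since 1601-01-01 00:00 UTC. The hive walk needs
Windows; everything else is pure Python, so the demo works offline with
constructed sample data.
"""
from datetime import datetime, timedelta, timezone

try:
    import winreg  # only present on Windows builds of Python
except ImportError:
    winreg = None

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME resolution is 100 ns


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count into a timezone-aware UTC datetime."""
    # Integer division avoids float rounding on 17-digit tick counts.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_from_iso(iso: str) -> int:
    """Inverse conversion: ISO-8601 timestamp (with offset) to FILETIME ticks."""
    dt = datetime.fromisoformat(iso).astimezone(timezone.utc)
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def walk_last_write(hive, subkey, max_depth=4):
    """Yield (key_path, filetime_ticks) for a key and its subkeys. Windows only."""
    if winreg is None:
        return
    try:
        key = winreg.OpenKey(hive, subkey)
    except OSError:  # missing key or access denied: skip it, keep walking
        return
    with key:
        num_subkeys, _num_values, last_write = winreg.QueryInfoKey(key)
        yield subkey, last_write
        if max_depth == 0:
            return
        for i in range(num_subkeys):
            try:
                child = winreg.EnumKey(key, i)
            except OSError:
                break
            yield from walk_last_write(hive, subkey + "\\" + child, max_depth - 1)


def keys_written_since(entries, since_iso: str):
    """Keep (path, ticks) entries written at or after since_iso, newest first,
    and return them as (path, ISO timestamp) pairs for reporting."""
    threshold = filetime_from_iso(since_iso)
    recent = [(p, t) for p, t in entries if t >= threshold]
    recent.sort(key=lambda e: e[1], reverse=True)
    return [(p, filetime_to_datetime(t).isoformat()) for p, t in recent]


# Constructed sample entries (illustrative paths, made-up timestamps).
SAMPLE_ENTRIES = [
    ("Software\\Microsoft\\Telnet",
     filetime_from_iso("2001-05-23T07:40:00+00:00")),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     filetime_from_iso("2001-05-20T12:00:00+00:00")),
    ("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU",
     filetime_from_iso("2001-05-23T07:45:30+00:00")),
]

if __name__ == "__main__":
    if winreg is not None:
        entries = list(walk_last_write(winreg.HKEY_CURRENT_USER, "Software"))
    else:
        entries = SAMPLE_ENTRIES
    for path, when in keys_written_since(entries, "2001-05-22T00:00:00+00:00"):
        print(when, path)
```

On a live Windows system the script walks HKCU\Software to a fixed depth and prints the keys touched after the cutoff, newest first; run against an image, the same helpers can be fed (path, ticks) pairs from whatever hive parser you use. Two caveats worth keeping in mind when reading the output: LastWrite is recorded per key, not per value, so it tells you that something under the key changed but not which value, and it is stored in UTC, so convert to local time only when correlating with other evidence.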
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 09:10:15 PDT