RE: Registry Key LastWrite times

From: Troy Larson (tlarsonat_private)
Date: Wed May 30 2001 - 14:27:16 PDT


    James,
    
    This is a big topic as well as a moving target.  Some of the big picture
    items stay the same, but I have found that different configurations--OS, IE,
    Service Pack, Office--seem to change where some data is kept.  My suggestion
    would be to get Managing the Windows NT Registry by Paul Robichaux
    (O'Reilly, 1998).  The Microsoft Knowledge base is also a good source of
    information.
    
    My approach to the registry is usually to search for specific strings using
    regedit or another good registry editor and see what turns up.
    
    Troy Larson
    Computer Forensics, Electronic Evidence and Legal Support
    Fiderus Strategic Security and Privacy Services
    (Direct) 425-793-1988
    (Cell) 425-503-5845
    tlarsonat_private
    www.fiderus.com
    AIM Address: WestCoastCFS
    ----------------------------------
    24 Hour Emergency Response Hotline
    1-877-595-8491
    ----------------------------------
    
    
    
    -----Original Message-----
    From: James Chiles [mailto:james.chilesat_private]
    Sent: Wednesday, May 30, 2001 1:36 PM
    To: tlarsonat_private
    Subject: RE: Registry Key LastWrite times
    
    
    Troy,
    
    Do you happen to have a list of common registry keys with meanings that you
    check?  I would be very grateful for any suggestions from your experience.
    Thanks!
    
    Detective James Chiles
    Criminal Intelligence - Computer Crimes
    Oklahoma City Police Department
    701 Colcord Drive
    Oklahoma City, OK 73102-2281
    Office: 405.297.3428
    Fax: 405.297.1686
    Pager: 405.575.4874
    
    
    -----Original Message-----
    From: Troy Larson [mailto:tlarsonat_private]
    Sent: Tuesday, May 29, 2001 8:41 AM
    To: forensicsat_private
    Subject: RE: Registry Key LastWrite times
    
    
    HC,
    
    We regularly conduct reviews of registries in our computer forensics
    investigations.  The registry can be a gold mine of information.  As you
    indicated, the registry contains references to a number of activities and
    can be used to determine the most recent activity on the computer--things
    like the most recently used programs, documents, files etc.  The registry is
    also useful for determining system configuration, should you have to build a
    functional duplicate of a system for data restoration (as you would do, for
    example, for an MS Exchange recovery server).
    
    Troy Larson
    Computer Forensics, Electronic Evidence and Legal Support
    Fiderus Strategic Security and Privacy Services
    (Direct) 425-793-1988
    (Cell) 425-503-5845
    tlarsonat_private
    www.fiderus.com
    ----------------------------------
    24 Hour Emergency Response Hotline
    1-877-595-8491
    ----------------------------------
    
    
    
    -----Original Message-----
    From: keydet89at_private [mailto:keydet89at_private]
    Sent: Wednesday, May 23, 2001 7:52 AM
    To: forensicsat_private
    Subject: Registry Key LastWrite times
    
    
    Has anyone used the LastWrite times of a
    Registry key as part of an incident
    investigation?  Several keys in the HKLM and
    HKCU hives are updated when certain activity
    occurs (such as using the telnet.exe
    application)...so has anyone used this
    information when investigating a security
    incident?
    
    Thanks,
    
    HC
    
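The artifact HC asks about, as an added example that is not part of this thread or of any tool mentioned in it: a small Python parser that walks the key-node ("nk") cells of a raw registry hive and decodes the LastWrite FILETIME each one carries, which is what an examiner would timeline. The sample hive bytes, the key names RunMRU and Telnet, and their timestamps are constructed for the example; the record offsets used are those of the regf nk cell (signature at 0x00, LastWrite at 0x04, name length at 0x48, name at 0x4C).

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME = 100-ns ticks since 1601-01-01 UTC (the nk LastWrite field)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def build_nk_cell(name: bytes, last_write: datetime) -> bytes:
    """Constructed minimal allocated 'nk' (key node) cell for the sample hive.
    Only the fields the scanner reads are filled; the cell size prefix is negative."""
    rec = bytearray(0x4C)
    rec[0:2] = b"nk"
    struct.pack_into("<H", rec, 0x02, 0x20)  # KEY_COMP_NAME: name stored as ASCII
    struct.pack_into("<Q", rec, 0x04, datetime_to_filetime(last_write))
    struct.pack_into("<H", rec, 0x48, len(name))
    rec += name
    size = (4 + len(rec) + 7) & ~7            # hive cells are 8-byte aligned
    return struct.pack("<i", -size) + bytes(rec).ljust(size - 4, b"\x00")


def scan_nk_cells(hbin: bytes):
    """Yield (key name, LastWrite UTC) for each allocated nk cell in one hbin body."""
    off = 0
    while off + 4 <= len(hbin):
        size = struct.unpack_from("<i", hbin, off)[0]
        if size == 0:
            break                             # zero padding at the end of the bin
        body = hbin[off + 4 : off + abs(size)]
        if size < 0 and body[:2] == b"nk":    # positive size = deleted cell, skipped
            ft = struct.unpack_from("<Q", body, 0x04)[0]
            nlen = struct.unpack_from("<H", body, 0x48)[0]
            yield body[0x4C : 0x4C + nlen].decode("latin-1"), filetime_to_datetime(ft)
        off += abs(size)


# Constructed sample: two key nodes with made-up LastWrite times.
SAMPLE_HBIN = b"".join([
    build_nk_cell(b"RunMRU", datetime(2001, 5, 23, 7, 52, 0, tzinfo=timezone.utc)),
    build_nk_cell(b"Telnet", datetime(2001, 5, 22, 18, 15, 30, tzinfo=timezone.utc)),
])


def last_write_times(hbin: bytes = SAMPLE_HBIN) -> dict:
    """Map key name -> LastWrite datetime, ready to sort into an activity timeline."""
    return dict(scan_nk_cells(hbin))
```

Sorting the returned dictionary by value gives the most-recently-written keys first; on a real hive the same scan runs over every hbin after the 4096-byte regf header.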



    This archive was generated by hypermail 2b30 : Thu May 31 2001 - 09:10:15 PDT