Hi Mr Carvey,

I used c:\winnt\system32\regedt32.exe and then said Save As and it gave me the below results. I believe this is what they described as being the last write times. I also noticed you can audit a lot of things in the registry using this program, so I guess you can get a lot more dates and so forth using this. But this is a pre-active approach, and most examiners would come to a system after a crime has occurred.

Many regards,

Daniel Heinonen
Computer Systems Officer
Faculty of Arts
QUT

<<<<<<<<<<<<<< SAMPLE of a key subtree which has been saved >>>>>>>>>>>>>>>>>>>>>>

Key Name:          HARDWARE\DESCRIPTION\System\CentralProcessor\0
Class Name:        Processor
Last Write Time:   31/05/01 - 9:43 AM
Value 0
  Name:            Component Information
  Type:            REG_BINARY
  Data:
00000000   00 00 00 00 00 00 00 00 - 00 00 00 00 01 00 00 00  ................

Value 1
  Name:            Configuration Data
  Type:            REG_FULL_RESOURCE_DESCRIPTOR
  Interface Type:  Invalid
  Bus Number:      -1
  Version:         0
  Revision:        0

Value 2
  Name:            FeatureSet
  Type:            REG_DWORD
  Data:            0x3ff

<<<<<<<<<<<<<<<<<<<<< END sample >>>>>>>>>>>>>>>>>>>>>>>>>>>>

At 10:01 AM 30/05/01 -0700, you wrote:
> > Yes, I have used the last write time of the registry
> > files in an
> > investigation.
>
>Yes, that's what I was curious about. There is scant
>little information available on the Internet on the
>subject.
>
>So do you use a third-party product or something
>home-grown to get the LastWrite time?
>
>HC
>
>__________________________________________________
>Do You Yahoo!?
>Get personalized email addresses from Yahoo! Mail - only $35
>a year! http://personal.mail.yahoo.com/
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 11:53:22 PDT