Hi Mr Carvey,
I used c:\winnt\system32\regedt32.exe and then said save as and it gave me
the below results. I believe this is what they described as being the last
write times.
I also noticed you can audit a lot of things in the registry using this
program so I guess you can get a lot more dates and so forth using this.
But this is a pre active approach and most examiners would come to a system
after a crime has occured.
Many regards,
Daniel Heinonen
Computer Sytems Officer
Faculty of Arts
QUT
<<<<<<<<<<<<<< SAMPLE of a key subtree which has been
saved >>>>>>>>>>>>>>>>>>>>>>
Key Name: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Class Name: Processor
Last Write Time: 31/05/01 - 9:43 AM
Value 0
Name: Component Information
Type: REG_BINARY
Data:
00000000 00 00 00 00 00 00 00 00 - 00 00 00 00 01 00 00 00 ................
Value 1
Name: Configuration Data
Type: REG_FULL_RESOURCE_DESCRIPTOR
Interface Type: Invalid
Bus Number: -1
Version: 0
Revision: 0
Value 2
Name: FeatureSet
Type: REG_DWORD
Data: 0x3ff
<<<<<<<<<<<<<<<<<<<<< END sample >>>>>>>>>>>>>>>>>>>>>>>>>>>>
At 10:01 AM 30/05/01 -0700, you wrote:
> > Yes, I have used the last write time of the registry
> > files in an
> > investigation.
>
>Yes, that's what I was curious about. There is scant
>little information avaiable on the Internet on the
>subject.
>
>So do you use a third-party product or something
>home-grown to get the LastWrite time?
>
>HC
>
>__________________________________________________
>Do You Yahoo!?
>Get personalized email addresses from Yahoo! Mail - only $35
>a year! http://personal.mail.yahoo.com/
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 11:53:22 PDT