RE: Registry Key LastWrite times

From: Troy Larson (tlarsonat_private)
Date: Thu May 31 2001 - 13:30:19 PDT


Mr. HC, et al,

Per the previous post from Daniel Heinonen, regedt32 (not regedit) appears
to do the job.  I say appears, because I haven't found any documentation
that states definitively that regedt32 is showing the last write time of a
key.  But the regedt32 output does specify a last write time.

The procedure for using regedt32 would be to highlight the key in which you
are interested while viewing the registry in regedt32, then choose
"Registry|Save Subtree As" to write the file out as a text file.  The
appearance of the resulting text will be as Mr. Daniel Heinonen set out in
his post.

There are a number of things you can do with regedt32.  The most important,
from a forensic investigator's standpoint, is that you can use it to view
the non-active registry files from other NT/2000 machines in their native
format--i.e., you can copy the registry hive files from evidentiary images
to your forensic computer and open the hive files with regedt32 and see them
as they were meant to be seen.  Regedt32 also allows you to modify the
permissions of keys, so you can view things in otherwise protected subtrees.

On the other hand, regedt32 is not a very good search tool.  This is where
you would want to use regedit.

On a related topic, there is a little shareware program (see
www.hotfiles.com) you can use to open and view system.dat and user.dat files
from Win9x/Me computers.  It is called regdat.  While there are some manual
ways to prep the Win 9x/Me registry files for viewing with regedit in their
native format, the process can take a long time.  Regdat would appear to be
a direct and easy way to view Win9x/Me registry files in forensic reviews.

Troy Larson
Computer Forensics, Electronic Evidence and Legal Support
Fiderus Strategic Security and Privacy Services
(Direct) 425-793-1988
(Cell) 425-503-5845
tlarsonat_private
www.fiderus.com
AIM Address: WestCoastCFS
----------------------------------
24 Hour Emergency Response Hotline
1-877-595-8491
----------------------------------
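Troy's point that hive files copied from an evidentiary image can be examined offline, together with HC's question about a home-grown way to get the LastWrite time, is what this added Python example addresses; it is not code from the thread or from either participant. It walks the hive bins of a raw regf hive, reads the FILETIME stored at offset 4 of every allocated nk (key) cell and converts it to a UTC datetime; the hive it parses is constructed inline, and the offsets it relies on are the regf/hbin/nk layouts, not anything stated in the thread.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_nk(cell):
    """Return (key name, LastWrite datetime) for an nk cell body, or None if it is not one."""
    if len(cell) < 76 or cell[:2] != b"nk":
        return None
    flags, last_write = struct.unpack_from("<HQ", cell, 2)  # flags at +2, FILETIME at +4
    name_len = struct.unpack_from("<H", cell, 72)[0]         # name length at +72, name at +76
    raw = cell[76:76 + name_len]
    name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")  # 0x20 = KEY_COMP_NAME
    return name, filetime_to_datetime(last_write)

def list_keys(hive):
    """Walk every allocated cell of every hbin; collect (name, LastWrite) of each nk record."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    bins_size = struct.unpack_from("<I", hive, 40)[0]  # header +40: size of hive bins data
    keys, pos = [], 4096                                # hive bins start after the 4 KiB base block
    while pos < 4096 + bins_size and hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]  # hbin +8: size of this bin
        cell = pos + 32                                        # cells follow the 32-byte hbin header
        while cell < pos + bin_size:
            size = struct.unpack_from("<i", hive, cell)[0]     # negative size = allocated cell
            if size == 0:
                break
            if size < 0 and (rec := parse_nk(hive[cell + 4:cell - size])):
                keys.append(rec)
            cell += abs(size)
        pos += bin_size
    return keys

def build_sample_hive():
    """Constructed test data, not a real file: base block plus one hbin holding one nk cell."""
    name = b"ControlSet001"
    nk = bytearray(76 + len(name))
    nk[0:2], nk[76:] = b"nk", name
    struct.pack_into("<HQ", nk, 2, 0x2C, 126358146190000000)  # flags root|comp-name, FILETIME
    struct.pack_into("<H", nk, 72, len(name))
    cell_size = (4 + len(nk) + 7) & ~7                         # cells are 8-byte aligned
    hbin = bytearray(4096)
    hbin[0:4], hbin[8:12] = b"hbin", struct.pack("<I", 4096)
    hbin[32:36], hbin[36:36 + len(nk)] = struct.pack("<i", -cell_size), nk
    header = bytearray(4096)
    header[0:4], header[36:44] = b"regf", struct.pack("<II", 32, 4096)  # root offset, bins size
    return bytes(header + hbin)
```

Only allocated cells are read, so the output corresponds to what regedt32 would show for a live tree; freed cells can still hold nk records of deleted keys and are a separate recovery step.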



-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Wednesday, May 30, 2001 10:01 AM
To: tlarsonat_private; forensicsat_private
Subject: RE: Registry Key LastWrite times


> Yes, I have used the last write time of the registry
> files in an
> investigation.

Yes, that's what I was curious about.  There is scant
little information available on the Internet on the
subject.

So do you use a third-party product or something
home-grown to get the LastWrite time?

HC



This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 16:15:29 PDT