Mr. HC, et al.,

Per the previous post from Daniel Heinonen, regedt32 (not regedit) appears to do the job. I say appears, because I haven't found any documentation that states definitively that regedt32 is showing the last write time of a key. But the regedt32 output does specify a last write time.

The procedure for using regedt32 would be to highlight the key in which you are interested while viewing the registry in regedt32, then choose "Registry|Save Subtree As" to write the file out as a text file. The appearance of the resulting text will be as Mr. Daniel Heinonen set out in his post.

There are a number of things you can do with regedt32. The most important, from a forensic investigator's standpoint, is that you can use it to view the non-active registry files from other NT/2000 machines in their native format--i.e., you can copy the registry hive files from evidentiary images to your forensic computer and open the hive files with regedt32 and see them as they were meant to be seen. Regedt32 also allows you to modify the permissions of keys, so you can view things in otherwise protected subtrees. On the other hand, regedt32 is not a very good search tool. This is where you would want to use regedit.

On a related topic, there is a little shareware program (see www.hotfiles.com) you can use to open and view system.dat and user.dat files from Win9x/Me computers. It is called regdat. While there are some manual ways to prep the Win9x/Me registry files for viewing with regedit in their native format, the process can take a long time. Regdat would appear to be a direct and easy way to view Win9x/Me registry files in forensic reviews.
Troy Larson
Computer Forensics, Electronic Evidence and Legal Support
Fiderus Strategic Security and Privacy Services
(Direct) 425-793-1988
(Cell) 425-503-5845
tlarsonat_private
www.fiderus.com
AIM Address: WestCoastCFS
----------------------------------
24 Hour Emergency Response Hotline
1-877-595-8491
----------------------------------

-----Original Message-----
From: H C [mailto:keydet89at_private]
Sent: Wednesday, May 30, 2001 10:01 AM
To: tlarsonat_private; forensicsat_private
Subject: RE: Registry Key LastWrite times

> Yes, I have used the last write time of the registry
> files in an
> investigation.

Yes, that's what I was curious about. There is scant little information available on the Internet on the subject. So do you use a third-party product or something home-grown to get the LastWrite time?

HC

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 a year!
http://personal.mail.yahoo.com/
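The thread above asks how to get a key's LastWrite time from hive files copied off an evidentiary image. The following is an added example, not code from Troy Larson, H C or any tool named in the thread: it reads the LastWrite FILETIME straight out of an offline NT/2000-format hive by walking the hive bins and their "nk" (key node) cells, which is the same value regedt32's "Save Subtree As" prints as "Last Write Time". The cell and node offsets used (cell size at +0, "nk" signature at node +0, flags at +2, FILETIME at +4, name length at +0x48, name at +0x4C, hbin data starting at file offset 0x1000) are the documented regf layout. The hive it parses is constructed inline by build_sample_hive(); the key names and timestamps in SAMPLE_KEYS are made up for the demo and are not real evidence.

```python
# Added example (not from the original post): list the LastWrite time of every
# key in an offline regf hive by walking its "nk" cells. The hive parsed at the
# bottom is constructed here for the demo; SAMPLE_KEYS is made-up data.
import struct
from datetime import datetime, timedelta, timezone

HBIN_AREA = 0x1000                 # hive bins start 4 KiB into the file
KEY_COMP_NAME = 0x20               # nk flag: name stored as 8-bit chars, not UTF-16
FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FT_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic (no float loss)."""
    return ((dt - FT_EPOCH) // timedelta(microseconds=1)) * 10


def nk_last_write_times(hive):
    """Return [(cell_offset, key_name, last_write)] for every allocated nk cell,
    scanning hbin by hbin and cell by cell (no reliance on the subkey lists,
    so keys are found even if the tree links are damaged)."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    hbins_size = struct.unpack_from("<I", hive, 0x28)[0]
    end = HBIN_AREA + hbins_size
    keys = []
    pos = HBIN_AREA
    while pos + 0x20 <= end and hive[pos:pos + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        cell = pos + 0x20                        # first cell follows the hbin header
        while cell + 4 <= pos + hbin_size:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0:
                break                            # corrupt or empty bin, stop here
            body = cell + 4
            if size < 0 and hive[body:body + 2] == b"nk":   # negative size = allocated
                flags, ft = struct.unpack_from("<HQ", hive, body + 2)
                name_len = struct.unpack_from("<H", hive, body + 0x48)[0]
                raw = hive[body + 0x4C:body + 0x4C + name_len]
                name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
                keys.append((cell - HBIN_AREA, name, filetime_to_datetime(ft)))
            cell += abs(size)
        pos += hbin_size
    return keys


def make_nk_cell(name, last_write, flags=KEY_COMP_NAME):
    """Build one allocated nk cell: 4-byte negative size, 0x4C-byte node, name, padding."""
    node = bytearray(0x4C)
    struct.pack_into("<2sHQ", node, 0, b"nk", flags, datetime_to_filetime(last_write))
    struct.pack_into("<H", node, 0x48, len(name))
    node += name.encode("ascii")
    node += b"\0" * ((-(4 + len(node))) % 8)     # cells are 8-byte aligned
    return struct.pack("<i", -(4 + len(node))) + bytes(node)


def build_sample_hive(keys):
    """Constructed demo hive: regf header plus one 4 KiB hbin holding the keys."""
    cells = b"".join(make_nk_cell(n, t) for n, t in keys)
    hbin_size = 0x1000
    hbin = bytearray(hbin_size)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, hbin_size)
    hbin[0x20:0x20 + len(cells)] = cells
    free = hbin_size - 0x20 - len(cells)         # positive size = free cell
    struct.pack_into("<i", hbin, 0x20 + len(cells), free)
    header = bytearray(HBIN_AREA)
    struct.pack_into("<4sIIQIIIIII", header, 0, b"regf", 1, 1,
                     datetime_to_filetime(keys[0][1]), 1, 3, 0, 1, 0x20, hbin_size)
    return bytes(header + hbin)


SAMPLE_KEYS = [                                  # made-up names and times for the demo
    ("ROOT", datetime(2001, 5, 30, 17, 1, 0, tzinfo=timezone.utc)),
    ("Software", datetime(2001, 5, 29, 8, 30, 15, tzinfo=timezone.utc)),
    ("Run", datetime(2001, 6, 1, 23, 15, 29, tzinfo=timezone.utc)),
]


def last_write_report(hive=None):
    """Key name and LastWrite time, formatted like a forensic report line."""
    hive = build_sample_hive(SAMPLE_KEYS) if hive is None else hive
    return [(name, ts.strftime("%Y-%m-%d %H:%M:%S UTC"))
            for _, name, ts in nk_last_write_times(hive)]


if __name__ == "__main__":
    for name, when in last_write_report():
        print(f"{name:<12} Last Write Time: {when}")
```

To use it on a real hive, pass `open("SYSTEM", "rb").read()` to `nk_last_write_times` instead of the constructed sample. Two caveats a practitioner should keep in mind: the timestamp is stored in UTC, so convert to the suspect machine's zone before comparing with other artifacts, and only the key node carries a timestamp (individual values do not), which is the same limitation regedt32 shows.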
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 16:15:29 PDT