Dailydave mailing list archives

Re: A Quick Whitepaper: Recovering and Analyzing Deleted Registry Hives

From: Andrew Case <andrew () digitalforensicssolutions com>
Date: Sun, 18 Sep 2011 11:26:14 -0500

On Sun, Sep 18, 2011 at 9:52 AM, Kristian Erik Hermansen
<kristian.hermansen () gmail com> wrote:

On Sep 17, 2011 6:47 PM, "Andrew Case"
<andrew () digitalforensicssolutions com> wrote:

I was writing to say that I just released a small whitepaper on an
interesting scenario I had in a recent case. I have a full writeup
here:


http://dfsforensics.blogspot.com/2011/09/recovering-and-analyzing-deleted.html


One thing you might want to keep in mind for future cases is that registry
timestamps are only set for keys, and not entries. Thus if one entry is
updated then the key timestamp is altered and you can't really trust that
enough to associate it with all entries under the key.

Also, I wrote a tool a while back called regfuck. Microsoft does something
crazy as always and stores the timestamps as milliseconds since 1492, or the
renaiisance, who knows...whatever...but regfuck effectively nullifies all
key timestamps by setting them back to null or a future date (at the time NT
kernel API shouldn't allow future date timestamps). Obviously if the bad guy
was smarter he wouldn't let himself get caught...


Hello,

I am aware that timestamps are only for the keys, but in the case of
the USBSTOR keys, the serial number is part of the key name, which
helps determine when a specific device was plugged in. I also mention
in the paper about cross-referencing the times with those in the
DeviceInstances path.

If a user manually changed entries of the names/values then all they
would be doing is changing superficial information as we would still
have the serial number.

I didn't mention it in the paper, but since I recovered numerous
instances of the SYSTEM file going in back in time, I was able to use
the timelining feature of Registry Decoder to build really
comprehensive timelines of USB activity going back for months.

Write back if you have anymore comments. Thanks for reading the paper.

-- 
Andrew Case
Senior Security Analyst @ Digital Forensics Solutions
http://www.digitalforensicssolutions.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

A Quick Whitepaper: Recovering and Analyzing Deleted Registry Hives Andrew Case (Sep 17)
- Re: A Quick Whitepaper: Recovering and Analyzing Deleted Registry Hives Kristian Erik Hermansen (Sep 19)
  - Re: A Quick Whitepaper: Recovering and Analyzing Deleted Registry Hives Andrew Case (Sep 19)