Blog: SANS Digital Forensics and Incident Response Blog: Category - Registry Analysis


Digital Forensic SIFTing: SUPER Timeline Creation using log2timeline-sift

This is a series of blog articles that utilize the SIFT Workstation. The free SIFT Workstation can match any modern forensic tool suite and is directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and intrusion response can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with


Digital Forensics Case Leads: Registry Forensics, Volume Shadow Copies and Windows 8

It's the "better late than never" edition of Case Leads and I've got lots of great stuff for you this week. Lots of great articles and papers to read, including a very cool post by Andrew Case on recovering registry hives from a system that's been reformatted and had the OS reinstalled, as well as several how to articles by Harlan Carvey. Rob Lee also checks in with an excellent article on timelines and volume shadow copies. Yes, all that and more, so let's get started! Oh, by the way, if you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to

Registry Decoder: I know this was mentioned in last week's Case Leads, but I wanted to mention it again. This is an excellent tool and will have updates and new features in


Digital Forensics Case Leads: Registry and Malware Analysis Tools, Preparing to Testify, and Virtual Machine Technology on Mobile Devices

This week's edition of Case Leads features a number of new tools and updates for a few of the old standbys. We have a collection of tools designed for studying malware found on Windows or Android platforms and a couple of new applications for registry analysis.

Virtual machine technology is heading for Android based devices as a couple of vendors team up to make it happen. We also feature articles about testifying at trial, "breaking in" to the field of Digital Forensics and the plethora of personal information associated with mobile applications.

As always, if you have an item you'd like to contribute to Digital Forensics Case Leads, please send it to



Ultimate Windows Timelining

Recently, I was considering material for an internal knowledge transfer session on timelining, when it occurred to me that the subject matter was likely of broader interest, and so, without further ado...

First, a note about the way I personally use timelines. I find them a great way to identify dated tidbits which one might not otherwise realize are associated with activity of interest, once investigation has been focused down to a restricted timeframe. When I do this, I typically extract all timeline data, and then filter it for times of interest to avoid information overload.
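The extract-everything-then-filter workflow described above, as an added example (this is not code from the original post or from log2timeline itself): it reads a timeline in the l2t_csv layout that log2timeline writes (17 comma-separated fields with the header shown below), builds a proper timestamp from the separate date and time columns, keeps only the rows inside a window of interest, and gives a quick count of which artifact sources fall in that window. The sample rows, the host name WS01, the user bob and the five-minute window are all constructed for illustration.

```python
"""Filter a log2timeline l2t_csv timeline down to a window of interest.

Added example for this page; it is not log2timeline's code. It assumes
the l2t_csv layout (17 fields, header below) and a UTC timezone column.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows in l2t_csv layout (not real case data).
SAMPLE_L2T_CSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/14/2012,23:58:01,UTC,.A..,FILE,NTFS $MFT,Last Access,-,WS01,C:/Windows/System32/cmd.exe,Accessed,2,C:/$MFT,0,-,mft,-
01/15/2012,10:02:11,UTC,MACB,FILE,NTFS $MFT,Created,bob,WS01,C:/Users/bob/Downloads/setup.exe,File created,2,C:/$MFT,0,-,mft,-
01/15/2012,10:02:40,UTC,M...,REG,UserAssist key,Last Written,bob,WS01,UEME_RUNPATH:C:/Users/bob/Downloads/setup.exe,Program executed,2,NTUSER.DAT,0,-,userassist,-
01/15/2012,10:03:05,UTC,M...,REG,Shellbag,Last Written,bob,WS01,Desktop/My Computer/E:/tools,Folder viewed,2,UsrClass.dat,0,-,shellbag,-
01/16/2012,08:15:00,UTC,M...,EVT,Security,Logon,bob,WS01,Logon type 2,Successful logon,2,Security.evtx,0,-,evtx,-
"""


def parse_l2t_csv(text):
    """Parse l2t_csv text; attach an aware UTC datetime as row['_ts'].

    Rows whose timezone column is not UTC are rejected rather than silently
    mixed in: a timeline assembled from sources in different zones is wrong
    in a way that is hard to spot later, so normalise before filtering.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["timezone"] != "UTC":
            raise ValueError(f"non-UTC row: {row['timezone']!r}")
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        row["_ts"] = ts.replace(tzinfo=timezone.utc)
        rows.append(row)
    rows.sort(key=lambda r: r["_ts"])
    return rows


def filter_window(rows, start, end):
    """Keep rows with start <= timestamp <= end.

    Bounds are 'YYYY-MM-DD HH:MM:SS' strings interpreted as UTC.
    """
    lo = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
    hi = datetime.fromisoformat(end).replace(tzinfo=timezone.utc)
    if lo > hi:
        raise ValueError("window start is after its end")
    return [r for r in rows if lo <= r["_ts"] <= hi]


def count_by_source(rows):
    """Quick overview of which artifact sources fall inside the window."""
    return Counter(r["source"] for r in rows)


if __name__ == "__main__":
    # Hypothetical window: the five minutes around a suspected download.
    hits = filter_window(parse_l2t_csv(SAMPLE_L2T_CSV),
                         "2012-01-15 10:00:00", "2012-01-15 10:05:00")
    for r in hits:
        print(r["_ts"].isoformat(), r["MACB"], r["source"], r["short"], r["desc"])
    print(dict(count_by_source(hits)))
```

Run stand-alone it prints the three events inside the window (the $MFT creation of setup.exe, the UserAssist entry showing it ran, and the Shellbag entry for a folder on E:) and the per-source count. The UTC check is deliberate: on a real case, normalise every input to one zone when the timeline is built, or the "filter for times of interest" step quietly drops or includes the wrong rows.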

The best general-purpose timelining utility of which I'm aware is Kristinn Gudjonsson's log2timeline tool. This great program handles a huge selection of input file types, and can output in several standardized formats, most notably:


Computer Forensic Artifacts: Windows 7 Shellbags

As Windows Registry artifacts go, the "Shellbag" keys tend to be some of the more complicated artifacts we have to decipher. But they are worth the effort, giving an excellent means to prove the existence of files and folders along with user knowledge. Shellbags can be used to answer the difficult questions of data enumeration in intrusion cases, identify the contents of long-gone removable devices, and show the contents of previously mounted encrypted volumes. Information persists for deleted folders, providing an invaluable reference for items no longer part of the file system.

A Brief Overview

Windows uses the Shellbag keys to store user preferences for GUI folder display