SANS Digital Forensics and Incident Response Blog: Category - Registry Analysis

Timestamped Registry & NTFS Artifacts from Unallocated Space

Frequently, while following up a Windows investigation, I will add certain filenames or other string values to my case wordlist and subsequently find these strings embedded in binary data of one type or another in unallocated space. Close examination of the surrounding data structures has shown that these are often old MFT entries, INDX structures, or registry keys or values. The thing that makes these things very interesting from a forensic perspective is that all of them but registry values incorporate Windows timestamps. (All timestamps referenced in this article are 64bit Windows filetime values.) Even registry values often follow closely after their parent keys in the registry, which do have associated timestamps. Once I'd noticed these key facts, it occurred to me that it would be useful to use the timestamp values to work backward to other associated data, and hence the genesis of this

...


Digital Forensics Case Leads: The SIFT Workstation 2.0 Edition

Rob Lee recently brought us version 2.0 of the SANS Investigative Forensics Toolkit (SIFT), Into the Boxes Issue 0x1 was released, along with some interesting new tools by Harlan Carvey, and the New Jersey Supreme Court makes a ruling that could have significant impact on employer policies and employee expectations of privacy. Those in or near the Toronto area should also check out SANS Computer Forensic Essentials taught by SANS Computer Forensics blog contributor Chad Tilbury. There's a lot of good stuff linked below, so explore and enjoy. And, as always, thanks to all who make such excellent information and tools available to the community.

Tools:

...


OpenSaveMRU and LastVisitedMRU

Talking with a colleague the other day reminded me of just how nuanced many of the forensic artifacts are that we rely upon. Nowhere is this more true than in the Windows Registry. With no specification and even Microsoft products not following any data storage methodology, it is about as haphazard and irregular as they come. As an example, let's look at the OpenRunSaveMRU and LastVisitedMRU Registry keys. Both have been documented for years and are frequently cited in examinations. That being said, I would bet many examiners have not investigated the keys deeply enough to understand everything they are telling us. Here is a quick rundown on what we can glean from these keys.

OpenRunSaveMRU

In simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, not only including web browsers like Internet Explorer and

... Continue reading OpenSaveMRU and LastVisitedMRU


Digital Forensics Case Leads: Volatility and RegRipper, Better Together

This week in Digital Forensics Case Leads brings us an update to macrobber, a guide to combining the power of Volatility and RegRipper, some thoughts on presenting digital forensic evidence, and an easy way for you to become an Advanced Persistent Threat.

Tools:

  • Mark Morgan posted a User Manual for Volatility and RegRipper (PDF) that details combining those tools to perform registry analysis against physical memory images. Note that some of this only works under Linux.
  • Brian Carrier released macrobber v1.02 over at Sleuthkit.org. This version utilizes the new mactime body format.
  • Geoff Black released

Digital Forensics Case Leads: Carrier updates The Sleuth Kit

Welcome to the second installment of Digital Forensics Case Leads! This edition includes recently released updates to the popular Open Source digital forensics tools, Autopsy and The Sleuth Kit, an article by a lawyer-turned-computer-forensic-examiner and tips for uncovering Linux USB artifacts.

Tools:

  • Brian Carrier released an updated version of The Sleuth Kit (TSK 3.1.0) and its graphical browser based front-end, Autopsy (Version 2.22.) TSK includes HFS+ support and handles sectors that are not 512-bytes each. The current version of TSK also includes NTFS SID data, improved support for GPT partitions, AFFLIB formats and other new features.

Good Reads: