SANS Digital Forensics and Incident Response Blog: Tag - registry

Digital Forensics: How to configure Windows Investigative Workstations

I like Windows. There... I said it. I understand that this statement will probably come with the requisite beatings, but I honestly enjoy using Windows on a day to day basis more than other operating systems and am willing to take whatever flack comes my way over it (and yes, my team at work loves … Continue reading Digital Forensics: How to configure Windows Investigative Workstations


Autoruns and Dead Computer Forensics

Autoruns from Sysinternals is one of my favorite (free) tools. It has a myriad of uses, from optimizing the boot process to rooting out persistence mechanisms commonly used by malware. It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon. It very quickly shows what executables are set to run during boot or login, as well as enumerating many other interesting locations like Explorer shell extensions, browser helper objects, and toolbars. Over the years it has added some very useful features, including digital signature checks and the ability to ignore signed (and verified) Microsoft executables.

Until recently Autoruns had one big limitation: it had to be run on a live system. This is perfectly fine in a live response scenario when you are primarily working with systems that are up and running. However, in a dead computer forensics environment, its usefulness was hampered

... Continue reading Autoruns and Dead Computer Forensics


Timestamped Registry & NTFS Artifacts from Unallocated Space

Frequently, while following up a Windows investigation, I will add certain filenames or other string values to my case wordlist and subsequently find these strings embedded in binary data of one type or another in unallocated space. Close examination of the surrounding data structures has shown that these are often old MFT entries, INDX structures, or registry keys or values. The thing that makes these things very interesting from a forensic perspective is that all of them but registry values incorporate Windows timestamps. (All timestamps referenced in this article are 64bit Windows filetime values.) Even registry values often follow closely after their parent keys in the registry, which do have associated timestamps. Once I'd noticed these key facts, it occurred to me that it would be useful to use the timestamp values to work backward to other associated data, and hence the genesis of this

...


Digital Forensics Case Leads: The SIFT Workstation 2.0 Edition

Rob Lee recently brought us version 2.0 of the SANS Investigative Forensics Toolkit (SIFT), Into the Boxes Issue 0x1 was released, along with some interesting new tools by Harlan Carvey, and the New Jersey Supreme Court makes a ruling that could have significant impact on employer policies and employee expectations of privacy. Those in or near the Toronto area should also check out SANS Computer Forensic Essentials taught by SANS Computer Forensics blog contributor Chad Tilbury. There's a lot of good stuff linked below, so explore and enjoy. And, as always, thanks to all who make such excellent information and tools available to the community.

Tools:

...


OpenSaveMRU and LastVisitedMRU

Talking with a colleague the other day reminded me of just how nuanced many of the forensic artifacts are that we rely upon. Nowhere is this more true than in the Windows Registry. With no specification and even Microsoft products not following any data storage methodology, it is about as haphazard and irregular as they come. As an example, let's look at the OpenRunSaveMRU and LastVisitedMRU Registry keys. Both have been documented for years and are frequently cited in examinations. That being said, I would bet many examiners have not investigated the keys deeply enough to understand everything they are telling us. Here is a quick rundown on what we can glean from these keys.

OpenRunSaveMRU

In simplest terms, this key tracks files that have been opened or saved within a Windows shell dialog box. This happens to be a big data set, not only including web browsers like Internet Explorer and

... Continue reading OpenSaveMRU and LastVisitedMRU