On Sun, Sep 18, 2011 at 9:52 AM, Kristian Erik Hermansen <[email protected]> wrote: > On Sep 17, 2011 6:47 PM, "Andrew Case" > <[email protected]> wrote: >> I was writing to say that I just released a small whitepaper on an >> interesting scenario I had in a recent case. I have a full writeup >> here: >> >> >> http://dfsforensics.blogspot.com/2011/09/recovering-and-analyzing-deleted.html > > One thing you might want to keep in mind for future cases is that registry > timestamps are only set for keys, and not entries. Thus if one entry is > updated then the key timestamp is altered and you can't really trust that > enough to associate it with all entries under the key. > > Also, I wrote a tool a while back called regfuck. Microsoft does something > crazy as always and stores the timestamps as milliseconds since 1492, or the > renaiisance, who knows...whatever...but regfuck effectively nullifies all > key timestamps by setting them back to null or a future date (at the time NT > kernel API shouldn't allow future date timestamps). Obviously if the bad guy > was smarter he wouldn't let himself get caught... >
Hello, I am aware that timestamps are only for the keys, but in the case of the USBSTOR keys, the serial number is part of the key name, which helps determine when a specific device was plugged in. I also mention in the paper about cross-referencing the times with those in the DeviceInstances path. If a user manually changed entries of the names/values then all they would be doing is changing superficial information as we would still have the serial number. I didn't mention it in the paper, but since I recovered numerous instances of the SYSTEM file going in back in time, I was able to use the timelining feature of Registry Decoder to build really comprehensive timelines of USB activity going back for months. Write back if you have anymore comments. Thanks for reading the paper. -- Andrew Case Senior Security Analyst @ Digital Forensics Solutions http://www.digitalforensicssolutions.com _______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
