Registry Key Last Write Time

Every Windows Registry key carries a time stamp embedded in its key node: a 64-bit FILETIME, stored in UTC, that records the last time the key was written. regedit.exe does not display it, so instead we turn to our trusty forensic tool kit.

First off, I used FTK Imager to capture locked files. This allowed the hives to be copied and saved into another folder. From there I opened Registry Viewer (both products are made by AccessData; the links are supposed to be the same 🙂) and accessed one of the offline hives saved to the location I specified earlier.

[Screenshot: Registry Viewer with the offline hive loaded]

From the screenshot above you can see that Registry Viewer is not too dissimilar from regedit.exe. The important part for this post is in the bottom left-hand corner, so let me magnify it for you:

[Screenshot: magnified bottom left-hand corner showing the key's last write time]

As you can see, this key was last written to on 14 Feb 2014 at 01:07 UTC. It is important to know whether your tool is showing UTC or local time, as this can cause huge confusion: the value on disk is always UTC, and once a time zone offset is applied the same instant can land on a different calendar day. Running your forensics VM in UTC is usually helpful. I will show you in a later post how to see what time zone the imaged machine was running in, as well as whether DST was active.

With the registry time stamp it is important to remember that it only shows the most recent write to that key. It is overwritten whenever a value under the key is added, changed or deleted, or a subkey is created or removed, and it does not change when a subkey's own values change. It therefore cannot be used alone to create a timeline; that needs other artefacts (which will also be covered in later posts).
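To make the stored value concrete, here is an added example in Python (not code from this post, nor from AccessData's tools) that carves "nk" key-node records out of a raw hive blob, decodes the last-write FILETIME, and renders the same instant in UTC and in a fixed UTC-5 offset. The hive blob, key names and times are constructed here for illustration; the record offsets and the KEY_COMP_NAME flag are those of the documented hive format, and the carving approach (scanning for the signature rather than walking the key tree) goes beyond what the post shows.

```python
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME is a count of 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x0020  # nk flag: name stored as 8-bit characters rather than UTF-16LE
NK_FIXED_SIZE = 0x4C    # fixed part of an nk record; the key name follows immediately
UTC_MINUS_5 = timezone(timedelta(hours=-5))  # illustrative analyst zone (assumed, fixed offset)


def filetime_to_datetime(filetime: int) -> datetime:
    """Raw 64-bit FILETIME -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_nk(record: bytes) -> dict:
    """Read name, flags and last-write time from an 'nk' (key node) record.

    Offsets follow the hive format: 0x00 'nk', 0x02 flags, 0x04 last-write
    FILETIME, 0x48 key name length, 0x4C key name.
    """
    if len(record) < NK_FIXED_SIZE or record[:2] != b"nk":
        raise ValueError("not a complete nk record")
    flags, = struct.unpack_from("<H", record, 0x02)
    last_write, = struct.unpack_from("<Q", record, 0x04)
    name_len, = struct.unpack_from("<H", record, 0x48)
    raw = record[NK_FIXED_SIZE:NK_FIXED_SIZE + name_len]
    if len(raw) != name_len:
        raise ValueError("key name runs past the end of the cell")
    name = raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le")
    return {"name": name, "flags": flags, "last_write_utc": filetime_to_datetime(last_write)}


def find_nk_records(blob: bytes):
    """Carve every allocated nk cell out of a hive blob without walking the key tree.

    A cell is a signed little-endian 32-bit size followed by the record; a
    negative size means the cell is allocated. Carving also surfaces keys whose
    parent links are gone, at the cost of false hits, which the size and
    name-length checks filter out. Freed (positive-size) cells are skipped.
    """
    pos = 4
    while (pos := blob.find(b"nk", pos)) >= 0:
        size, = struct.unpack_from("<i", blob, pos - 4)
        end = pos - 4 - size
        if size < 0 and -size >= 4 + NK_FIXED_SIZE and end <= len(blob):
            try:
                yield pos, parse_nk(blob[pos:end])
            except ValueError:
                pass
        pos += 2


def last_write_table(blob: bytes, local_tz: timezone) -> list:
    """(name, last write in UTC, same instant in local_tz) for each carved key.

    One stored value, two renderings: the calendar day can differ between them.
    """
    rows = []
    for _, rec in find_nk_records(blob):
        utc = rec["last_write_utc"]
        rows.append((rec["name"], utc.isoformat(), utc.astimezone(local_tz).isoformat()))
    return rows


def build_nk_cell(name: str, last_write_utc: datetime, flags: int = KEY_COMP_NAME) -> bytes:
    """Constructed test data: a minimal allocated nk cell, 8-byte aligned like a real hive."""
    record = bytearray(NK_FIXED_SIZE)
    record[:2] = b"nk"
    struct.pack_into("<H", record, 0x02, flags)
    struct.pack_into("<Q", record, 0x04, datetime_to_filetime(last_write_utc))
    encoded = name.encode("latin-1") if flags & KEY_COMP_NAME else name.encode("utf-16-le")
    struct.pack_into("<H", record, 0x48, len(encoded))
    record += encoded
    padding = (-(4 + len(record))) % 8
    return struct.pack("<i", -(4 + len(record) + padding)) + bytes(record) + b"\0" * padding


def freed(cell: bytes) -> bytes:
    """Constructed: the same cell with a positive size, i.e. deleted/unallocated."""
    size, = struct.unpack_from("<i", cell)
    return struct.pack("<i", -size) + cell[4:]


# Constructed sample "hive": a fake header, two live keys and one freed key.
SAMPLE_BLOB = (
    b"regf" + b"\0" * 28
    + build_nk_cell("Run", datetime(2014, 2, 14, 1, 7, tzinfo=timezone.utc))
    + build_nk_cell("Uninstall", datetime(2013, 12, 25, 18, 30, 15, tzinfo=timezone.utc), flags=0)
    + freed(build_nk_cell("Deleted", datetime(2014, 1, 1, tzinfo=timezone.utc)))
)

if __name__ == "__main__":
    for name, utc, local in last_write_table(SAMPLE_BLOB, UTC_MINUS_5):
        print(f"{name:<12} UTC {utc}   UTC-5 {local}")
```

The "Run" row is the post's own time stamp: 01:07 on 14 Feb in UTC, but 20:07 on 13 Feb once a UTC-5 offset is applied, which is exactly the confusion the warning above is about. A fixed offset is used to keep the output deterministic; for a real case, apply the imaged machine's zone and DST rules rather than the analysis box's. On a live system the same FILETIME is what RegQueryInfoKey returns in its lpftLastWriteTime parameter, so an offline carve and a live query should agree for an allocated key.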


This entry was posted in Windows Forensics, Windows Registry Forensics.

2 Responses to Registry Key Last Write Time

  1. user108 says:

    Hello,

    How reliable is that timestamp? Can it be modified? I am looking at a spyware case in which registry entries were created.

    Thanks!

    • While I cannot say 100% either way, I would add that changing this key is not a trivial task. Look at the technical level of the attacker based on what you have investigated: does it feel like the attacker could have modified this timestamp? Did they have that level of access to the system, or were they operating at a user level?

      Personally I would trust the timestamp unless you had a good reason not to. Sorry, that's probably not the technical answer you were after.
