Windows 8 Hives Not Saved On The Fly

*********After reading, please see this post for the conclusion*********

Whilst playing about with USB devices to start my upcoming USB identification series I noticed something a little odd.

I captured the locked files on the VM when I started this blog, since then I have been suspending the image and resuming it. I realised I had not installed a good USB device (there was only a generic one) so I installed a named device. When I looked through regedit I saw the USBSTOR and the two devices as expected. However when I ran FTKImager to capture the locked files I got a copy of the old files and not the updated ones.

Upon searching through the system32/config folder I noticed the Hives had not been updating since the start of the blog (20/May/14). I found this very odd as the registry is updating the current control set.

My thinking on this is that the Registry is held in memory until the machine is rebooted, if this is the case then that’s quite exciting from a memory forensics view point and a point of caution when carrying out an investigation on a live machine or doing a logical disk image.

System_Hive_Update_Time

After doing some testing on a Windows XP VM, my Windows 7 Host and my wife’s Windows 8 laptop, I now firmly believe this is a Windows 8 oddity, not a VM oddity. I am not sure how widely known this is, but I am quite excited!!

Looking at the last modified time to the Hive files, I correlated that with the last shutdown time of the laptop, guess what, they matched!

It appears Windows 8 saves the Hive files on restart (not 100% sure if it saves on the way down, or the way up, but I would guess the way up as the laptop gets a hard reset a lot – kids!!)

So what does this mean?

Well, if you are capturing a live image you cannot trust the Hive files (did I say that already?) This is a big deal for fast forensics and triage tools that capture these files off live systems.

What is the solution? I don’t know is the honest answer, maybe take the memory capture, logical image, bounce the machine and take Hives as either dead disk or when it’s back up.

Why is this important?

Ok quick bad guy scenario:

User is using their computer to steal corporate data, they bring in a personal USB stick for the first time as its encrypted. The company policy states that machines must be left on to allow for patching to run overnight. This user’s Windows 8 PC hasn’t been off for a few days.

USB device leaves the building, with bad guy. His boss is suspicious and gets the IR team to logically image the device and capture the memory. High fives all round, we got the data we need. Shut off his PC and re-image it for the next person.

Question: Do you have the registry Hive proving he plugged the USB device in which the files were taken away on?

This entry was posted in Windows Forensics, Windows Registry Forensics and tagged , , , , , . Bookmark the permalink.

2 Responses to Windows 8 Hives Not Saved On The Fly

  1. Brian Moran says:

    Hi Russ,

    Good post and good information! however, I would like to point out one thing, the title should be more along the lines of “Last Modified time stamps are not updated on the fly” rather than the Hives themselves are not updated on the fly. If you open the Hive itself (or the event log files, or a slew of other “system” files) you will find that the files are indeed getting written to, however, the last modified time stamp is not updating. I noticed the same thing while digging into Registry entries for my Bluetooth data exfiltration post and, if time permits, will include some information on the “time stamp” in Part 4 of what is seemingly a never-ending series of posts 🙂

    I believe this issue was first noted on WIndows 7 (http://blogs.technet.com/b/asiasupp/archive/2010/12/14/file-date-modified-property-are-not-updating-while-modifying-a-file-without-closing-it.aspx). It just goes to show that you can never, ever, ever entirely trust timestamps alone!

    Brian

    • Thank you Brian, I intended this to be a question (I often get over excited), and you have provided an answer. As I said on Twitter, I was well on the way to the same conclusion around the time you tweeted me, so it was perfect timing to validate what we were seeing.

      I intend to put some screen shots up using FTKImager to prove what we now know.

      The last mystery I need to solve is why FTKImager protected files capture didn’t give me an up to date System Hive. It works fine if you manually traverse to it and right click the Hive.

      Everyday is a school day 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s