Daily Archives: May 29, 2014

RegBack Folder Update Times

Following on from timestamps and how I said they shouldn’t be trusted, I am now going to talk about… timestamps! The RegBack folder holds a backup copy of the Registry Hives and is located at %system32%\config\regback. It is believed that these …

Posted in Windows Forensics, Windows Registry Forensics

Hives and Tools and Timestamps….. oh my!

Continuing on from yesterday’s post regarding Hive files not updating: A colleague and I (say hi Joe) have been doing some research on this along with some very helpful comments from Brian Moran (@brianjmoran) via Twitter. My previous post commented …

Posted in Windows Forensics, Windows Registry Forensics