Following on from timestamps and how I said they shouldn't be trusted, I am now going to talk about... timestamps! The RegBack folder holds a backup copy of the registry hives and is located at %SystemRoot%\System32\config\RegBack. The backup is written by the RegIdleBackup scheduled task (\Microsoft\Windows\Registry\RegIdleBackup), and it is generally believed that this runs every 10 days; however, with Windows 8 I would like to show a way to force that timestamp to change prematurely.
The contents of the RegBack folder:
Look familiar? Good. Then we can begin. Note the date (in US format).
Next, to force a maintenance run:
Go to the Control Panel and into the Action Centre.
Click on 'Maintenance' to expand it and show the 'Automatic Maintenance' section below.
You will notice the last run date is today and not too long ago; that is because I have already set this off manually. This is done quite simply by clicking the 'Start maintenance' option.
If this runs automatically it does not affect the timestamps on the RegBack hives; if, however, you run it manually, it changes the timestamp. I have no idea what the differences are; Microsoft are not very forthcoming. It may also be possible that the scheduled run on my VM (which coincidentally ran about an hour previously) was either incorrectly represented or did not complete. It is also possible that it runs an interim maintenance and then every 10 days runs a full maintenance. I would love to know your thoughts on this.
I ran a manual maintenance and below are the resulting contents of the RegBack folder:
The maintenance also runs a defrag on the system. Defragmentation moves file clusters around the volume, overwriting unallocated space and file slack that carving and timeline work depend on, so all in all, if this has been run, it is quite bad from a forensics standpoint.
Evidence of the run can be seen in the System event log as Event ID 16 (source Microsoft-Windows-Kernel-General), logged when the access history of a registry hive is cleared:
These give the following descriptions (in the same order as above):
And in the Application log we can see that a defrag was completed, recorded as Event ID 258 (source Defrag):
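As an added example (not code from the original post), the PowerShell below reproduces the experiment end to end, assuming Windows 8 or later and an elevated prompt. It snapshots the RegBack hive timestamps, reads the scheduler's own record of the RegIdleBackup task (the task that actually writes RegBack; the MaintenanceSettings fields show whether it is registered as an Automatic Maintenance task and with what period), optionally starts maintenance with MSchedExe.exe Start (the command-line equivalent of the 'Start maintenance' button), and then pulls the Event ID 16 and Event ID 258 entries discussed above so they can be lined up against the file timestamps. Run it only on a test VM, never on evidence: the -TriggerMaintenance switch deliberately modifies the system.

```powershell
# Added example, not part of the original post. Assumes Windows 8 or later and an
# elevated PowerShell prompt (the config directory and MSchedExe.exe need admin).
param(
    [switch]$TriggerMaintenance,   # actually start maintenance (changes evidence!)
    [int]$WindowMinutes = 180      # how far back to look in the event logs
)

$RegBack   = Join-Path $env:SystemRoot 'System32\config\RegBack'
$HiveNames = 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'

function Get-RegBackSnapshot {
    # One row per backup hive with its size and the NTFS timestamps we can read.
    Get-ChildItem -LiteralPath $RegBack -File |
        Where-Object { $HiveNames -contains $_.Name } |
        Select-Object Name, Length, CreationTime, LastWriteTime, LastAccessTime
}

function Get-RegIdleBackupState {
    # Task Scheduler's record of the last RegIdleBackup run. Compare LastRunTime with
    # the hive LastWriteTime values; Period/Deadline come from the task's
    # MaintenanceSettings and are empty if it is not an Automatic Maintenance task.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Registry\' -TaskName 'RegIdleBackup'
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        State          = $task.State
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult
        NextRunTime    = $info.NextRunTime
        Period         = $task.Settings.MaintenanceSettings.Period
        Deadline       = $task.Settings.MaintenanceSettings.Deadline
    }
}

$before = Get-RegBackSnapshot
'RegBack before:'; $before | Format-Table -AutoSize
'RegIdleBackup task:'; Get-RegIdleBackupState | Format-List

if ($TriggerMaintenance) {
    # Same effect as Action Centre > Maintenance > 'Start maintenance'.
    & "$env:SystemRoot\System32\MSchedExe.exe" Start
    # Maintenance runs in the background; poll until a hive timestamp moves or we give up.
    $deadline = (Get-Date).AddMinutes(15)
    do {
        Start-Sleep -Seconds 30
        $after   = Get-RegBackSnapshot
        $changed = Compare-Object $before $after -Property Name, LastWriteTime
    } until ($changed -or (Get-Date) -gt $deadline)
    'RegBack after:'; $after | Format-Table -AutoSize
}

# Kernel-General 16 (System log): "The access history in hive ... was cleared".
# Defrag 258 (Application log): the storage optimiser finished a volume.
$since = (Get-Date).AddMinutes(-$WindowMinutes)
$hiveEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 16; StartTime = $since
}
$defragEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; Id = 258; StartTime = $since
} | Where-Object { $_.ProviderName -match 'Defrag' }

# One timeline: event time next to which hive / volume it refers to, so it can be
# read off against the LastWriteTime column printed above.
@($hiveEvents) + @($defragEvents) |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } } |
    Format-Table -AutoSize -Wrap
```

Save it under any name (say regback-check.ps1, my choice) and run it without switches for a read-only pass, or with -TriggerMaintenance on a throwaway VM to reproduce the timestamp change. If the hive LastWriteTime values move while RegIdleBackup's LastRunTime stays put, something other than that task touched the folder, which is exactly the kind of discrepancy the post is warning about.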
There are also a lot of prefetch files loaded around the same time, including ping.exe; however, this is something for another blog post! The event log correlates with what I believed to be true, along with the timestamps. As these are backups of the registry hives there is not a lot else I can prove. I wanted to show that this was initiated by a user; however, this will need to wait for another day!