RegBack Folder Update Times

Following on from timestamps and how I said they shouldn’t be trusted, I am now going to talk about... timestamps! The RegBack folder holds a backup copy of the Registry Hives and is located at %system32%\config\regback. It is believed that these update every 10 days; however, with Windows 8 I would like to show a way to force that timestamp to change prematurely.

The contents of the Regback folder:

[Image: Regback_Folder]

Look familiar? Good. Then we can begin. Note the date (in US format).

Next, to force a maintenance:

Go to the Control Panel and into the Action Centre.

[Image: Control_Panel_Action_Centre]

Then click on ‘Maintenance’ to expand it and show the ‘Automatic Maintenance’ section below.

[Image: Action_Centre_Maintenance]

You will notice the last run date is today and not too long ago; that is because I have already set this off manually. This is done quite simply by clicking the ‘Start maintenance’ option.

If this runs automatically, it does not affect the timestamps on the RegBack hives; if, however, you run this manually, it changes the timestamp. I have no idea what the differences are; Microsoft are not very forthcoming. It may also be possible that the schedule that ran on my VM (which coincidentally ran about 1 hour previously) was either incorrectly represented or did not complete. It is also possible it runs an interim maintenance, then every 10 days runs a full maintenance. I would love to know your thoughts on this.

I ran a manual maintenance and below are the results of the regback folder:

[Image: Regback_Folder2]

The maintenance also runs a defrag on the system, so all in all, if this has been run, it is quite bad from a forensics standpoint.

When looking in the System Event log, it is possible to see evidence of this, with EventID 16:

[Image: Event_Log_Regback_Cleared]

These give the following descriptions (in the same order as above):

[Image: Event_Log_Regback_Cleared_Details]

And in the Application log we can see a defrag was completed, with EventID 258:

[Image: Event_Log_Regback_Defrag]

There are also a lot of prefetch files loaded around the same time, including ping.exe; however, this is something for another blog post! The Event log correlates what I believed to be true, along with the timestamps. As these are backups to the registry Hives, there is not a lot else I can prove. I wanted to show that this was initiated by a user; however, this will need to wait for another day!
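To repeat this check without clicking through Event Viewer, the following PowerShell is an added example (not from the original post): it lists the last-write times of the RegBack hives and pulls EventID 16 from the System log and EventID 258 from the Application log around those times. It assumes an elevated prompt on the live test system and the standard `%SystemRoot%\System32\config\RegBack` path; the 30-minute search window is an arbitrary choice.

```powershell
# Added example: correlate RegBack hive write times with the event IDs named in the post.
# Assumptions: elevated prompt on the test system; 30-minute window chosen arbitrarily.
$regBack = Join-Path $env:SystemRoot 'System32\config\RegBack'
$windowMinutes = 30

# Last-write times of the backup hives, oldest first (local time, as Explorer shows them).
$hives = @(Get-ChildItem -LiteralPath $regBack -File -Force |
    Sort-Object LastWriteTime)
if ($hives.Count -eq 0) { Write-Warning "No files found in $regBack"; return }

$hives | Select-Object Name, Length, LastWriteTime, LastWriteTimeUtc |
    Format-Table -AutoSize

# Search window: from before the earliest hive write to after the latest one.
$start = $hives[0].LastWriteTime.AddMinutes(-$windowMinutes)
$end   = $hives[-1].LastWriteTime.AddMinutes($windowMinutes)

# Event IDs taken from the post; other providers can reuse the same ID,
# so ProviderName is shown to let you discard unrelated hits.
$queries = @(
    @{ LogName = 'System';      Id = 16  },   # seen when the RegBack timestamps changed
    @{ LogName = 'Application'; Id = 258 }    # defrag completed
)

$events = foreach ($q in $queries) {
    $q.StartTime = $start
    $q.EndTime   = $end
    # Get-WinEvent raises an error when nothing matches; suppress it and keep going.
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
}

if (-not $events) {
    Write-Warning "No EventID 16/258 records between $start and $end"
    return
}

# One line per event, in time order, with only the first line of the message.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Events that cluster around the hive write times, with none near the earlier automatic run, would match the behaviour described above.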

 
