Monthly Archives: May 2014

RegBack Folder Update Times

Posted on May 29, 2014 by HatsOffSecurity

Following on from timestamps and how I said they shouldn’t be trusted, I am now going to talk about…. timestamps! The RegBack folder holds a backup copy of the Registry Hives and is located %system32%\config\regback. It is believed that these … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , , | Leave a comment

Hives and Tools and Timestamps….. oh my!

Posted on May 29, 2014 by HatsOffSecurity

Continuing on from yesterday’s post regarding Hive files not updating: A colleague and I (say hi Joe) have been doing some research on this along with some very helpful comments from Brian Moran (@brianjmoran) via Twitter. My previous post commented … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , , , | Leave a comment

Windows 8 Hives Not Saved On The Fly

Posted on May 28, 2014 by HatsOffSecurity

*********After reading, please see this post for the conclusion********* Whilst playing about with USB devices to start my upcoming USB identification series I noticed something a little odd. I captured the locked files on the VM when I started this … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , , , , | 2 Comments

Network History and Decoding System Time

Posted on May 23, 2014 by HatsOffSecurity

Following on from my last post we had a GUID starting C1CDD (normally I would write the whole GUID down, but for the sake of not boring you all, I will keep it short), in this post we are going … Continue reading

Posted in Decoding Time, Windows Forensics, Windows Registry Forensics | Tagged , , , | Leave a comment

Network Interfaces

Posted on May 23, 2014 by HatsOffSecurity

Having the last known IP address of a machine can help you to identify if it was in the wrong segment of the network (everyone does segment their network…. right?), if the address was static or dynamically assigned or if … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , | Leave a comment

Computer Name, Timezone & Current Control Set

Posted on May 21, 2014 by HatsOffSecurity

Computer Name Having the computer name will show that the image you have in front of you is from the machine you were expecting. Obviously it’s not a 100% guarantee, but if it’s deifferent, then something is 100% wrong and … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , | Leave a comment

Operating System Version and Banners

Posted on May 21, 2014 by HatsOffSecurity

Without know which Operating System your image was running you cannot possibly hope to carry out a comprehensive investigation. So my next couple of posts will be very short ‘quick wins’ of where to get some critical data. Starting with … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , | Leave a comment

Registry Key Last Write Time

Posted on May 20, 2014 by HatsOffSecurity

Windows Registry keys keep a time stamp embedded within them. This cannot easily be seen using regedit.exe, so instead we turn to our trusty Forensic tool kit. First off I used FTK Imager to capture locked files. This allowed the … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , | 4 Comments

Security Wizardry

Posted on May 20, 2014 by HatsOffSecurity

Security Wizardry An excellent Cyber Information Portal. The Radar page is used by the NSA as seen in the photos on the site.

Posted in Cyber | Tagged | Leave a comment