*********After reading, please see this post for the conclusion*********
Whilst playing about with USB devices to start my upcoming USB identification series I noticed something a little odd.
I captured the locked files on the VM when I started this blog; since then I have been suspending the image and resuming it. I realised I had not installed a good USB device (there was only a generic one), so I installed a named device. When I looked through regedit I saw the USBSTOR key and the two devices as expected. However, when I ran FTK Imager to capture the locked files I got a copy of the old files and not the updated ones.
Upon searching through the system32\config folder I noticed the Hive files had not been updated since the start of the blog (20/May/14). I found this very odd, as the registry is clearly updating the current control set.
My thinking on this is that the Registry is held in memory until the machine is rebooted. If this is the case, then that’s quite exciting from a memory forensics viewpoint, and a point of caution when carrying out an investigation on a live machine or taking a logical disk image.
After doing some testing on a Windows XP VM, my Windows 7 Host and my wife’s Windows 8 laptop, I now firmly believe this is a Windows 8 oddity, not a VM oddity. I am not sure how widely known this is, but I am quite excited!!
Looking at the last modified time of the Hive files, I correlated that with the last shutdown time of the laptop, and guess what, they matched!
It appears Windows 8 saves the Hive files on restart (not 100% sure if it saves on the way down or on the way up, but I would guess the way up, as the laptop gets a hard reset a lot – kids!!).
So what does this mean?
Well, if you are capturing a live image you cannot trust the Hive files (did I say that already?) This is a big deal for fast forensics and triage tools that capture these files off live systems.
What is the solution? I don’t know is the honest answer, maybe take the memory capture, logical image, bounce the machine and take Hives as either dead disk or when it’s back up.
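As an added check for the two points above (the hive timestamp vs. last shutdown comparison, and the triage concern), here is a PowerShell script I have written for this post; it is not code from the original post. Run it in an elevated PowerShell on the live machine. It reads the last shutdown time the kernel records in the live SYSTEM hive (the real `ShutdownTime` value under `HKLM\SYSTEM\CurrentControlSet\Control\Windows`), compares it and the current boot time with the last-write times of the on-disk hive files in `System32\config`, and then lists what the live registry currently holds under USBSTOR, so you can see what a stale on-disk copy would be missing. The hive names and paths are the standard Windows ones.

```powershell
# Added example (not from the original post). Run elevated on the live machine.
# Flags on-disk hive files that have not been written since the current boot,
# i.e. copies that a live file-level capture would pick up in a stale state.

$config    = Join-Path $env:SystemRoot 'System32\config'
$hiveNames = 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY', 'DEFAULT'

# Last shutdown time recorded by the kernel in the live SYSTEM hive.
# The value is a REG_BINARY holding an 8-byte FILETIME.
$raw = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' `
                         -Name ShutdownTime).ShutdownTime
$lastShutdown = [DateTime]::FromFileTime([BitConverter]::ToInt64($raw, 0))

# Boot time of the current session, used to decide whether a hive was written since boot.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

"Last shutdown (live registry): $lastShutdown"
"Last boot     (this session) : $lastBoot"
""

foreach ($name in $hiveNames) {
    # Get-Item only reads file metadata, so it works on the locked hive files.
    $file = Get-Item -Path (Join-Path $config $name) -ErrorAction SilentlyContinue
    if (-not $file) { continue }

    $age   = (Get-Date) - $file.LastWriteTime
    $state = if ($file.LastWriteTime -lt $lastBoot) {
                 'STALE - not written since boot'
             } else {
                 'written this session'
             }
    '{0,-9} last write {1:yyyy-MM-dd HH:mm:ss} ({2:N1} h ago)  {3}' -f `
        $name, $file.LastWriteTime, $age.TotalHours, $state
}
""

# What the live (in-memory) registry knows about USB storage right now.
# A stale on-disk SYSTEM hive would lack any device first seen after its last write.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
Get-ChildItem -Path $usbstor -ErrorAction SilentlyContinue | ForEach-Object {
    $device = $_.PSChildName            # e.g. Disk&Ven_...&Prod_...&Rev_...
    Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
        $friendly = (Get-ItemProperty -Path $_.PSPath -Name FriendlyName `
                                      -ErrorAction SilentlyContinue).FriendlyName
        "USBSTOR: $device  instance: $($_.PSChildName)  $friendly"
    }
}
```

If the SYSTEM hive shows as STALE while USBSTOR lists a device that is not in your file-level capture, you have reproduced the problem described above. One thing I would add to the triage list (my suggestion, not from the original post) is an export taken from the live registry rather than the file system, for example `reg.exe save HKLM\SYSTEM C:\triage\SYSTEM.hiv`, which writes the registry's current in-memory state of that hive to a file and can be kept alongside the memory capture and the on-disk copy.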
Why is this important?
Ok quick bad guy scenario:
User is using their computer to steal corporate data, and they bring in a personal USB stick for the first time as it’s encrypted. The company policy states that machines must be left on to allow patching to run overnight. This user’s Windows 8 PC hasn’t been off for a few days.
USB device leaves the building, with bad guy. His boss is suspicious and gets the IR team to logically image the device and capture the memory. High fives all round, we got the data we need. Shut off his PC and re-image it for the next person.
Question: Do you have the registry Hive proving he plugged in the USB device on which the files were taken away?