Tag Archives: Windows Registry Forensics

USB Forensics Pt. 4 Volume Serial Number

On to Part 4 of our ongoing discoveries about USB forensics. A quick recap So far we have managed to get details of two devices which have been connected to our image. We have looked at how to get: Unique … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , | 1 Comment

USB Forensics Pt. 3 Discover the Volume Name

Part 3 of our investigation is to discover what the Volume Name of the USB device was. This can be helpful when looking into Link (.lnk) files (which I will cover in a later blog post). It can also occasionally … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , , | 2 Comments

USB Forensics Pt. 1 Serial Number

Forensicating USB devices can be a arduous task, as such I am going to break it down into byte (get it) size chunks. In order to get the Serial number from a USB device we must start our investigation on … Continue reading

Posted in USB Forensics, Windows Forensics, Windows Registry Forensics | Tagged , , , | Leave a comment

RegBack Folder Update Times

Following on from timestamps and how I said they shouldn’t be trusted, I am now going to talk about…. timestamps! The RegBack folder holds a backup copy of the Registry Hives and is located %system32%\config\regback. It is believed that these … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , , | Leave a comment

Hives and Tools and Timestamps….. oh my!

Continuing on from yesterday’s post regarding Hive files not updating: A colleague and I (say hi Joe) have been doing some research on this along with some very helpful comments from Brian Moran (@brianjmoran) via Twitter. My previous post commented … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , , , | Leave a comment

Windows 8 Hives Not Saved On The Fly

*********After reading, please see this post for the conclusion********* Whilst playing about with USB devices to start my upcoming USB identification series I noticed something a little odd. I captured the locked files on the VM when I started this … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , , , , | 2 Comments

Network History and Decoding System Time

Following on from my last post we had a GUID starting C1CDD (normally I would write the whole GUID down, but for the sake of not boring you all, I will keep it short), in this post we are going … Continue reading

Posted in Decoding Time, Windows Forensics, Windows Registry Forensics | Tagged , , , | Leave a comment

Network Interfaces

Having the last known IP address of a machine can help you to identify if it was in the wrong segment of the network (everyone does segment their network…. right?), if the address was static or dynamically assigned or if … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , , | Leave a comment

Computer Name, Timezone & Current Control Set

Computer Name Having the computer name will show that the image you have in front of you is from the machine you were expecting. Obviously it’s not a 100% guarantee, but if it’s deifferent, then something is 100% wrong and … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , | Leave a comment

Operating System Version and Banners

Without know which Operating System your image was running you cannot possibly hope to carry out a comprehensive investigation. So my next couple of posts will be very short ‘quick wins’ of where to get some critical data. Starting with … Continue reading

Posted in Windows Forensics, Windows Registry Forensics | Tagged , | Leave a comment