Doubts about forensic information

 pimp
(@pimp)
Posts: 18
Active Member
Topic starter
 

Hi,

I have some doubts about forensic information:

1) Is it possible to know when an account was created from registry keys?
2) Is it possible, using any tool, to change the LastWrite times of registry keys? If it is possible, how can one know?
3) For files and folders I have read it is possible to change the date. How is it possible to detect this?

Best Regards and thanks in advance.

 
Posted : 07/02/2015 11:53 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I know this is "General Discussion", but maybe you may want to be a tad bit more specific on the Operating System(s) and on the filesystem(s) involved.

jaclaz

 
Posted : 08/02/2015 3:58 pm
 pimp
(@pimp)
Posts: 18
Active Member
Topic starter
 

Thanks jaclaz,

Operating system: Windows XP/7
Filesystem: NTFS

 
Posted : 08/02/2015 4:48 pm
(@bithead)
Posts: 1206
Noble Member
 

To your first question: "Time" is a fickle thing on computers. Was the time set correctly? Can you verify the time was set correctly? The answer to your question depends partly on the answer to those questions.
To your second: yes, there are tools to do this. It is possible to detect with investigation of other remnants.
Third: again, it is trivial to do; it takes work to detect.

That said, my answers are vague because your questions are very vague. Answering these types of questions takes authors of books on forensics several pages, or the combination of pages from several chapters, to answer.

The purveyor of this site has provided some helpful guidelines for those asking questions that are immediately above the pane where you typed your questions. Can you provide answers to those two questions?

 
Posted : 08/02/2015 6:44 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

My forensic training and experience includes how to parse the Windows Registry with a hex editor. So therefore I have the knowledge and ability to change values in the Registry if I so choose.

That said, I would never do that on an actual case since it would be unethical.

 
Posted : 08/02/2015 9:24 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

1) Is it possible to know when an account was created from registry keys?

Yes, it is.

2) Is it possible, using any tool, to change the LastWrite times of registry keys? If it is possible, how can one know?

Not "any", but yes, there are APIs that can be used to change key LastWrite times.

I'm not sure how to answer the second question. I know it's possible because I've seen the tool.

3) For files and folders I have read it is possible to change the date. How is it possible to detect this?

As with other aspects of digital forensic analysis, one should never simply hang a finding on a single data point. Rather, findings should be based on the sum total of data points.

For example, let's say that someone creates a user account on 6 June 2014, and modifies the Registry key LastWrite time for that account to read 9 July 2014. This would actually take some doing (i.e., escalation of privileges, etc.) due to what would be required in order to do this. Then, on 8 June, they log into the system using the account they created…at that point, the profile is created. So, you have a couple of data points that suggest that the account was created on 9 July, but here it is a month earlier and you have the profile created. Also, depending upon the audit settings on the system, you may have Windows Event Log records that indicate the account creation, dated 6 June.

With respect to files and folders, the time stamps within the MFT record can help tell the story, especially when combined and viewed with other data from the system.

HTH

 
Posted : 09/02/2015 4:50 pm
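As an added example, not code from any poster in this thread, a small Python check of the corroboration approach keydet89 describes: it takes constructed timestamps for the account scenario (SAM key LastWrite, profile directory creation, account-creation event record) and for a file's MFT $SI/$FN creation times, and lists the data points that cannot be reconciled. All names and dates are assumed values, and the zeroed sub-second check goes one step beyond what the post states.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed evidence for one account, modelled on the scenario in the post
# above: the SAM key LastWrite reads 9 July although the account was in use in June.
ACCOUNT = {
    "sam_key_lastwrite": datetime(2014, 7, 9, 10, 0, tzinfo=UTC),
    "profile_dir_created": datetime(2014, 6, 8, 9, 15, tzinfo=UTC),  # first logon
    "account_created_event": datetime(2014, 6, 6, 14, 30, tzinfo=UTC),  # Security log
}

# Constructed MFT timestamps for one file. $STANDARD_INFORMATION ($SI) is the set
# user-mode tools can rewrite; $FILE_NAME ($FN) is maintained by the kernel.
MFT_FILE = {
    "si_created": datetime(2012, 1, 1, 0, 0, 0, tzinfo=UTC),
    "fn_created": datetime(2014, 6, 8, 9, 16, 12, 345678, tzinfo=UTC),
}


def check_account_timeline(ev):
    """Flag data points that cannot be reconciled with the SAM key LastWrite.

    A profile directory and an account-creation log record can only exist
    after the account does, so any of them predating the key's LastWrite
    means that LastWrite was changed later and cannot be read as creation time.
    """
    lw = ev["sam_key_lastwrite"]
    return [
        f"{name} ({ev[name]:%Y-%m-%d}) predates SAM key LastWrite ({lw:%Y-%m-%d})"
        for name in ("profile_dir_created", "account_created_event")
        if name in ev and ev[name] < lw
    ]


def check_mft_timestamps(rec):
    """Heuristic $SI-vs-$FN comparison for one MFT record; both results are
    indicators to corroborate with the rest of the timeline, not conclusions,
    since legitimate copies and moves can also yield $SI-before-$FN orderings."""
    hits = []
    si, fn = rec["si_created"], rec["fn_created"]
    if si < fn:
        hits.append("$SI created earlier than $FN created")
    # NTFS stores 100 ns precision; a value that is exactly on the second while
    # $FN is not suggests the $SI field was written with second granularity.
    if si.microsecond == 0 and fn.microsecond != 0:
        hits.append("$SI created has a zeroed sub-second field")
    return hits
```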
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Not "any", but yes, there are APIs that can be used to change key LastWrite times.

…assuming that the Registry is "online", but a plain hex editor (and some pretty much accurate work with a calculator) would do nicely if it is "offline", as hinted before, and possibly some scripts together with offline registry tools…
From the mouth of the wolf
https://msdn.microsoft.com/en-us/library/ee210757(v=vs.85).aspx
and actually put into practice
http://reboot.pro/topic/11312-offline-registry/
might also do nicely, while - notwithstanding the fact that no one is interested in this approach (which BTW is the "right" one)
http://reboot.pro/topic/7681-the-registry-as-a-filesystem/
it would still be possible to make mincemeat of any Registry…

jaclaz

 
Posted : 09/02/2015 5:38 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

My reply was for the "online" Registry because, as you stated, modification of the offline Registry had already been hinted at.

What would be some possible scenarios where modification of the offline Registry might occur?

 
Posted : 09/02/2015 6:01 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

My reply was for the "online" Registry because, as you stated, modification of the offline Registry had already been hinted at.

What would be some possible scenarios where modification of the offline Registry might occur?

I thought that the underlying question was more along the lines of "Is it possible to tamper with Registry LastWrite timestamps?" in the sense of "How can such timestamps be altered (one way or the other)?" or "Can such timestamps be relied upon during an examination?". The typical scenario would be someone intentionally altering those timestamps either to hide activity on the PC or to fake that an activity actually took place on a given date/time.

Is it possible to tamper with Registry LastWrite timestamps?
Yes.

HOW can such timestamps be altered (one way or the other)?
EITHER when the Registry is online using some APIs (keydet89's suggestion/idea) OR when the Registry is offline, BOTH with a hex editor (Patrick4n6's suggestion/idea) or possibly by using some specific tools (jaclaz's corollary) that may (or may not) be used as they are or need some modification/changes.

Yes, OK, but HOW EXACTLY?
As an example, see the following post by Joakims and his nice tool
http://code.google.com/p/mft2csv/wiki/SetRegTime

Can such timestamps be relied upon during an examination?
No, they should NEVER be relied upon "on their own", they NEED to be put in the context of a FULL system timeline.

jaclaz

 
Posted : 09/02/2015 10:17 pm
joakims
(@joakims)
Posts: 224
Estimable Member
 

The SetRegTime tool can modify the LastWriteTime timestamp in the registry on mounted hives; http://code.google.com/p/mft2csv/wiki/SetRegTime

 
Posted : 09/02/2015 11:34 pm