Hi,
I have some doubts about forensic information
1) Is it possible to know when an account was created from registry keys?
2) Is it possible to use any tool to change LastWrite registry keys? If it is possible, how does one know?
3) For files and folders I have read it is possible to change the date. How is it possible to detect this?
Best Regards and thanks in advance.
I know this is "General Discussion", but maybe you may want to be a tad bit more specific on the Operating System(s) and on the filesystem(s) involved.
jaclaz
Thanks jaclaz,
Operating system: Windows XP/7
Filesystem: NTFS
To your first question: "Time" is a fickle thing on computers. Was the time set correctly? Can you verify the time was set correctly? The answer to your question depends partly on the answer to those questions.
To your second: Yes, there are tools to do this. It is possible, with investigation of other remnants, to detect.
Third: Again, it is trivial to do; it takes work to detect.
That said my answers are vague because your questions are very vague. Answering these types of questions takes authors of books on forensics several pages or the combination of pages from several chapters to answer.
The purveyor of this site has provided some helpful guidelines for those asking questions that are immediately above the pane where you typed your questions. Can you provide answers to those two questions?
My forensic training and experience includes how to parse the Windows Registry with a hex editor. Therefore, I have the knowledge and ability to change values in the Registry if I so choose.
That said, I would never do that on an actual case since it would be unethical.
1) Is it possible to know when an account was created from registry keys?
Yes, it is.
2) Is it possible to use any tool to change LastWrite registry keys? If it is possible, how does one know?
Not "any", but yes, there are APIs that can be used to change key LastWrite times.
I'm not sure how to answer the second question. I know it's possible because I've seen the tool.
3) For files and folders I have read it is possible to change the date. How is it possible to detect this?
As with other aspects of digital forensic analysis, one should never simply hang a finding on a single data point. Rather, findings should be based on the sum total of data points.
For example, let's say that someone creates a user account on 6 June 2014, and modifies the Registry key LastWrite time for that account to read 9 July 2014. This would actually take some doing (i.e., escalation of privileges, etc.) due to what would be required in order to do this. Then, on 8 June, they log into the system using the account they created; at that point, the profile is created. So, you have a couple of data points that suggest that the account was created on 9 July, but here it is a month earlier and you have the profile created. Also, depending upon the audit settings on the system, you may have Windows Event Log records that indicate the account creation, dated 6 June.
With respect to files and folders, the time stamps within the MFT record can help tell the story, especially when combined and viewed with other data from the system.
HTH
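As an added example (not from this thread or any of its posters), the following Python check applies the correlation idea above: the creation time derived from the SAM key LastWrite is compared against artifacts that can only exist once the account does, and every artifact that predates it is reported. The sample timestamps, the profile path and the 4720 event record are constructed to mirror the 6 June / 8 June / 9 July scenario; the SAM key path and the F value reference are assumptions about where such values would be read from on a Windows 7 system.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# Registry key cells and NTFS $STANDARD_INFORMATION both store times this way.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Decode a raw 64-bit FILETIME to an aware UTC datetime (None for 0 = 'never set')."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def check_account_creation(registry_lastwrite_ft, corroborating):
    """Compare the account creation time read from the SAM key LastWrite with artifacts
    that presuppose the account already exists (profile folder, logon and
    account-creation event records).  Returns the artifacts that predate the
    registry-derived time; a non-empty result means the single registry data point
    contradicts the rest of the timeline and cannot carry a finding on its own."""
    derived = filetime_to_datetime(registry_lastwrite_ft)
    conflicts = []
    for source, ft in corroborating:
        when = filetime_to_datetime(ft)
        if when is not None and when < derived:
            conflicts.append((source, when.isoformat()))
    return conflicts

def demo():
    # Constructed sample values for the scenario in the post above (not real case data).
    # Assumed source: LastWrite of SAM\Domains\Account\Users\Names\<user>, altered to 9 July.
    lastwrite = datetime_to_filetime(datetime(2014, 7, 9, 10, 0, tzinfo=timezone.utc))
    others = [
        ("C:\\Users\\<user> folder creation ($STANDARD_INFORMATION)",
         datetime_to_filetime(datetime(2014, 6, 8, 9, 15, tzinfo=timezone.utc))),
        ("Security.evtx event 4720 'A user account was created'",
         datetime_to_filetime(datetime(2014, 6, 6, 14, 30, tzinfo=timezone.utc))),
        ("SAM F value: last incorrect password attempt (0 = none recorded)", 0),
    ]
    return check_account_creation(lastwrite, others)

if __name__ == "__main__":
    for source, when in demo():
        print(f"CONFLICT: {source} at {when} predates the registry-derived creation time")
```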
Not "any", but yes, there are APIs that can be used to change key LastWrite times.
…assuming that the Registry is "online", but a plain hex editor (and some pretty much accurate work with a calculator) would do nicely if it is "offline", as hinted before, and possibly some scripts together with offline registry tools…
From the mouth of the wolf
https://
and actually put into practice
http//
might also do nicely, while - notwithstanding the fact that no one 😯 is interested in this approach (which BTW is the "right" one) -
http//
it would still be possible to make mincemeat of any Registry…
jaclaz
My reply was for the "online" Registry because, as you stated, modification of the offline Registry had already been hinted at.
What would be some possible scenarios where modification of the offline Registry might occur?
My reply was for the "online" Registry because, as you stated, modification of the offline Registry had already been hinted at.
What would be some possible scenarios where modification of the offline Registry might occur?
I thought that the underlying question was more along the lines of "Is it possible to tamper with Registry LastWrite timestamps?", in the sense of "How can such timestamps be altered (one way or the other)?" or "Can such timestamps be relied upon during an examination?". The typical scenario would be someone intentionally altering those timestamps either to hide activity on the PC or to fake that an activity actually took place on a given date/time.
Is it possible to tamper with Registry LastWrite timestamps?
Yes.
HOW can such timestamps be altered (one way or the other)?
EITHER when the Registry is online, using some APIs (keydet89's suggestion/idea), OR when the Registry is offline, EITHER with a hex editor (Patrick4n6's suggestion/idea) OR possibly by using some specific tools (jaclaz's corollary) that may (or may not) be used as they are or need some modification/changes.
Yes, OK, but HOW EXACTLY?
As an example, see the following post by Joakims and his nice tool
http//
Can such timestamps be relied upon during an examination?
No, they should NEVER be relied upon "on their own", they NEED to be put in the context of a FULL system timeline.
jaclaz
The SetRegTime tool can modify the LastWriteTime timestamp in the registry on mounted hives; http//