Registry query
Registry query
Posted: Mon Sep 07, 2009 11:40 pm
Hi all,
I'm a little confused and hope someone can enlighten me regarding the time zone data I've extracted from the Registry. The data below was extracted from the SYSTEM hive using RegRipper.
Code:
----------------------------------------
LastWrite Time Wed Feb 4 17:16:46 2009 (UTC)
ShutdownTime = Wed Feb 4 17:16:46 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet001\Control\Watchdog\Display
LastWrite Time Wed Feb 4 17:16:46 2009 (UTC)
ShutdownCount = 64
----------------------------------------
TimeZoneInformation key
ControlSet001\Control\TimeZoneInformation
LastWrite Time Tue Feb 17 18:14:57 2009 (UTC)
DaylightName -> Pacific Daylight Time
StandardName -> Pacific Standard Time
Bias -> 480 (8 hours)
ActiveTimeBias -> 480 (8 hours)
Notice that the time zone key's LastWrite was updated 13 days after the shutdown date/time was recorded. My question is: how can I confirm the date and time when the user yanked the plug from behind the computer? Please note that when we got to the computer it was already switched off, but nobody can verify when.
I hope I've explained it clearly, and I hope someone can point me in the right direction.
MC.
-

mc02 - Member
Re: Registry query
Posted: Tue Sep 08, 2009 1:39 am
Have you looked at the Event Logs? There probably won't be a specific shutdown event if the plug was pulled, but you could at least get an estimate based on when the last event was. This is of course assuming event logging is switched on.
-

ddewildt - Senior Member
Re: Registry query
Posted: Tue Sep 08, 2009 5:42 am
All data, not just Registry data, needs to be understood in the context in which it is created and modified (with deletion being the extreme form of modified).
I think ddewildt provided excellent insight into the issue presented by the OP.
> ...how can I confirm the time and date when the user yanked the plug from behind the computer?
Create a timeline from the system (see my blog for information on how to do this...); you may be able to surmise that if the plug was simply pulled on the system, then the last file system activity may correlate to that time.
-

keydet89 - Senior Member
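The two routes suggested so far, the Registry LastWrite times in the first post and the file-system timeline keydet89 recommends, can be combined into a single check. What follows is an added example, not code from the thread, from RegRipper, or from keydet89's blog. It parses a constructed copy of the RegRipper output quoted above plus a constructed TSK-style bodyfile (the file names and epoch times are made up for illustration) and reports the latest timestamp at which some artifact proves the system was still running. The reasoning it encodes: ShutdownTime is written only by an orderly shutdown, whereas a key's LastWrite can only change while Windows is running, so a LastWrite 13 days after ShutdownTime shows the machine was booted again and the plug-pull happened no earlier than that write. The same "latest proof of running" logic extends to the last event-log record ddewildt mentions.

```python
"""Bound when a Windows box last ran from RegRipper LastWrite times plus a
file-system timeline, and compare that with the recorded clean ShutdownTime."""
import re
from datetime import datetime, timezone

# Constructed copy of the RegRipper output quoted in the first post (not a live run).
REGRIPPER_OUTPUT = """\
----------------------------------------
LastWrite Time Wed Feb 4 17:16:46 2009 (UTC)
ShutdownTime = Wed Feb 4 17:16:46 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet001\\Control\\Watchdog\\Display
LastWrite Time Wed Feb 4 17:16:46 2009 (UTC)
ShutdownCount = 64
----------------------------------------
TimeZoneInformation key
ControlSet001\\Control\\TimeZoneInformation
LastWrite Time Tue Feb 17 18:14:57 2009 (UTC)
DaylightName -> Pacific Daylight Time
StandardName -> Pacific Standard Time
Bias -> 480 (8 hours)
ActiveTimeBias -> 480 (8 hours)
"""

# Constructed TSK bodyfile (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime),
# epoch seconds UTC. Names and times are illustrative, not from the thread.
BODYFILE = """\
0|C:/Documents and Settings/user/NTUSER.DAT|3310-128-1|r/rrwxrwxrwx|0|0|1572864|1234894863|1234894863|1234894863|1200000000
0|C:/Documents and Settings/user/My Documents/notes.txt|4102-128-1|r/rrwxrwxrwx|0|0|2311|1234894960|1234894960|1234894960|1234894863
0|C:/pagefile.sys|27-128-1|r/rrwxrwxrwx|0|0|805306368|0|1234894497|0|0
"""

RR_TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_rr_time(text):
    """'Wed Feb 4 17:16:46 2009 (UTC)' -> aware UTC datetime."""
    return datetime.strptime(text.replace("(UTC)", "").strip(), RR_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_sections(output):
    """Split on the dashed separators; per section keep the key path (heuristic: the
    line containing a backslash), its LastWrite, and the name/value pairs."""
    sections = []
    for chunk in re.split(r"^-{10,}\s*$", output, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if not lines:
            continue
        sec = {"key": None, "lastwrite": None, "values": {}}
        for line in lines:
            if "\\" in line:
                sec["key"] = line
            elif line.startswith("LastWrite Time"):
                sec["lastwrite"] = parse_rr_time(line[len("LastWrite Time"):])
            elif "=" in line or "->" in line:
                name, value = re.split(r"\s*(?:=|->)\s*", line, maxsplit=1)
                sec["values"][name] = value
        sections.append(sec)
    return sections


def bound_last_running(sections):
    """ShutdownTime is written by an orderly shutdown; a key LastWrite can only change
    while Windows is up. A LastWrite newer than ShutdownTime proves the system ran
    again afterwards, so the final power-off is no earlier than that LastWrite."""
    shutdown = newest = newest_key = None
    for sec in sections:
        if "ShutdownTime" in sec["values"]:
            shutdown = parse_rr_time(sec["values"]["ShutdownTime"])
        if sec["lastwrite"] is not None and (newest is None or sec["lastwrite"] > newest):
            newest, newest_key = sec["lastwrite"], sec["key"]
    return {"shutdown_time": shutdown, "newest_lastwrite": newest,
            "newest_key": newest_key, "ran_after_shutdown": newest > shutdown}


def parse_bodyfile(text):
    """(name, newest of the four MACB stamps) per line, skipping zero stamps."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split("|")
        stamps = [int(f) for f in fields[7:11] if int(f) > 0]
        if stamps:
            entries.append((fields[1], datetime.fromtimestamp(max(stamps), tz=timezone.utc)))
    return entries


def estimate_power_off(regripper_output, bodyfile_text):
    """Earliest moment the final power-off can have happened: the latest timestamp any
    artifact proves the system was running. What happened after it is not knowable
    from these sources alone."""
    reg = bound_last_running(parse_sections(regripper_output))
    name, fs_time = max(parse_bodyfile(bodyfile_text), key=lambda e: e[1])
    return {"clean_shutdown": reg["shutdown_time"], "registry_floor": reg["newest_lastwrite"],
            "registry_key": reg["newest_key"], "fs_floor": fs_time, "fs_artifact": name,
            "not_before": max(reg["newest_lastwrite"], fs_time),
            "clean_shutdown_is_last": not reg["ran_after_shutdown"] and fs_time <= reg["shutdown_time"]}


if __name__ == "__main__":
    r = estimate_power_off(REGRIPPER_OUTPUT, BODYFILE)
    for label in ("clean_shutdown", "registry_floor", "fs_floor", "not_before"):
        print(f"{label:16}: {r[label]:%Y-%m-%d %H:%M:%S} UTC")
    print("newest key:", r["registry_key"], "| last artifact:", r["fs_artifact"])
```

The figure it prints is a lower bound only: nothing in these artifacts says how long the box stayed up after the last recorded write, so a quiet stretch after the floor is a gap in evidence, not a shutdown time. If the clean ShutdownTime had been the newest timestamp across Registry, timeline and event logs, that would instead support an orderly shutdown rather than a pulled plug.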
Re: Registry query
Posted: Tue Sep 08, 2009 6:20 am
Thanks all for the input. I'll check the timeline or the event viewer. 
MC
-

mc02 - Member
Re: Registry query
Posted: Tue Sep 08, 2009 8:10 am
Have you verified the RegRipper results against another tool to ensure RegRipper is providing correct results?
-

magicm - Newbie
Re: Registry query
Posted: Tue Sep 08, 2009 8:45 am
keydet89 wrote:
> ...how can I confirm the time and date when the user yanked the plug from behind the computer?
> see my blog for information on how to do this...
> windowsir.blogspot.com/
_________________
------------------------
Douglas A. Brush, CFC, EnCE
www.linkedin.com/in/douglasabrush
-

douglasbrush - Senior Member