Windows 7 SYSTEM reg file examination

Adam10541
Senior Member
 

Windows 7 SYSTEM reg file examination

Posted: Apr 05, 17 07:26

I'm looking through a SYSTEM reg file from a Win7 machine, specifically looking for logon and system start-up times etc., and I'm seeing something that I'm having trouble finding an explanation for.

I'm seeing the below entries in the SYSTEM file:
CMFStartTime 02-11-16 15:49:49 +8
SystemLastStartTime 16-06-16 08:41:53 +8

I know from my client that they used the computer on 2-11-16, so that is consistent with the last time the machine was booted up; however, I need to understand the difference between the CMF start time and System last start time, and why they are different.

Last edited by Adam10541 on Apr 07, 17 06:52; edited 2 times in total
 
  

benfindlay
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Posted: Apr 05, 17 13:01

Morning (at least it is where I am!),

Is it definitely an X-Ways issue? Do other tools parse the same values or different? If other tools produce the same results, then there may be something else going on here.

As a possible avenue of thought, I have seen situations (mostly with laptops) where machines didn't actually shut down, even if the user selected "Shut Down" from the start menu - they went into some sort of weird ultra-low-power standby (the proper name of which escapes me).

I found this by looking at the machine live - when freshly booted up from "off" it would report an "up time" of several hours or days, but when rebooted, the "up time" clock would reset back to zero again.

It turned out that a BIOS setting kept the machine from truly powering off. The idea behind this was to improve start up times.

Just a thought off the top of my head.

Ben
_________________
Ben Findlay. BSc (Hons) MSc PgCLTHE FHEA MBCS MCSFS MIScT MInstISP
Course Leader BSc Computer and Digital Forensics
School of Science, Engineering and Design
Teesside University 
 
  

minime2k9
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Posted: Apr 05, 17 13:14

Have you tried the X-Ways forums? Assuming you have an in-date licence:
www.x-ways.net/winhex/...opics.html

Stefan is very good at responding on here with queries like this, though I would check through the manual first to make sure it isn't mentioned in there.  
 
  

Adam10541
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Posted: Apr 06, 17 06:47

I checked the manual and nothing there to indicate the difference.

I don't think it's so much an 'Xways' issue as much as an interpretation issue.

I'll head over to the Xways forums and see what Stefan can tell me.

*edit: apparently not much beyond the fact that I posted in the wrong section.
 
  

minime2k9
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Posted: Apr 06, 17 12:44

Yeah he can be a little blunt  
 
  

athulin
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Posted: Apr 06, 17 20:41

- Adam10541
... however I need to understand the difference between the CMF start time and System last start time, and why they are different.

Any Xways gurus have an explanation?


I'm probably just showing off my ignorance but ... why is this a Xways question?

If I had to guess, I would guess something related to service quality metrics -- the SCMData key they're in seems to point that way.

It is extremely dangerous to read meaning into random registry keys. It's like finding a Citrix installation with a registry entry named 'Password' in a Citrix-related key. If you think it is a password, you're wrong. (Yes, I did that once.)

SystemLastStartTime and SystemStartTime are probably related ... but what do they relate to? The start of the computer system? The start of a SQM subsystem within the CMF system in Windows? Or something else?

You should, I think, be asking for research related to these keys. Until you know what it is, you can't discount the possibility that you'll get other people's guesses -- just like mine above.  
 
  

Adam10541
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Posted: Apr 07, 17 06:47

I probably gave the wrong impression as it's clearly not an Xways issue (Original post edited to remove references to Xways), rather I just wanted to be clear that this was the tool I was using as I know from experience different tools represent the same information in different ways sometimes.

I've not noticed the CMF in registry keys before, but admittedly it's been a while since I needed to dig around in the registry files so no doubt I have some brushing up to do on the changes Win7 made to the registry.

- athulin
The start of a SQM subsystem within the CMF system

What is the CMF system you are referencing here?