Windows 7 SYSTEM reg file examination


jaclaz
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Post Posted: Apr 07, 17 16:27

- Adam10541
I probably gave the wrong impression as it's clearly not an Xways issue (Original post edited to remove references to Xways), rather I just wanted to be clear that this was the tool I was using as I know from experience different tools represent the same information in different ways sometimes.



Yep, it may be an X-Ways connected issue or it may be not.

I mean, what you posted is the output of X-Ways, i.e. those values are called what X-Ways calls them, right?

Which specific keys (as seen in regedit) are you talking about? (full Registry path, please)

It is entirely possible that X-Ways adopts a "friendly name" and another tool uses another one, or that some relevant article/paper uses yet another "name" for the same object.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

athulin
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Post Posted: Apr 07, 17 19:38

- Adam10541

The start of a SQM subsystem within the CMF system


What is the CMF system you are referencing here?


I should have said 'a' CMF system. Because I have not a clue.

The registry values you mention (@Jaclaz: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CMF\SqmData seems a reasonable guess) suggest that Sqm may be a subsystem of CMF or in some way subordinate to something called CMF.

Sqm I've seen in relation to various Internet-based services, so I'm prepared to guess it's related to Service Quality Monitoring, which you can find general info about at the MSDN web site, where a number of relevant documents (API, SDK, etc.) can be found. I spent some time digging around those documents yesterday without finding anything useful.

However, CMF is not even on my map, so ... something new, and possibly interesting. At first I thought it might be related to CEIP (Customer Experience something), but so far I have nothing that confirms that.

A number of fairly obvious things to look around for occur to me, but I'm fairly sure someone has already been doing this.
 
  

jaclaz
Senior Member
 

Re: Windows 7 SYSTEM reg file examination with Xways

Post Posted: Apr 07, 17 20:41

- athulin

Sqm I've seen in relation to various Internet-based services, so I'm prepared to guess it's related to Service Quality Monitoring, which you can find general info about at the MSDN web site, where a number of relevant documents (API, SDK, etc.) can be found. I spent some time digging around those documents yesterday without finding anything useful.


A loose piece of information is seemingly this one:
news.microsoft.com/200...cxRRwsk.97


Some of the other teams that report into me also develop parts of the server and work directly with customers and partners to gather feedback, which shapes the release. For instance, we have a tool called SQM [pronounced “skwim”], or Service Quality Monitor, which enables us to get online customer feedback as part of the release.

Now we know that the good MS guys pronounce SQM as "skwim" Shocked and that is about all the "useful" information they are going to give us Wink .

But maybe, just maybe, SQM actually means Service Quality Metrics:
msdn.microsoft.com/en-...54414.aspx

(which possibly they pronounce "skw-eye-m"):
www.imdb.com/title/tt0...=qt0484647

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

keydet89
Senior Member
 

Re: Windows 7 SYSTEM reg file examination

Post Posted: Apr 09, 17 16:49

Just a thought...if you create a timeline of system activity, you'll very likely see what happened on the system around that time.  
 
  

MDCR
Senior Member
 

Re: Windows 7 SYSTEM reg file examination

Post Posted: Apr 09, 17 17:07

It should be noted that the job of software is to present data to the end user, who has the job of interpreting it. Without help, you're stuck googling.

A well written program would at least have a tooltip popup, explaining WTF CMF is. The only thing I found was that CERN has something called CMF (Computer Management Framework), but apart from that I can't make heads or tails of the acronym:
http://www.acronymfinder.com/CMF.html

I wrote a security scanner in 1998; for each vulnerability I wrote a short description of what it was and what the impact was. I did this on my home computer on a zero budget - why can't professional software companies do this?

I see this as bad UX.  
 
  

jaclaz
Senior Member
 

Re: Windows 7 SYSTEM reg file examination

Post Posted: Apr 09, 17 17:25

Well, you actually asked for this Wink :
- MDCR

A well written program would at least have a tooltip popup, explaining WTF CMF is.

What is the meaning of the WTF acronym? Shocked

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

athulin
Senior Member
 

Re: Windows 7 SYSTEM reg file examination

Post Posted: Apr 10, 17 23:02

- MDCR
A well written program would at least have a tooltip popup, explaining WTF CMF is.

[...]

I see this as bad UX.



In this case, it looks as if the only programs available are registry viewers of sorts. You can find the key, the value and the data: a time stamp. While some kind of documentation would be desirable, it's not likely to be easy to find. This? Somewhere in the SDK or DDK or whatever xDK that are available now.

Any decent FA (Forensic Analyst) would recognize it as a DOS device: something that will lure you into trying to find what the CMF is, why it is there and whatever semantics it has. The trick, of course, is to recognize it as one:

Unknown registry key, unknown values and data.

and to come to the right conclusion about it:

Unknown, useless for analysis, ignore, and proceed.

Actually, this is so often the correct approach that it should be taught in Computer Forensics 101.

An FR (Forensic Researcher) on the other hand may find it a starting point for research. But that's a different activity.

What Windows versions have this area of the registry? Introduced in Win7 or was it present earlier? Is it present on Server as well? Embedded? other versions of Windows?

'Grep' all binaries for the registry key -- what .EXE or .DLL or whatever refers to this area of the registry, and what do they do?

Run some program that is said to produce SQM-related data (Microsoft Live Messenger, perhaps) and see if it produces any relevant changes?

Monitor the key and subkeys, and produce a list of changes over time. Do things happen spontaneously, or is user activity needed? Correlate with other activity. (While a timeline is useful for an FA, it's normally a post hoc activity, and many timestamps mask prior activity. An FR wants as much data as possible.)
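The "grep all binaries for the registry key" step above is less trivial than it sounds, because Windows executables and DLLs normally store such paths as UTF-16LE strings, which a plain ASCII grep never matches, and usually without the hive prefix (so the useful needle is the tail of the path, e.g. `Control\CMF`, which is an assumption about how code references the key). The script below is an added example written for this thread, not a tool posted by anyone in it: it searches byte blobs for the path in both ASCII and UTF-16LE, case-insensitively, and pulls out the full surrounding string so the analyst sees the complete path the binary uses. The "binaries" are constructed inline so it runs offline; on a real system you would feed it the contents of the files under the Windows directory instead.

```python
# Search binary blobs for references to a registry key in ASCII and UTF-16LE.
# Added example for this thread; the sample "binaries" below are constructed.

# Tail of HKLM\SYSTEM\CurrentControlSet\Control\CMF. Binaries rarely contain the
# hive name, so the search needle is the trailing part of the path (assumption).
NEEDLE = r"Control\CMF"

# Constructed sample files: one with a UTF-16LE string (the common case in
# Windows PE files), one with a lowercase ASCII string, one with no reference.
SAMPLE_BINARIES = {
    "sqm_like.dll": (b"MZ\x90\x00" + b"\x00" * 16
                     + "SYSTEM\\CurrentControlSet\\Control\\CMF\\SqmData".encode("utf-16-le")
                     + b"\x00\x00" + b"\x90" * 8),
    "tool.exe": (b"MZ" + b"\x00" * 8
                 + b"Software\\Policies\\Foo\x00"
                 + b"System\\CurrentControlSet\\control\\cmf\x00"),
    "unrelated.sys": b"MZ" + bytes(range(256)),
}

ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


def _extract_string(blob: bytes, start: int, enc: str) -> str:
    """Extend from a hit backwards and forwards over printable characters so the
    whole embedded string (e.g. the full registry path) is returned."""
    step = 1 if enc == "ascii" else 2
    if step == 1:
        def ok(i):
            return 0x20 <= blob[i] < 0x7F
    else:
        def ok(i):
            return i + 1 < len(blob) and 0x20 <= blob[i] < 0x7F and blob[i + 1] == 0
    lo = start
    while lo - step >= 0 and ok(lo - step):
        lo -= step
    hi = start
    while hi + step <= len(blob) and ok(hi):
        hi += step
    return blob[lo:hi].decode(ENCODINGS[enc])


def find_registry_refs(blob: bytes, needle: str = NEEDLE) -> list:
    """Return (encoding, offset, full_string) for every case-insensitive hit.
    Lower-casing only affects ASCII letters, so the interleaved NUL bytes of the
    UTF-16LE pattern are left intact and the two encodings cannot cross-match."""
    lowered = blob.lower()
    hits = []
    for enc, codec in ENCODINGS.items():
        pattern = needle.lower().encode(codec)
        pos = lowered.find(pattern)
        while pos != -1:
            hits.append((enc, pos, _extract_string(blob, pos, enc)))
            pos = lowered.find(pattern, pos + 1)
    return hits


def scan_binaries(binaries: dict, needle: str = NEEDLE) -> dict:
    """Map file name -> list of hits; files without any reference are omitted."""
    report = {}
    for name, blob in binaries.items():
        hits = find_registry_refs(blob, needle)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_binaries(SAMPLE_BINARIES).items():
        for enc, offset, text in hits:
            print(f"{name}: {enc} @ 0x{offset:x}: {text}")
```

Note that the lowercase `control\cmf` in `tool.exe` is still found, and the string returned for `sqm_like.dll` is the complete path including the `SqmData` subkey, which is the piece of information the research question actually needs.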
 

Page 2 of 3