Registry query

mc02
(@mc02)
Posts: 20
Eminent Member
Topic starter
 

Hi all,

I'm a little confused and hope someone can enlighten me regarding the Timezone data I've extracted from the registry. Data below was extracted from that SYSTEM using RegRipper.

----------------------------------------
LastWrite Time Wed Feb 4 17:16:46 2009 (UTC)
ShutdownTime = Wed Feb 4 17:16:46 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet001\Control\Watchdog\Display
LastWrite Time Wed Feb 4 17:16:46 2009 (UTC)

ShutdownCount = 64
----------------------------------------
TimeZoneInformation key
ControlSet001\Control\TimeZoneInformation
LastWrite Time Tue Feb 17 18:14:57 2009 (UTC)
DaylightName -> Pacific Daylight Time
StandardName -> Pacific Standard Time
Bias -> 480 (8 hours)
ActiveTimeBias -> 480 (8 hours)


Notice the timezone key LastWrite was updated 13 days after the shutdown time/date was recorded. My question is how can I confirm the time and date when the user yanked the plug from behind the computer? Please note when we got to the computer it was already switched off but no one can verify when.

I hope I've explained it clearly and I hope someone can point me in the right direction.

MC.

Posted : 08/09/2009 10:40 am
(@ddewildt)
Posts: 123
Estimable Member
 

Have you looked at the Event Logs? There probably won't be a specific shutdown event if the plug was pulled, but you could at least get an estimate based on when the last event was. This is of course assuming event logging is switched on.

 
Posted : 08/09/2009 12:39 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

All data, not just Registry data, needs to be understood in the context in which it is created and modified (with deletion being the extreme form of modified).

I think ddewildt provided excellent insight into the issue presented by the OP.

> …how can I confirm the time and date when the user yanked the plug from behind the computer?

Create a timeline from the system (see my blog for information on how to do this…); you may be able to surmise that if the plug was simply pulled on the system, then the last file system activity may correlate to that time.

 
Posted : 08/09/2009 4:42 pm
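As an added example (not code from any poster in this thread), here is a Python script that does the two mechanical parts of the advice above: it decodes a raw ShutdownTime FILETIME from the SYSTEM hive to UTC, applies ActiveTimeBias to get local time, and sorts RegRipper-style LastWrite lines like the ones in the first post into a small timeline. The 8 raw bytes and the RegRipper text are constructed for the sample, and the Control\Windows key-path line for the first block is assumed since the post does not show it.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# ShutdownTime (Control\Windows, REG_BINARY) is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the 8 raw little-endian bytes that encode 2009-02-04 17:16:46 UTC.
SHUTDOWN_TIME_RAW = (128782414060000000).to_bytes(8, "little")

# Constructed RegRipper-style text mirroring the thread; the first key path is assumed.
RIPPED = """\
ControlSet001\\Control\\Windows
LastWrite Time Wed Feb  4 17:16:46 2009 (UTC)
ShutdownTime = Wed Feb  4 17:16:46 2009 (UTC)
ControlSet001\\Control\\Watchdog\\Display
LastWrite Time Wed Feb  4 17:16:46 2009 (UTC)
ControlSet001\\Control\\TimeZoneInformation
LastWrite Time Tue Feb 17 18:14:57 2009 (UTC)
"""

STAMP_RE = re.compile(r"^(LastWrite Time|ShutdownTime =)\s+(.+?) \(UTC\)$")


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode a little-endian 64-bit FILETIME to an aware UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_local(utc: datetime, active_time_bias: int) -> datetime:
    """ActiveTimeBias is the minutes ADDED to local time to reach UTC, so local = UTC - bias.
    Returns a naive datetime so the value cannot be mistaken for UTC."""
    return (utc - timedelta(minutes=active_time_bias)).replace(tzinfo=None)


def parse_timeline(text: str, active_time_bias: int) -> list:
    """Turn key-path and timestamp lines into (utc, local, key, label) events, oldest first."""
    events, key = [], "?"
    for line in text.splitlines():
        m = STAMP_RE.match(line.strip())
        if m:
            stamp = " ".join(m.group(2).split())  # collapse the padded day-of-month
            utc = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            events.append((utc, utc_to_local(utc, active_time_bias), key, m.group(1).rstrip(" =")))
        elif "\\" in line:
            key = line.strip()  # a key-path line introduces the entries that follow it
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for utc, local, key, label in parse_timeline(RIPPED, 480):
        print(f"{utc:%Y-%m-%d %H:%M:%S} UTC | {local:%H:%M:%S} local | {key} | {label}")
```

Running it with the 480-minute bias from the post shows the shutdown at 09:16:46 local and the TimeZoneInformation LastWrite 13 days later, which is the gap the first post asks about.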
mc02
(@mc02)
Posts: 20
Eminent Member
Topic starter
 

Thanks all for the input. I'll check the timeline or the event viewer. :)

MC

 
Posted : 08/09/2009 5:20 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Why would you use the Event Viewer?

 
Posted : 08/09/2009 6:52 pm
(@magicm)
Posts: 8
Active Member
 

Have you verified the RegRipper results against another tool to ensure RegRipper is providing correct results?

 
Posted : 08/09/2009 7:10 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

> …how can I confirm the time and date when the user yanked the plug from behind the computer?

see my blog for information on how to do this…

http://windowsir.blogspot.com/

 
Posted : 08/09/2009 7:45 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> Have you verified the RegRipper results against another tool to ensure RegRipper is providing correct results?

This is a good post…what tools would you recommend for doing this?

 
Posted : 08/09/2009 7:47 pm
(@dccfguru)
Posts: 22
Eminent Member
 

> Have you verified the RegRipper results against another tool to ensure RegRipper is providing correct results?

> This is a good post…what tools would you recommend for doing this?

AccessData's Registry Viewer, mounting the registry files in EnCase, Paraben's Registry Analyzer… the list goes on…

 
Posted : 08/09/2009 8:27 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

dccfguru…

None of those tools does what RegRipper does, so I'm not sure how the list goes on…or how there's a list at all.

 
Posted : 08/09/2009 8:30 pm