Doubts about forensic information  

pimp
(@pimp)
New Member

Hi,

I have some doubts about forensic information

1) Is it possible to know when an account was created from registry keys?
2) Is it possible, using any tool, to change registry key LastWrite times? If it is possible, how can one know?
3) For files and folders, I have read that it is possible to change the dates. How is it possible to detect this?

Best Regards and thanks in advance.

Posted : 07/02/2015 11:53 pm
jaclaz
(@jaclaz)
Community Legend

I know this is "General Discussion", but maybe you may want to be a tad bit more specific on the Operating System(s) and on the filesystem(s) involved.

jaclaz

Posted : 08/02/2015 3:58 pm
pimp
(@pimp)
New Member

Thanks jaclaz,

Operating system: Windows XP/7
Filesystem: NTFS

Posted : 08/02/2015 4:48 pm
BitHead
(@bithead)
Community Legend

To your first question: "Time" is a fickle thing on computers. Was the time set correctly? Can you verify the time was set correctly? The answer to your question depends partly on the answer to those questions.
To your second: yes, there are tools to do this. It is possible, with investigation of other remnants, to detect.
Third: again, it is trivial to do; it takes work to detect.

That said my answers are vague because your questions are very vague. Answering these types of questions takes authors of books on forensics several pages or the combination of pages from several chapters to answer.

The purveyor of this site has provided some helpful guidelines for those asking questions that are immediately above the pane where you typed your questions. Can you provide answers to those two questions?

Posted : 08/02/2015 6:44 pm
Patrick4n6
(@patrick4n6)
Senior Member

My forensic training and experience includes how to parse the Windows Registry with a hex editor. So therefore I have the knowledge and ability to change values in the Registry if I so choose.

That said, I would never do that on an actual case since it would be unethical.

Posted : 08/02/2015 9:24 pm
keydet89
(@keydet89)
Community Legend

1) Is it possible to know when an account was created from registry keys?

Yes, it is.

2) Is it possible, using any tool, to change registry key LastWrite times? If it is possible, how can one know?

Not "any", but yes, there are APIs that can be used to change key LastWrite times.

I'm not sure how to answer the second question. I know it's possible because I've seen the tool.

3) For files and folders, I have read that it is possible to change the dates. How is it possible to detect this?

As with other aspects of digital forensic analysis, one should never simply hang a finding on a single data point. Rather, findings should be based on the sum total of data points.

For example, let's say that someone creates a user account on 6 June 2014, and modifies the Registry key LastWrite time for that account to read 9 July 2014. This would actually take some doing (i.e., escalation of privileges, etc.) due to what would be required in order to do this. Then, on 8 June, they log into the system using the account they created…at that point, the profile is created. So, you have a couple of data points that suggest that the account was created on 9 July, but here it is a month earlier and you have the profile created. Also, depending upon the audit settings on the system, you may have Windows Event Log records that indicate the account creation, dated 6 June.

With respect to files and folders, the time stamps within the MFT record can help tell the story, especially when combined and viewed with other data from the system.

HTH

Posted : 09/02/2015 4:50 pm
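A worked example of the cross-checking keydet89 describes in the post above. This is added code, not part of the thread or of any tool mentioned in it. The artifacts, account name, RID, paths and timestamps are constructed to mirror the 6 June / 9 July scenario; the Windows 7 event IDs 4720 (account created) and 4624 (logon) are assumptions about the audit configuration.

```python
"""Cross-check an account-creation claim against the rest of the system timeline.

Added example with constructed data: the account name, RID, paths, event IDs
and timestamps below are made up to mirror the scenario in the post above.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Artifact:
    source: str      # where the timestamp was read from
    event: str       # what it records
    when: datetime   # normalised to UTC


# Events that cannot legitimately predate the account's existence.
AFTER_CREATION = {"profile_created", "logon"}
# Independent records of the creation itself.
CREATION_RECORDS = {"account_created_eventlog"}


def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def timeline(artifacts):
    """Everything in chronological order: the full system timeline the thread asks for."""
    return sorted(artifacts, key=lambda a: a.when)


def creation_upper_bound(artifacts):
    """Latest instant the account can have been created: the earliest event that needs it."""
    needs_account = [a.when for a in artifacts if a.event in AFTER_CREATION]
    return min(needs_account) if needs_account else None


def check_creation_claim(claim, artifacts):
    """Artifacts that contradict reading `claim.when` as the creation time.

    A contradiction is any dependent event, or independent creation record,
    dated earlier than the claim. An empty list means the claim is consistent
    with the other data points, not that it is proven.
    """
    return [a for a in artifacts
            if a is not claim
            and a.event in AFTER_CREATION | CREATION_RECORDS
            and a.when < claim.when]


# Constructed data points (all hypothetical).
SAMPLE = [
    Artifact("SAM\\Domains\\Account\\Users\\000003E9 key LastWrite",
             "account_created_registry", utc(2014, 7, 9, 10, 0)),   # the tampered value
    Artifact("Security.evtx EventID 4720 (account created)",
             "account_created_eventlog", utc(2014, 6, 6, 9, 12)),
    Artifact("C:\\Users\\bob $STANDARD_INFORMATION created",
             "profile_created", utc(2014, 6, 8, 8, 30)),
    Artifact("Security.evtx EventID 4624 (logon, bob)",
             "logon", utc(2014, 6, 8, 8, 30)),
]


def assess(artifacts, claim):
    """Summarise what the other data points say about one creation claim."""
    return {
        "claimed_creation": claim.when,
        "creation_no_later_than": creation_upper_bound(artifacts),
        "contradicted_by": [a.source for a in check_creation_claim(claim, artifacts)],
    }


if __name__ == "__main__":
    for a in timeline(SAMPLE):
        print(a.when.isoformat(), a.event, "<-", a.source)
    print(assess(SAMPLE, SAMPLE[0]))
```

Run against the constructed sample, the 9 July LastWrite claim is contradicted by three artifacts and the profile creation bounds the real creation to no later than 8 June; the 6 June event-log record is contradicted by nothing. The same shape of check applies to any single timestamp an examiner is tempted to rely on.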
jaclaz
(@jaclaz)
Community Legend

Not "any", but yes, there are APIs that can be used to change key LastWrite times.

…assuming that the Registry is "online", but a plain hex editor (and some pretty much accurate work with a calculator ;) ) would do nicely if it is "offline", as hinted before, and possibly some scripts together with offline registry tools…
From the mouth of the wolf:
https://msdn.microsoft.com/en-us/library/ee210757(v=vs.85).aspx
and actually put into practice:
http://reboot.pro/topic/11312-offline-registry/
might also do nicely, while - notwithstanding the fact that no one 😯 is interested in this approach (which BTW is the "right" one ;) )
http://reboot.pro/topic/7681-the-registry-as-a-filesystem/
it would still be possible to make mincemeat of any Registry…

jaclaz

Posted : 09/02/2015 5:38 pm
keydet89
(@keydet89)
Community Legend

My reply was for the "online" Registry because, as you stated, modification of the offline Registry had already been hinted at.

What would be some possible scenarios where modification of the offline Registry might occur?

Posted : 09/02/2015 6:01 pm
jaclaz
(@jaclaz)
Community Legend

My reply was for the "online" Registry because, as you stated, modification of the offline Registry had already been hinted at.

What would be some possible scenarios where modification of the offline Registry might occur?

I thought that the underlying question was more along the lines of "Is it possible to tamper with Registry LastWrite timestamps?" in the sense of "How can such timestamps be altered (one way or the other)?" or "Can such timestamps be relied upon during an examination?", the typical scenario would be someone altering intentionally those timestamps to either hide activity on the PC or faking that an activity actually took place on a given date/time.

Is it possible to tamper with Registry LastWrite timestamps?
Yes.

HOW can such timestamps be altered (one way or the other)?
EITHER when the Registry is online using some APIs (keydet89's suggestion/idea) OR when the Registry is offline, BOTH with a hex editor (Patrick4n6's suggestion/idea) or possibly by using some specific tools (jaclaz's corollary) that may (or may not) be used as they are or need some modification/changes.

Yes, OK, but HOW EXACTLY?
As an example, see the following post by Joakims :) and his nice tool
http://code.google.com/p/mft2csv/wiki/SetRegTime

Can such timestamps be relied upon during an examination?
No, they should NEVER be relied upon "on their own", they NEED to be put in the context of a FULL system timeline.

jaclaz

Posted : 09/02/2015 10:17 pm
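The offline route jaclaz describes above (hex editor plus calculator on the key record) and the "how exactly" question, as an added example that is not part of the thread, of SetRegTime, or of the reboot.pro tools. It reads and rewrites the LastWrite FILETIME of a key (nk) cell in raw hive bytes. The cell is constructed inside the script, a minimal nk record with the documented header layout and the remaining fields zeroed, so it runs on no real hive; the key name, RID-era dates and padding are all made up.

```python
"""Read and rewrite a registry key's LastWrite FILETIME in raw (offline) hive bytes.

Added example with a constructed cell, not a real hive. Layout used:
  cell +0x00  int32   cell size, negative while the cell is allocated
  nk   +0x00  'nk'    record signature
  nk   +0x02  uint16  flags
  nk   +0x04  uint64  LastWrite, FILETIME: 100 ns ticks since 1601-01-01 UTC
  nk   +0x48  uint16  key name length
  nk   +0x4C  bytes   key name
Everything else in the fixed 0x4C-byte nk header is left zeroed here.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_EPOCH = 116_444_736_000_000_000   # FILETIME of 1970-01-01 00:00:00 UTC
NK_HEADER_LEN = 0x4C
NK_LASTWRITE = 0x04
NK_NAME_LEN = 0x48
NK_NAME = 0x4C

# Constructed demo dates, mirroring the thread's 6 June / 9 July scenario.
DEMO_CREATED = datetime(2014, 6, 6, 9, 12, tzinfo=timezone.utc)
DEMO_FORGED = datetime(2014, 7, 9, 10, 0, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    # Integer arithmetic: a float would drop ticks at 2014-era magnitudes (~1.3e17).
    seconds, ticks = divmod(ft, 10_000_000)
    return EPOCH_1601 + timedelta(seconds=seconds, microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt.astimezone(timezone.utc) - EPOCH_1601
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _nk_offset(hive: bytes, cell_off: int) -> int:
    """Validate the cell at cell_off and return the offset of its nk record."""
    (size,) = struct.unpack_from("<i", hive, cell_off)
    if size >= 0:
        raise ValueError("cell at 0x%X is not allocated" % cell_off)
    nk = cell_off + 4
    if hive[nk:nk + 2] != b"nk":
        raise ValueError("cell at 0x%X is not a key (nk) record" % cell_off)
    return nk


def read_lastwrite(hive: bytes, cell_off: int) -> datetime:
    nk = _nk_offset(hive, cell_off)
    (ft,) = struct.unpack_from("<Q", hive, nk + NK_LASTWRITE)
    return filetime_to_datetime(ft)


def read_key_name(hive: bytes, cell_off: int) -> str:
    nk = _nk_offset(hive, cell_off)
    (n,) = struct.unpack_from("<H", hive, nk + NK_NAME_LEN)
    return hive[nk + NK_NAME:nk + NK_NAME + n].decode("latin-1")


def set_lastwrite(hive: bytes, cell_off: int, when: datetime) -> bytes:
    """Return a copy of `hive` with the key's LastWrite replaced; nothing else changes."""
    nk = _nk_offset(hive, cell_off)
    out = bytearray(hive)
    struct.pack_into("<Q", out, nk + NK_LASTWRITE, datetime_to_filetime(when))
    return bytes(out)


def make_nk_cell(lastwrite: datetime, name: bytes = b"Users") -> bytes:
    """Build a minimal allocated nk cell for the demo (constructed test data)."""
    hdr = bytearray(NK_HEADER_LEN)
    hdr[0:2] = b"nk"
    struct.pack_into("<H", hdr, 0x02, 0x20)            # flags: KEY_COMP_NAME (ASCII name)
    struct.pack_into("<Q", hdr, NK_LASTWRITE, datetime_to_filetime(lastwrite))
    struct.pack_into("<H", hdr, NK_NAME_LEN, len(name))
    body = bytes(hdr) + name
    total = (4 + len(body) + 7) & ~7                   # cells are 8-byte aligned
    return struct.pack("<i", -total) + body.ljust(total - 4, b"\x00")


def demo():
    """Constructed hive fragment before and after the timestamp is forged."""
    hive = b"\x00" * 0x20 + make_nk_cell(DEMO_CREATED)  # padding stands in for the rest of the hive
    forged = set_lastwrite(hive, 0x20, DEMO_FORGED)
    return hive, forged


if __name__ == "__main__":
    before, after = demo()
    print(read_key_name(before, 0x20), read_lastwrite(before, 0x20))
    print(read_key_name(after, 0x20), read_lastwrite(after, 0x20))
```

Only the eight timestamp bytes differ between the two buffers, which is exactly why the thread insists a LastWrite time cannot stand on its own: nothing inside the record records that it was edited, and the change has to be caught by the surrounding timeline.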
joakims
(@joakims)
Active Member

The SetRegTime tool can modify the LastWriteTime timestamp in the registry on mounted hives: http://code.google.com/p/mft2csv/wiki/SetRegTime

Posted : 09/02/2015 11:34 pm
jaclaz
(@jaclaz)
Community Legend

The SetRegTime tool can modify the LastWriteTime timestamp in the registry on mounted hives: http://code.google.com/p/mft2csv/wiki/SetRegTime

Very good :) , updated previous post.

From the given tool's page

My goal is to shed some light on the reality that registry timestamp manipulation is in fact very trivial. As a consequence it further reinforces the importance of proper (timeline) analysis, to get at the full picture and detect such attempts at timestamp modification.

jaclaz

Posted : 10/02/2015 12:25 am
AshishSingh
(@ashishsingh)
Junior Member

Hi,

• After logging on to a system, a temporary profile gets loaded that shows when an account was created. I guess that can prove to be helpful.

• To make significant changes to the registry keys, export your changes to a .reg file and follow them -

1. Click Start –> Run
2. Type regedit in the pop up box
3. Click File –> Export

Regards

Posted : 10/02/2015 9:28 am
jaclaz
(@jaclaz)
Community Legend

Hi,

• After logging on to a system, a temporary profile gets loaded that shows when an account was created. I guess that can prove to be helpful.

• To make significant changes to the registry keys, export your changes to a .reg file and follow them -

1. Click Start –> Run
2. Type regedit in the pop up box
3. Click File –> Export

Regards

Wow. 😯

Wouldn't this info be way too advanced to be posted on this thread?

jaclaz

Posted : 10/02/2015 4:26 pm