When is data such as RunMRU available from this key? Does Windows have to be running under a certain profile? I have an image of a suspect drive, and in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ there is no "RunMRU".
Is it correct that upon shutdown data from HKCU is written to the users ntuser.dat file?
Is there any way I can see this information with an acquired image?
> When is data such as RunMRU available from this key?
The HKCU "key" is a hive. The values beneath the RunMRU key are available when the user clicks on Start, and types something into the Run box.
> Is it correct that upon shutdown data from HKCU is written to the users ntuser.dat file?
Yes, that's part of a clean shutdown.
> Is there any way I can see this information with an acquired image?
No, and yes. As mentioned in my book, "Windows Forensic Analysis", the HKCU hive is volatile, which means that it exists and is available only when a user is logged into the system…hence the name, "current user". However, you can get the contents of this hive from an image by selecting the appropriate NTUSER.DAT file; i.e., the one located in the user's profile directory.
HTH,
Harlan
Thanks for that; you more or less confirmed what I thought.
OK, so I'm viewing the NTUSER.DAT in FTK. What would the next step be? Locate the RunMRU in hex?
Thanks
> …What would the next step be? Locate the RunMRU in hex?
Sure, you can do that, or open the NTUSER.DAT file in RegEdit on your analysis system and navigate to the key that way (my book tells how to do this). Another method is to just use a Perl script to reach into the file and determine if the key exists, and if so, extract the data.
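The scripted equivalent of the "load the NTUSER.DAT into RegEdit on your analysis system" step, as an added example that is not from the thread, from Harlan's book or from his Perl scripts. It is PowerShell for an analysis workstation and assumes the hive has already been exported from the image to a local path (the case path, the mount name and the "\1" suffix handling are assumptions of this example; the hive must be a writable copy, because reg.exe load will not open a file on read-only evidence media):

```powershell
# Added example: read a suspect profile's RunMRU from an exported NTUSER.DAT.
# Run from an elevated PowerShell (reg.exe load needs administrator rights).
# Export NTUSER.DAT out of the image (e.g. from FTK) to the analysis box first;
# the path below is an assumption for this example.

$HiveCopy  = 'C:\Cases\1234\exported\NTUSER.DAT'   # assumed: copy exported from the image
$MountName = 'SuspectUser'                          # arbitrary name for the loaded hive
$RunMRU    = "HKLM:\$MountName\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Load the suspect's hive under HKLM so it can be browsed like a live hive.
reg.exe load "HKLM\$MountName" $HiveCopy | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed: already loaded, file locked/read-only, or shell not elevated?"
}

try {
    if (-not (Test-Path $RunMRU)) {
        # No key at all: the Run box was never used under this profile, or the
        # key was removed. Absence is a finding to record, not an error.
        Write-Output "RunMRU key not present in $HiveCopy"
    }
    else {
        $props = Get-ItemProperty -Path $RunMRU

        # Entries are values named a, b, c, ... holding the typed command with a
        # trailing "\1". MRUList is a string of those letters, most recent first.
        $order = [string]$props.MRUList
        $rank  = 0
        foreach ($letter in $order.ToCharArray()) {
            $rank++
            $name = [string]$letter
            $raw  = [string]$props.$name
            [pscustomobject]@{
                Rank    = $rank                       # 1 = most recently run
                Value   = $name                       # registry value name
                Command = ($raw -replace '\\1$', '')  # strip the "\1" suffix
                Raw     = $raw
            }
        }
    }
}
finally {
    # Release handles before unloading, otherwise reg unload reports "Access is denied".
    [gc]::Collect()
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

If the key is missing from the exported hive as well, that matches what the original poster saw in the image: there is nothing in the profile to recover for the Run box, and the absence should simply be documented. Always unload the hive when finished so the next case's hive can be mounted under the same name.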
> …What would the next step be? Locate the RunMRU in hex?
Sure, you can do that, or open the NTUSER.DAT file in RegEdit on your analysis system and navigate to the key that way (my book tells how to do this).
Could you tell me now, please? I haven't got time to learn this from your book just now.
Another method is to just use a Perl script to reach into the file and determine if the key exists, and if so, extract the data.
Do you know where I can get such a script?
Thanks
> Could you tell me now, please? I haven't got time to learn this from your book just now.
You're kidding, right?
> Do you know where i can get such a script?
Yes, I have one…actually, several. However, I am not a development shop, and I have grown weary of providing scripts via email to folks who never respond with so much as a "I successfully received the script" and a "thank you". I mean, really…I put forth the effort to develop and test something for them, and sent it, and didn't receive so much as a "thanks". As such, I've opted to put my stuff either online (SourceForge) or provide them via my books.
Harlan
> Could you tell me now, please? I haven't got time to learn this from your book just now.
You're kidding, right?
Not at all. If I were in your position, then I would be happy to help anyone on these forums even if it did mean they wouldn't give me some money right away. I was going to purchase your book before, just not today. Now, however, it seems very unlikely that I will. Perhaps you think I'm just saying that and it's not the truth, but it is. You probably don't care, but never mind.
> If I were in your position, then I would be happy to help anyone on these
> forums even if it did mean they wouldn't give me some money right away.
It's not a matter of getting "some money right away" at all…I've helped many in this forum and others with no expectation of payment whatsoever. It's a matter of constantly providing these things and not getting so much as a "thank you", even when the person asking could have done their own search and found the information themselves.
It's interesting to me that you went the "money" route right away, even though I made no mention of it whatsoever.
With regards to your purchasing my book…of course I care. I wrote it in order to answer questions such as yours, and, in fact, it does answer your specific question. Do I care that you've now decided not to purchase it? Of course I do. However, I still believe that the technical viability and information in the book speak for themselves.
Thanks,
Harlan
I'm always very grateful for any help anyone gives me, and I always let them know it. I realise that I could have researched this and found out for myself, but I needed this information for a case I'm working on and I don't have much time left. It would have just helped me out, that's all; I thought you wouldn't mind.
When I can, I always do my own research; I enjoy doing it.
I didn't say I wouldn't buy your book…
> I didn't say I wouldn't buy your book…
A matter of semantics, perhaps…you said, "…it seems very unlikely that I will."