Hi all,
I'm a little confused and hope someone can enlighten me regarding the Timezone data I've extracted from the registry. Data below was extracted from that SYSTEM using RegRipper.
----------------------------------------
LastWrite Time Wed Feb 4 17:16:46 2009 (UTC)
ShutdownTime = Wed Feb 4 17:16:46 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet001\Control\Watchdog\Display
LastWrite Time Wed Feb 4 17:16:46 2009 (UTC)
ShutdownCount = 64
----------------------------------------
TimeZoneInformation key
ControlSet001\Control\TimeZoneInformation
LastWrite Time Tue Feb 17 18:14:57 2009 (UTC)
DaylightName -> Pacific Daylight Time
StandardName -> Pacific Standard Time
Bias -> 480 (8 hours)
ActiveTimeBias -> 480 (8 hours)
Notice the timezone key LastWrite was updated 13 days after the shutdown time/date was recorded. My question is: how can I confirm the time and date when the user yanked the plug from behind the computer? Please note that when we got to the computer it was already switched off, but no one can verify when.
I hope I've explained it clearly and I hope someone can point me in the right direction.
MC.
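As an added illustration (not code from anyone in this thread, and not RegRipper's own code), here is how the two values above relate: the ShutdownTime value is a raw FILETIME that RegRipper renders in UTC, and ActiveTimeBias is the number of minutes to subtract to get the machine's local time. The tick count below is a constructed sample that decodes to the thread's Feb 4 timestamp; the 480-minute bias and the Feb 17 LastWrite time are the values as posted.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian REG_BINARY FILETIME that Windows
    writes to Control\\Windows\\ShutdownTime on an orderly shutdown.
    A pulled plug never updates it, so it only bounds the event from below."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def bias_minutes(dword: int) -> int:
    """Bias/ActiveTimeBias are REG_DWORD values holding (UTC - local) in
    minutes. Zones east of UTC store a negative number as a 32-bit
    two's-complement wrap, so reinterpret values >= 2**31 as signed."""
    return dword - 2**32 if dword >= 2**31 else dword

def utc_to_local(utc: datetime, active_time_bias: int) -> datetime:
    """Apply ActiveTimeBias: local = UTC - bias. 480 -> UTC-8 (Pacific Standard)."""
    offset = timezone(timedelta(minutes=-bias_minutes(active_time_bias)))
    return utc.astimezone(offset)

def gap_days(earlier: datetime, later: datetime) -> int:
    """Whole days between two key timestamps, e.g. ShutdownTime and the
    TimeZoneInformation key's LastWrite time."""
    return (later - earlier).days

# Constructed sample values (not the actual bytes from the poster's hive):
# the FILETIME tick count for Wed Feb 4 17:16:46 2009 UTC, packed as REG_BINARY.
SAMPLE_SHUTDOWN_RAW = struct.pack("<Q", 128782414060000000)
SAMPLE_ACTIVE_TIME_BIAS = 480          # as reported in the thread
SAMPLE_TZ_LASTWRITE = datetime(2009, 2, 17, 18, 14, 57, tzinfo=timezone.utc)

if __name__ == "__main__":
    shutdown_utc = filetime_to_utc(SAMPLE_SHUTDOWN_RAW)
    print("ShutdownTime (UTC):  ", shutdown_utc)
    print("ShutdownTime (local):", utc_to_local(shutdown_utc, SAMPLE_ACTIVE_TIME_BIAS))
    print("Days to TZ LastWrite:", gap_days(shutdown_utc, SAMPLE_TZ_LASTWRITE))
```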
Have you looked at the Event Logs? There probably won't be a specific shutdown event if the plug was pulled, but you could at least get an estimate based on when the last event was. This is of course assuming event logging is switched on.
All data, not just Registry data, needs to be understood in the context in which it is created and modified (with deletion being the extreme form of modified).
I think ddewildt provided excellent insight into the issue presented by the OP.
> …how can i confirm the time and date when the user yanked the plug from behind the computer?
Create a timeline from the system (see my blog for information on how to do this…); you may be able to surmise that if the plug was simply pulled on the system, then the last file system activity may correlate to that time.
Thanks all for the input. I'll check the timeline or the event viewer. :)
MC
Why would you use the Event Viewer?
Have you verified the RegRipper results against another tool to ensure RegRipper is providing correct results?
> …how can i confirm the time and date when the user yanked the plug from behind the computer?
see my blog for information on how to do this…
http://windowsir.blogspot.com/
> Have you verified the RegRipper results against another tool to ensure RegRipper is providing correct results?
This is a good post…what tools would you recommend for doing this?
> Have you verified the RegRipper results against another tool to ensure RegRipper is providing correct results?
> This is a good post…what tools would you recommend for doing this?
AccessData's Registry Viewer, mounting the registry files in EnCase, Paraben's Registry Analyzer… the list goes on…
dccfguru…
None of those tools does what RegRipper does, so I'm not sure how the list goes on…or how there's a list at all.