Hello,
This question is for anyone that knows about RegRipper. Know that Harlan reads and posts here, so maybe he will see and respond. A few questions about RegRipper. How did you decide which reg keys to focus on? The next two questions are more important. Below is a snippet of data from an NTUSER.DAT. I have lots of data in the 5603 subkeys and 5604 subkeys, but nothing in the 5601 subkey. Since the 5001 subkey is Internet related, I would think that there would be entries there. Is that normal, or can that value be cleared?
The next question is, when there are many values listed in any of the entries, such as the 5603 subkey, which entry does the timestamp correlate with, the first or the last?
5001 [Thu Jul 19 20:21:11 2007 (UTC)]
5603 [Mon Jun 23 19:12:13 2008 (UTC)]
000 -> AppC.*
001 -> AppB.dll
002 -> appA.dll
Thanks,
How did you decide which reg keys to focus on?
Easy…whichever keys have been pertinent to an examination.
To be honest, I'm not sure how best to answer that question without knowing more about what you're looking for in the Registry. I and others have documented to some extent (in both general and specific terms) what can be found in various hive files, so it is then incumbent upon the examiner to determine what they're interested in.
Does that help?
The next two questions are more important. Below is a snippet of data from an NTUSER.DAT. I have lots of data in the 5603 subkeys and 5604 subkeys, but nothing in the 5601 subkey. Since the 5001 subkey is Internet related, I would think that there would be entries there. Is that normal, or can that value be cleared?
A great deal of information in the NTUSER.DAT file can potentially be cleared by the user.
I'm not at all clear on your assumptions with respect to the 5001 key…I haven't seen many entries in that one at all.
Not sure what you mean by the "5601" key.
The next question is, when there are many values listed in any of the entries, such as the 5603 subkey, which entry does the timestamp correlate with, the first or the last?
5001 [Thu Jul 19 20:21:11 2007 (UTC)]
5603 [Mon Jun 23 19:12:13 2008 (UTC)]
000 -> AppC.*
001 -> AppB.dll
002 -> appA.dll
The key LastWrite times correlate to when the key itself was modified. In the case of the 5603 key listed above, when the term "AppC.*" was searched for, "AppB.dll" was moved from entry 000 to entry 001 (the same is true for successive values) and "AppC.*" was written to the value named "000". This specific question is answered on page 175 of my book.
HTH,
h
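As an added illustration of the answer above (example code written for this thread, not code from the post or from RegRipper), this Python model implements the value rotation Harlan describes: the new term is written to 000, the earlier terms shift down one value, and the key LastWrite time records that write. The 20-entry cap and the moving of a repeated term to the top are assumptions that the post does not state.

```python
# Model of the MRU rotation described above: a new term is written to value
# "000", earlier terms shift to "001", "002", ... and the key LastWrite records
# that write. Constructed example, not RegRipper code; cap and de-dup assumed.
import re
from datetime import datetime, timezone

MAX_ENTRIES = 20  # assumed cap; the post does not state one

class MruKey:
    def __init__(self):
        self.values = []        # index 0 is value "000", the most recent term
        self.last_write = None  # key LastWrite time (UTC), set on each write

    def record_search(self, term, when):
        if term in self.values:        # assumption: a repeated term is moved
            self.values.remove(term)   # to the top rather than stored twice
        self.values.insert(0, term)    # new term becomes "000"; others shift down
        del self.values[MAX_ENTRIES:]  # oldest entry drops off the end
        self.last_write = when         # LastWrite = time the key was modified

    def dump(self):
        """Render values in the 'NNN -> term' style of the snippet above."""
        return [f"{i:03d} -> {v}" for i, v in enumerate(self.values)]

    def lastwrite_str(self):
        """LastWrite in the 'Mon Jun 23 19:12:13 2008 (UTC)' style."""
        return self.last_write.strftime("%a %b %d %H:%M:%S %Y (UTC)")

def simulate(searches):
    """Replay (term, ISO-8601 UTC time) pairs in order; return the key."""
    key = MruKey()
    for term, when in searches:
        key.record_search(term, datetime.fromisoformat(when).replace(tzinfo=timezone.utc))
    return key

def most_recent_entry(lines):
    """From 'NNN -> term' lines, return the term the key LastWrite belongs
    to: the lowest-numbered value, i.e. the term searched for most recently."""
    entries = {}
    for line in lines:
        m = re.match(r"\s*(\d{3})\s*->\s*(.+?)\s*$", line)
        if m:
            entries[int(m.group(1))] = m.group(2)
    return entries[min(entries)] if entries else None

if __name__ == "__main__":
    # Constructed search history that reproduces the 5603 snippet in the thread
    key = simulate([("appA.dll", "2008-06-20T10:00:00"),
                    ("AppB.dll", "2008-06-21T11:30:00"),
                    ("AppC.*", "2008-06-23T19:12:13")])
    print(key.lastwrite_str(), *key.dump(), sep="\n")
```

Only the 000 entry can be tied to the key LastWrite; the earlier terms carry no timestamp of their own once they have been shifted down.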
Keydet89,
Thanks for your info on this. With regards to " I and others have documented to some extent (in both general and specific terms) what can be found in various hive files, so it is then incumbent upon the examiner to determine what they're interested in." do you have any references on hand that you can point me to? I have read and used your Excel spreadsheet that comes with RR and found it helpful, but I am looking for more or another perspective.
With regards to the 5001 key, I guess I was looking for any Internet related data that might be present, URLs etc. The 5601 was a typo; it was supposed to be 5604.
Thanks,
Thanks for your info on this. With regards to " I and others have documented to some extent (in both general and specific terms) what can be found in various hive files, so it is then incumbent upon the examiner to determine what they're interested in." do you have any references on hand that you can point me to?
Sure…not to sound flippant, but there's my book, MS's search utility, Google, and testing on your own system(s).
I have read and used your Excel spreadsheet that comes with RR and found it helpful, but I am looking for more or another perspective.
I'd like to help…can you describe a bit more about what you're looking for? What other "perspective" or information are you interested in?
One of the biggest issues I find in our "community" is that there is very often little in the way of communications; not just in what folks are looking for, but what they've found, as well.
With regards to the 5001 key, I guess I was looking for any Internet related data that might be present, URLs etc.
Okay, gotcha…I had thought as much. However, originally, you'd said, "Since 5001 subkey is Internet related I would think that there would be entries there.", which seemed to indicate that you expected to see something there. One has to understand which user actions cause keys or values to be created, modified or deleted.