Dear all,
I sometimes happen to run across bunches of registry entries - e.g. USBSTOR related ones - which have the LastWrite date changed to a particular date/time. I cannot remember whether the massive date change concerns only subsets of keys and whether there's a regularity in this pattern. This kind of 'flattening' makes it difficult to derive, for example, the last insertion date/time of USB external mass storage devices, since it seems that every USB key has been plugged in at the same time…
Have you ever come across such weird behavior? How do you explain such a massive date change to a common value? I think that it might be due to antivirus registry parsing, or some tool such as CCleaner/antispyware which parses and cleans the registry. Any other ideas?
Thanks in advance
Paolo
Thanks Fab4,
I spent some minutes googling - also on FF custom search - but couldn't find the interesting post you quoted.
Paolo
http://www.forensicfocus.com/Forums/viewtopic/t=6361/postdays=0/postorder=asc/start=0/
I sometimes happen to run across bunches of registry entries - e.g. USBSTOR related ones - which have the LastWrite date changed to a particular date/time. I cannot remember whether the massive date change concerns only subsets of keys and whether there's a regularity in this pattern. This kind of 'flattening' makes it difficult to derive, for example, the last insertion date/time of USB external mass storage devices, since it seems that every USB key has been plugged in at the same time…
I understand your concern, but the "flattening" across the USBStor key and its subkeys does nothing to affect determining the last insertion time of the devices…it's widely known and publicized that the LastWrite times on these keys are not used to determine that information. Check the "Windows Forensic Analysis Toolkit 3/e", or the previous edition, or the SANS Forensic Blog for the appropriate procedure.
Have you ever come across such weird behavior? How do you explain such a massive date change to a common value? I think that it might be due to antivirus registry parsing, or some tool such as CCleaner/antispyware which parses and cleans the registry. Any other ideas?
Did you create a timeline? Whenever there's any question of an activity occurring at a specific time, and what other activities may have occurred "near" it, a timeline is the way to go.
As linked to in the previous response, sometimes this observation has been anecdotally associated with an update.
HTH
Dear Harlan,
I've got all of your books and I'll soon order WFA 3/e. :-)
You're right, actually I was referring to USBSTOR related keys but was talking about particular keys, such as Control\DeviceClasses and its subkeys. The USBSTOR, as you pointed out, does not contain last insertion times but vendor, product, version and sometimes the s/n. I start from USBSTOR to derive the others; that's why I considered them all tied together.
Thanks
Paolo
I understand your concern, but the "flattening" across the USBStor key and its subkeys does nothing to affect determining the last insertion time of the devices…it's widely known and publicized that the LastWrite times on these keys are not used to determine that information. Check the "Windows Forensic Analysis Toolkit 3/e", or the previous edition, or the SANS Forensic Blog for the appropriate procedure.
Have you been able to create a timeline?
I'm a "supertimeline addict" (wink) - log2timeline is the first script I usually launch when I think it may be of use (i.e. 90% of cases), together with the good ol' fls+mactime and some of your scripts to get a quick view of the system state.
In this particular case, I haven't got the images at hand because the case is managed by a colleague of mine. I suggested a supertimeline of everything (including carved materials such as registry, events, docs, etc… which I often find invaluable) and I hope he'll be able to launch one shortly.
I wrote this post because when my colleague asked me about the 'flattening' I remembered having come across such an issue a couple of times, and I thought it was some antivirus/antispyware/update process that messed up the timestamps.
Thanks
Paolo
Have you been able to create a timeline?
Well, there are a number of activities that _could_ have been responsible for the "flattening" you saw, but the only way to determine what was responsible is to create a timeline.
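As an added illustration of the advice above (not code from the thread, from RegRipper or from log2timeline), here is a small Python script that spots a "flattened" LastWrite value across USBSTOR/DeviceClasses keys and lists the supertimeline rows that fall around it. The key paths, timestamps and timeline rows are constructed sample data; the window size is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (key path, LastWrite in UTC), in the shape a hive
# parser would report. Five keys share one exact second; two do not.
KEYS = [
    ("Enum\\USBSTOR\\Disk&Ven_A&Prod_B\\SN001", "2011-03-14 10:15:33"),
    ("Enum\\USBSTOR\\Disk&Ven_C&Prod_D\\SN002", "2011-03-14 10:15:33"),
    ("Control\\DeviceClasses\\{guid1}\\##?#USBSTOR#A_B#SN001", "2011-03-14 10:15:33"),
    ("Control\\DeviceClasses\\{guid1}\\##?#USBSTOR#C_D#SN002", "2011-03-14 10:15:33"),
    ("Control\\DeviceClasses\\{guid2}\\##?#USBSTOR#A_B#SN001", "2011-03-14 10:15:33"),
    ("Enum\\USBSTOR\\Disk&Ven_E&Prod_F\\SN003", "2011-02-02 08:41:09"),
    ("Control\\DeviceClasses\\{guid1}\\##?#USBSTOR#E_F#SN003", "2011-02-02 08:41:10"),
]

# Constructed supertimeline rows: (timestamp, source, description).
TIMELINE = [
    ("2011-03-12 17:20:00", "EVT", "USB mass storage arrival (constructed)"),
    ("2011-03-14 10:14:51", "EVT", "update installation started (constructed)"),
    ("2011-03-14 10:15:40", "setupapi.log", "device re-enumeration (constructed)"),
    ("2011-03-14 10:16:02", "Prefetch", "TRUSTEDINSTALLER.EXE run (constructed)"),
    ("2011-03-15 09:00:00", "LNK", "file opened from removable drive (constructed)"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def find_flattened(keys, min_keys=3):
    """Return {LastWrite: [key paths]} for timestamps shared by at least
    min_keys keys. Many unrelated device keys sharing one exact second is
    the 'flattening' pattern; normal plug-in activity spreads over time."""
    groups = defaultdict(list)
    for path, ts in keys:
        groups[parse(ts)].append(path)
    return {ts: paths for ts, paths in groups.items() if len(paths) >= min_keys}

def events_near(timeline, when, window=timedelta(minutes=5)):
    """Timeline rows within +/- window of the flattened LastWrite value."""
    return [row for row in timeline if abs(parse(row[0]) - when) <= window]

def explain_flattening(keys, timeline):
    """Map each flattened LastWrite to the timeline rows around it, so the
    analyst can see which system activity coincides with the mass rewrite."""
    return {ts: events_near(timeline, ts) for ts in find_flattened(keys)}

if __name__ == "__main__":
    flat = find_flattened(KEYS)
    for ts, rows in explain_flattening(KEYS, TIMELINE).items():
        print(f"{ts}: {len(flat[ts])} keys share this LastWrite")
        for row in rows:
            print("   ", *row)
```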
Yes,
I'm pretty sure that with a (super)timeline we'll be able to determine what caused the massive timestamp modifications.
Thanks
Paolo
Well, there are a number of activities that _could_ have been responsible for the "flattening" you saw, but the only way to determine what was responsible is to create a timeline.