Digital Forensics & Incident Response & Reverse Engineering
This is a reply to the Sunday Funday 12/30/18 challenge.
The following results represent an attempt to understand what Windows components write to the Syscache hive in a Windows Server 2008 R2 SP1 installation (64-bit; with updates installed as of January 3, 2019).
Since the “Last Access” updates are almost back, let’s revise the consistency of last access timestamps present in NTFS file systems.
There are some misconceptions about how and when these timestamps are updated.
Continue reading “The (in)consistency of last access timestamps”
The purpose of this post is to record the recent findings related to the NTFS “Last Access” updates in Windows 10.
In Windows Vista (presumably as of Windows XP SP3), NTFS no longer tracks the Last Access time of a file by default.
This is no longer the case in the recent versions of Windows 10.
Continue reading “The “Last Access” updates are almost back”
The purpose of this post is to record the recent findings related to artifacts of execution and artifacts of executables present in a system. No major details beyond what was posted on Twitter.
David Cowen began his public testing of Amcache artifacts found in Windows 10 operating systems in Forensic Lunch Test Kitchen 11/16/18 (be sure to watch newer videos on this topic).
During these tests, it was found that the Amcache hive may have artifacts for executables that weren’t executed at all. There were other interesting findings outlined in the videos, but I will not focus on them now.
If you don’t know why transaction log files are important when dealing with registry hives from installations of Windows 8.1 & 10, please read this and this.
In this post, I will talk about an easy way to programmatically explore intermediate states of a registry hive using its transaction log files.
Continue reading “Exploring intermediate states of a registry hive using transaction log files”
A registry hive is very similar to a file system. In fact, there isn’t much difference between a file system and a registry hive except that the registry doesn’t follow usual file system naming rules.
Like a file system, a registry hive can contain deleted data, which is often recovered and used in digital forensics, incident response, and similar activities. But tools that recover such deleted data aren’t the same. And here is why.
Continue reading “Tools that recover deleted registry data don’t do the same job”
An offline antivirus (AV) scanner is used to scan and clean a computer while its usual operating system isn’t running. Such scanners are often launched from a bootable USB drive or from an optical disc. Some scanners include a component to scan and modify the inactive registry of a Windows operating system.
What happens to the registry when a user performs such a scan?
